LFI: beyond /proc/self/environ

Written by  on October 19, 2015 

Let’s suppose that we have a simple php application. The web app has a login form and a small news system based on txt files.

So a user can simple log into the system

1

And access the company’s internal board:

2

After looping through all the pages, one can guess that the web app is loading the content for each section from a plain text file.

3

Reviewing the code clarifies the question.

4

So at this point, an evil user could perform some local file inclusion and read files in the remote system.

5

We all know how to exploit that via the “/proc/self/environ” way and if we don’t, our friend google can help for sure.

So in thist post we’ll see some other ways to inject php code inside various files in the servers remote system.

If the remote system has the apache access.log accesible via web a hacker can inject php code inside.

6

Php code can be injected via netcat. By trying to browse and invalid page, the GET request will be stored inside the apache log file:

7

Then the attacker can call the log file and enjoy the remote code execution.

8

Various pieces of code can be executed.

9

If the remote box has ssh auth.log accesible, malicious code can be injected via SSH

10

By trying to log into the system using an invalid username, the name used will be stored inside auth.log. So the hacker can inject code that way.

11

Other scenario is presented when the remote and LFI vulnerable web application stores – not sanitized –  data inside a session file. Let’s think about some piece of code like the following:

if($user==’admin’ and $password==’admin1234′){
$_SESSION[“auth”] = 1;
foreach ($_POST as $key => $value) {
if ( substr($key, 0, 4) == ‘cms_’ ) {
$_SESSION[$key] = $value;
}
}

At this point, all post variables starting with cms_ will be included inside the session file, so an attacker can use that to inject evil code.

An attacker can use some proxy like PAROS to alter http traffic on the fly:

12

13

By altering the traffic, an attacker will be able to inject a third post variable:

14

So the attacker can include a variable called cms_whatever and inject php code inside:

15

Using PAROS, the attacker can look for the session ID.

16

And now he’s able to exploit the LFI and call the php session file

17

In a real life scenario, the attacker will include an evil file like a backdoor and gain control of the server.

A shell can be obtained using a php, perl, python or whatever reverseshell like this

18

Files can be transfered to the remote server via an HTTP server and the wget command used along with the shell_exec php function.

19

Using shell_exec in php will allow us to run system commands on the remote server.

wget

And after running the perl /tmp/ps.pl command, access is gained on the server

shell

be good!

Category : hacking series

Leave a Reply

Your email address will not be published. Required fields are marked *