🐝
OSCP 2022 Materials
  • General
    • Whoami
    • Resources
    • Frequently Asked Questions
    • Shared Resource
  • Enumeration
    • Foreword
    • FTP
    • SMTP
    • DNS
    • Finger
    • HTTP/ HTTPS
      • Login Attacks
        • PHP Logins
      • XSS
      • LFI ( LFI -> RCE )
      • RFI ( RFI -> RCE )
      • CMS Exploitation
        • Wordpress
        • Magento
        • Bludit
        • Tomcat
        • Drupal
      • PHPMyAdmin
    • Kerberos
    • POP3
    • SMB
    • IMAP
    • SNMP
    • IRC
    • RSync
    • MSSQL
    • NFS
    • REDIS
    • Port Forwarding
  • Linux Post Exploitation
    • Post Exploit Checks
    • Pivoting ( ProxyChains )
  • Windows Post Exploitation
    • Post Exploit Checks
    • Active Directory ( Recon -> PE)
    • Notes
      • Powershell
      • Commands
  • Buffer Overflow
    • Hackthebox
    • TryHackMe
  • Mobile Pentesting
    • Android Pentesting
      • Lab TroubleShoot
      • Root Detection Bypass ( Manual )
      • Physical Device
  • MISC
    • Useful
    • Web
    • Linux
    • Application Specific
    • Programming Notes for Offensive Security
      • Python
    • Forensics
      • Disk Forensics
    • Inspection
    • Troubleshooting
      • Mouse Flickering
Powered by GitBook
On this page
  • LFI
  • Intresting files to look for
  • Php-Filter File Read
  • LFI to RCE

Was this helpful?

  1. Enumeration
  2. HTTP/ HTTPS

LFI ( LFI -> RCE )

PreviousXSSNextRFI ( RFI -> RCE )

Last updated 2 years ago

Was this helpful?

Whenever an application seems to retrieve something always check for LFI.

LFI

  • Searching for files as specified in the web page provides us with the requested page

  • Looking at the url http://10.10.10.84/browse.php?file=phpinfo.[php](<http://10.10.10.84/browse.php?file=info.php>), the requested file is being fetched with the parameter file

  • Since the requested resource are being fetched on a GET parameter, lets test for the availability of LFI

  • LFI (Local File Inclusion) is a vulnerability where the system files are requested via web service and the contents are displayed in the web app

  • Since the /etc/passwd is a globally readable file, we are able to check for the availablility of the LFI and obtainted the output

Intresting files to look for

/etc/passwd
/etc/apache2/sites-enabled/000-default.conf # know the location of the web files
/etc/hosts # neighbouring hosts ?
/etc/knockd.conf # port knocking sequence
log files ? --> RCE

Php-Filter File Read

  • Whenever an LFI is identified try to obtain the contents of the *.php files with php filter

?file=php://filter/convert.base64-encode/resource=index.php
?file=php://filter/convert.base64-encode/resource=config.php
?file=php://filter/convert.base64-encode/resource=/etc/passwd

  • Some times the page which are vulnerbale to LFI will not show encoded php content as expected when using php filter, so check the value without the .php extension

?file=php://filter/convert.base64-encode/resource=index
?file=php://filter/convert.base64-encode/resource=config

LFI to RCE

  • Log files are system generated files for a service, the log files contain aspects like which IP accessed the service, which resource was requested, on which time stuffs like that

  • Log Poisoning is a technique where the log files are injected with some code and when chained with LFI, it could result in RCE (Remote Code Execution)

  • Since we already confirmed the existence of LFI, lets try to obtain the http log file.

For debian distribution the apache log file will be under /var/log/apache2/access.log

For RHEL / Red Hat / CENT OS / Fedora the apache log file will be under /var/log/httpd/access_log

For the freebsd distros the apache log file location will be /var/log/httpd-access.log

  • Requesting the log file in the web service LFi and we have access to the log file which makes the possibility of log poisoning

  • Legend

    • RED - IP address of the user who requested the resource

    • BLUE - TIME and DATE of request

    • GREEN - Requested Resource

    • PURPLE - User-Agent

  • Lets Inject some code in the user-agent parameter and request the log file which could result in RCE

  • Requesting the web page with php code injected in the User-Agent header

  • Now again requesting the log file generates an error

  • The Error Message says that its expecting a varible which we modified in the previous request

  • Notice, The php code injection took place at the User-Agent Header and the Error message is also produced where the user agent value will be

  • Now again requesting the resource with the rce parameter specified (which was the injected php code) we are able to obtain the code execution

  • Since the code execution is successful, a reverse shell can be obtained from this rce

  • The reverse shell is obtained as www

File being retrived with ?file parameter
LFI Confirmed
Log file access
Injecting
Accessing
RCE
Shell