LFI (LFI -> RCE)
Whenever an application appears to fetch a file or page by name, test for LFI.
LFI
Requesting a file by name through the web page returns that file's contents.

Looking at the URL
http://10.10.10.84/browse.php?file=phpinfo.php
, the requested file is selected by the parameter file.
Since the resource is chosen through a GET parameter, the next step is to test that parameter for
LFI

LFI (Local File Inclusion) is a vulnerability in which a file path supplied to the web application is passed to an include (or similar file-loading) call, so files local to the server are read (and, in the case of PHP files, executed) and their contents end up in the response.
Since
/etc/passwd
is a world-readable file, requesting it is a reliable check for LFI: the response contains the file's contents, which confirms the vulnerability.
Interesting files to look for
PHP-Filter File Read
Whenever an LFI is identified, try to obtain the source of the *.php files through the php://filter wrapper (php://filter/convert.base64-encode/resource=<file>), which returns the file base64-encoded instead of executing it.
Sometimes a page vulnerable to LFI does not return the encoded PHP source as expected when using the php filter, commonly because the application appends the .php extension itself, so try the value without the .php extension.
LFI to RCE
Log files are generated by a service and record, for each request, details such as which IP accessed the service, which resource was requested and at what time.
Log poisoning is the technique of writing code into a log file through one of those attacker-controlled fields; when chained with LFI, including the poisoned log executes that code, which results in
RCE
(Remote Code Execution). Since LFI has already been confirmed, the next step is to obtain the HTTP access log file.
On Debian-based distributions the Apache access log is at
/var/log/apache2/access.log
On RHEL / Red Hat / CentOS / Fedora the Apache access log is at
/var/log/httpd/access_log
On FreeBSD the Apache access log is at
/var/log/httpd-access.log
Requesting the log file through the LFI returns its contents, which confirms that the web server user can read it and makes log poisoning possible.

Legend (fields of one access-log entry, colour-coded in the original screenshot)
RED - IP address of the client that requested the resource
BLUE - date and time of the request
GREEN - requested resource
PURPLE - User-Agent
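The same log fields seen from the defender's side: a small scanner, added here and not part of the original write-up, that parses Apache combined-log lines and checks the attacker-controlled fields (request, referer, User-Agent) for LFI probes, php:// wrappers and PHP tags written into the log. The lines in SAMPLE_LOG are constructed for the demo and the INDICATORS list is a starting point, not a complete ruleset.

```python
"""Scan Apache combined-log lines for LFI probing and log-poisoning attempts.

Added example, not code from the original write-up. SAMPLE_LOG is constructed
for the demo; INDICATORS is an illustrative starting set of patterns.
"""
import re

# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>.*)")?$'
)

INDICATORS = [
    ("php_tag", re.compile(r"<\?(php|=)", re.I)),              # code written into the log
    ("php_wrapper", re.compile(r"php://", re.I)),               # php://filter, php://input
    ("traversal", re.compile(r"(\.\./|%2e%2e%2f|\.\.\\)", re.I)),
    ("sensitive_path", re.compile(r"/etc/passwd|/var/log/", re.I)),
]

# Constructed sample: benign request, LFI probe, php://filter read,
# User-Agent poisoning, and the trigger that includes the log with rce=id.
SAMPLE_LOG = [
    '10.10.14.2 - - [12/Mar/2018:10:00:01 +0000] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.10.14.2 - - [12/Mar/2018:10:00:07 +0000] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 1420 "-" "curl/7.58.0"',
    '10.10.14.2 - - [12/Mar/2018:10:00:19 +0000] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse HTTP/1.1" 200 2211 "-" "curl/7.58.0"',
    '10.10.14.2 - - [12/Mar/2018:10:02:03 +0000] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 1043 "-" "<?php system($_GET[\'rce\']); ?>"',
    '10.10.14.2 - - [12/Mar/2018:10:02:41 +0000] "GET /browse.php?file=/var/log/apache2/access.log&rce=id HTTP/1.1" 200 90211 "-" "curl/7.58.0"',
]


def parse_line(line):
    """Split one combined-log line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_line(line):
    """Return [(field, indicator), ...] for the attacker-controlled fields of one line."""
    rec = parse_line(line)
    if rec is None:
        # A poisoned User-Agent can also break the line format, which is itself a signal.
        return [("raw", "unparseable")]
    hits = []
    for field in ("request", "referer", "ua"):
        value = rec.get(field) or ""
        for name, rx in INDICATORS:
            if rx.search(value):
                hits.append((field, name))
    return hits


def scan(lines):
    """Findings across a whole log: one dict per (line, field, indicator)."""
    findings = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line) or {}
        for field, name in scan_line(line):
            findings.append({"line": number, "ip": rec.get("ip"),
                             "field": field, "indicator": name})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it against a real access log with `scan(open(path))`; the User-Agent hit on line 4 followed by a request for the log path on line 5 is the poisoning-then-trigger sequence described above.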
Next, inject PHP code through the User-Agent header and then request the log file again through the LFI, which should result in RCE. The injected code reads a GET parameter named rce.
The web page is requested with the PHP code placed in the
User-Agent
header.

Requesting the log file again now produces an error.

The error message says that a variable is expected: the rce parameter that the code injected in the previous request reads, which this request did not supply.
Notice that the PHP code was injected in the User-Agent header and the error message appears exactly where the User-Agent value sits in the log entry, which shows that the injected code is being executed.
Requesting the log file once more with the
rce
parameter set (the parameter the injected PHP code passes to the shell) gives command execution.

With code execution confirmed, a reverse shell can be obtained from this RCE.
The reverse shell is obtained as the web server user,
www
