LFI (LFI -> RCE)

Whenever an application appears to retrieve a file by name, always check for LFI.

LFI

  • Requesting a file by the name shown on the web page returns the requested page

File being retrieved with the ?file parameter
  • Looking at the URL http://10.10.10.84/browse.php?file=phpinfo.php, the requested file is fetched through the file parameter

  • Since the requested resource is fetched through a GET parameter, let's test whether LFI is possible

LFI Confirmed
  • LFI (Local File Inclusion) is a vulnerability where local files on the server can be requested through the web service and their contents are displayed in the web app

  • Since /etc/passwd is a world-readable file, we can use it to check for LFI, and we obtained its contents

Interesting files to look for

PHP Filter File Read

  • Whenever an LFI is identified, try to obtain the source of the *.php files with the php://filter wrapper

  • Sometimes a page vulnerable to LFI will not return the encoded PHP content as expected when using the php filter, so try the value without the .php extension (the application may append the extension itself)

LFI to RCE

  • Log files are system-generated files for a service; they record details such as which IP accessed the service, which resource was requested, and at what time

  • Log poisoning is a technique where code is injected into a log file; when chained with LFI, it can result in RCE (Remote Code Execution)

  • Since we have already confirmed the LFI, let's try to obtain the HTTP access log.

For Debian-based distributions the Apache log file will be under /var/log/apache2/access.log

For RHEL / Red Hat / CentOS / Fedora the Apache log file will be under /var/log/httpd/access_log

For FreeBSD the Apache log file location will be /var/log/httpd-access.log

  • Requesting the log file through the LFI gives us access to its contents, which makes log poisoning possible

Log file access
  • Legend

    • RED - IP address of the user who requested the resource

    • BLUE - TIME and DATE of request

    • GREEN - Requested Resource

    • PURPLE - User-Agent

  • Let's inject some code via the User-Agent header and then request the log file, which could result in RCE

  • Requesting the web page with PHP code injected in the User-Agent header

Injecting
  • Requesting the log file again now produces an error

Accessing
  • The error message says that it is expecting a variable, the one we referenced in the injected code of the previous request

  • Notice that the PHP code injection took place in the User-Agent header, and the error message is produced exactly where the User-Agent value appears in the log

  • Requesting the resource again with the rce parameter supplied (the parameter used by the injected PHP code), we obtain code execution

RCE
  • Since code execution is successful, a reverse shell can be obtained from this RCE

  • The reverse shell is obtained as the www user

Shell
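From the defender's side, the same access log that gets poisoned is also where this whole chain leaves traces. The following is an added example, not part of the original notes: a small Python scanner over constructed Apache combined-format log lines (modelled on the browse.php?file= parameter above) that flags traversal and sensitive-file reads in the request path, php:// wrapper use, and PHP open tags in the User-Agent field. Field names, indicator names and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip - - [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators checked against the (decoded) request line
PATH_INDICATORS = {
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "sensitive_file": re.compile(r"/etc/passwd|/var/log/(apache2|httpd)/|/var/log/httpd-access\.log"),
    "php_wrapper": re.compile(r"php://(filter|input)", re.I),
}
# Indicators checked against the (decoded) User-Agent: a PHP open tag in a UA is a log-poisoning attempt
AGENT_INDICATORS = {"php_tag_in_ua": re.compile(r"<\?(php|=)", re.I)}

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def decode(value):
    # Decode twice so double-URL-encoded traversal (%252e%252e) is also caught
    return unquote(unquote(value))

def classify(entry):
    """Return the indicator names triggered by one parsed entry (empty list if benign)."""
    hits = []
    path, agent = decode(entry["request"]), decode(entry["agent"])
    hits += [name for name, rx in PATH_INDICATORS.items() if rx.search(path)]
    hits += [name for name, rx in AGENT_INDICATORS.items() if rx.search(agent)]
    return hits

def scan(lines):
    """Return (ip, request, hits) for every parseable line that triggered an indicator."""
    results = []
    for line in lines:
        entry = parse_line(line)
        if entry and (hits := classify(entry)):
            results.append((entry["ip"], entry["request"], hits))
    return results

# Constructed sample log lines (assumed IPs and timestamps), one per stage of the chain
SAMPLE_LOG = [
    '10.10.14.5 - - [10/Mar/2024:10:00:01 +0000] "GET /browse.php?file=phpinfo.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:10:00:02 +0000] "GET /browse.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:10:00:03 +0000] "GET /browse.php?file=php://filter/convert.base64-encode/resource=browse HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [10/Mar/2024:10:00:04 +0000] "GET /browse.php?file=/var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    "10.10.14.5 - - [10/Mar/2024:10:00:05 +0000] \"GET / HTTP/1.1\" 200 10 \"-\" \"<?php echo 'test'; ?>\"",
]

if __name__ == "__main__":
    for ip, request, hits in scan(SAMPLE_LOG):
        print(ip, request, hits)
```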
