This article shows how to set up local file inclusion (LFI) log poisoning on the target machine and gain unauthorized access with the help of the Apache access.log file.
Attacker: Kali Linux
Target: Metasploitable 2
Connect to the target using the SSH service, as shown in the following image.
Now log in with user as “sudo” and create a folder “lfi” inside /var/www:
cd /var/www
mkdir lfi
Now create a PHP file that lets the user include a file through the file parameter. Using the file parameter, we can then execute a file that contains malicious code and gain unauthorized access to the target PC.
<?php
// Deliberately vulnerable: the file parameter is passed to include() unchecked.
$file = $_GET['file'];
if(isset($file))
{
    include("$file");
}
else
{
    include("index.php");
}
?>
I saved the above PHP code in a text file as lfi.php and shared this file.
To download lfi.php into the lfi directory, type the following command
Now let’s browse to the following URL: 192.168.1.8/lfi/lfi.php
In the given screenshot you can see that when I browsed the lfi.php file, it showed an error that looks like a local file inclusion vulnerability.
Now I will try to open the Apache access.log file. To explore this file, I will first give read permission to apache2 and then include the access.log file.
Now include the access.log file as the file parameter by entering the following URL in the browser:
192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log
Now turn on Burp Suite to capture the request for the same web page.
Here you will get the intercepted data, where we need to inject our cmd command inside the User-Agent by replacing the highlighted data.
Add the cmd command inside the User-Agent and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&c=ps as shown in the image below. Then click Forward.
Here it will dump the log data as well as execute the command given through cmd. In the screenshot you can view both the log and the process state.
In the same manner, execute lsb_release -a through cmd and view the result in the given screenshot.
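The whole chain depends on lfi.php handing the file parameter straight to include(). For contrast, here is a hardened counterpart, added as an example that is not part of the original article; the page keys, the file names about.php and contact.php, and the pages/ directory are assumptions.

```php
<?php
// Added example (not from the original article): lfi.php rewritten so the
// request selects a page by key and never supplies a filesystem path.
// Assumptions: page files live in a pages/ directory beside this script,
// and PHP 7.1 or later is available (nullable type hints).

const PAGE_DIR = __DIR__ . '/pages';

// Allow-list: request key => file under PAGE_DIR (names are hypothetical).
const PAGES = [
    'home'    => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $requested): ?string
{
    // No parameter: fall back to the default page, as the original does.
    $key = $requested ?? 'home';

    // Anything outside the allow-list is rejected: absolute paths,
    // ../ sequences, log files and stream wrappers never reach include().
    if (!array_key_exists($key, PAGES)) {
        return null;
    }

    // Defence in depth: the resolved file must exist inside PAGE_DIR,
    // which also catches a symlink pointing elsewhere.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// A non-string value (for example file[]=x) is treated as "no parameter".
$file = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : null;
$page = resolve_page($file);

if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this version, a request such as lfi.php?file=/var/www/apachae2/access.log returns 404 because the value is not a key in the allow-list. The walkthrough also had to grant apache2 read permission on access.log before the include worked, so leaving the log unreadable by the web-server user removes that step as well.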