In
this article you will learn how make unauthorized access in a web server if it
is suffering from local file inclusion vulnerability with help of auth log
file. To perform this attack first you need to read my previous article which will help you
to create local file inclusion vulnerability manually.
Attacker: Kali Linux
Target: Metasploitable 2
Open terminal in your kali Linux and connect
the target using SSH service
From
screenshot you can see I am connected with target PC, now type following
command to check the permission for auth.log file
Ls –l /var/log/auth.log
Now if you notice the given screenshot again you will
find that the highlighted text is showing read
write permission had been given to
auth.log file.
Since
we know that the auth.log file has read permission therefore type following command
to view its logs.
Tail –f
/var/log/auth.log
The highlighted text is showing the log for the valid
user msfadmin.
Now open another terminal in kali where I will try to
connect with web server using fake user name and then confirm whether any log
is generated inside auth.log file for invalid user or not.
Ssh
hacker@192.168.1.105
When
you move back to your previous terminal you find it has created a log for
invalid user hacker which you can also check in the given screenshot.
Hence it is confirm that auth.log file generates log for
every failed and pass login when we try to connect with web server. Taking
advantage of this feature now I will send PHP
code as fake user and it will get added automatically in auth.log file as
new log.
Ssh ‘’@192.168.1.105
Again when you check its log, you will find the PHP code has
been added as new log.
Since
I have already created LFI vulnerability manually inside the web server, so if
you want to create LFI vulnerability view above link of previous article.
In
given screenshot you can see when I have browse lfi.php file; it has shown some
error which looks like local file inclusion vulnerability.
Now include the auth.log file as file parameter and give following
URL inside browser.
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
From
screenshot you can read the warning
cannot execute blank command, it means our PHP code which was containing
CMD comment is successfully injected now only we need to send any command as
parameter
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps
Here it will dump the data of auth log as well as execute
comment given through cmd. From screenshot you can view both log as well as
process state.
In same way execute pwd through cmd and view the result from
inside the given screenshot.
0 comments:
Post a Comment