Pages

Saturday, July 26, 2014

[Pentester Lab] PHP LFI & Post Exploitation


Links:
watch the HD video online:   http://vimeo.com/f4l13n5now/phplfi

Method
  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to determine the running services on the target [Unicorn Scan]
  • Interacted with the web server, found the Local File Include (LFI) vulnerable point and a page with upload function. [Firefox]
  • Construct and upload a PHP shell onto the web server (have to bypass server end file validation). [Burp proxy]
  • Gain remote access by running the PHP shell via LFI vulnerability which we found before. [Burp proxy]


Tools
All the tools used here can be found in Kali linux


Walk-through
By reading the training pdf, we know what kind of vulnerabilities should be targeted to. (PHP Include vulnerability is focused on this vuln disc)

 

Find the LFI weakness

The attacker interacts with the web server, by using “Firefox” browser to graphically render the web application on the target. Upon viewing the page, the attacker know that this is a site which is calling for papers for a conference. On the right hand side, is the navigation menu to “home” (show the home page), “submit” (jump to paper upload form page) and “login” (which asks the attacker to login). The attacker noticed the URL’s parameter is “?page=submit” in submit page and “?page=login” in login page. After the attacker tried to replace the parameter “submit” in submit page to “./login” and the login page is presented from the web server. That means here is the LFI vulnerable point. In order to double check this vulnerability, the attacker construct the following URL “http://10.10.10.130/index.php?page=/etc/passwd” to extract the famous passwd file in Linux. The attacker also check if the server is vulnerable to RFI by constructing the following URL “http://10.10.10.130/index.php?page=http://www.google.com/?”. However the server sent back error information which is illustrated that the PHP function for Remote file include is currently turned off (allow_url_fopen = On but allow_url_include = Off).

 

Find the way to upload file (web shell) and the path where the uploaded file saved

In the submit page, the attacker only can upload a pdf file to the server (white list and file content is validated on the server end). Then the attacker inputted everything the form required and submit a normal pdf file. After that, successful uploaded page is presented. Then the attacker login to the web server with the information he just provided in the submit form. Then he found the uploaded PDF file is saved under the “uploads” folder

 

Bypass file upload validation

The attacker can only upload a PDF file due to the white list and file content validation are running on the web server side. However, many file content validation only check file header which usually first bytes of a file. So the attacker create a fake PDF file (evil.php) which has normal PDF header and followed by the PHP shell code (here the attacker using Pentest Monkey’s PHP reserve shell, which is able to connect back from the target to the attacker). Then the attacker upload the file “evil.php” to the server. Because it is only executed when someone visits the page, the attacker quickly creates a listener to wait for the PHP shell to connect into. After the attacker browse the page on the server, it causes the PHP code to be executed and a connection back to the attacker. Now, the attacker has an interactive shell on the target.

13 comments:


  1. Beware of scammers i have been scammed 3 times because i was trying to know if my husband was cheating until i met this hacker named; (wizardcyprushacker@gmail.com) who helped me hack into my spouse phone for real this great hacker hacked into my spouse whats-app messages,Facebook messages.text messages,call logs,deleted text messages,bitcoin account and many more i was impressed with his job and he brought me results under 24 hours believe me he is real and his services are cheap and affordable.

    ReplyDelete
  2. If you really need a professional hacker to hack your cheating boyfriend's/girlfriend's/spouse phone, whatsapp, facebook, bank account hack etc. Or credit score upgrade, I would recommend
    ETHICALHACKERS009@GMAIL.COM
    He has proven to be trustworthy, His jobs are fast and affordable. He has carried out over 3 jobs for me including helping me hack my ex wife's mobile phone and i can't forget when he cleared my credit card debts and improved my credit score to 750. I can put my money on him at anytime!. He's one of the best out there. Spreading the word as my little favor to him for all he's done. Thank me later.

    ReplyDelete
  3. I really loved reading your blog. It was very well authored and easy to understand. Unlike other blogs I have read which are really not that good.Thanks alot!
    sattaking.online

    ReplyDelete
  4. [XSS TEST_1 BEGINS] %2f%2e'"`;!?: <
    img src="/../../../../../etc/passwd"> [XSS TEST_1 ENDED]

    ReplyDelete
  5. %%3cimg src="whatev.bmp"%%3e

    ReplyDelete
  6. The below:
    <img src="https://i.chzbgr.com/full/3844705792/h20D65643/is-your-cat-on-meth" onclick="javascript:alert('lol');">woopwoop</img>
    Was made by the following base64-encoded message (to not have to convert into HTML):
    PDwhLS1YU1MtLT5pbWcgc3JjPSJmb28uYmFyIiBvbmNsaWNrPSJqYXZhc2NyaXB0OmFsZXJ0KCds
    b2wnKTsiPndvb3B3b29wPDwhLS1YU1MtLT4vaW1nPgo=

    ReplyDelete
  7. </p><img src="https://i.chzbgr.com/full/3844705792/h20D65643/is-your-cat-on-meth" onclick="javascript:alert('lol');">woopwoop</img>

    ReplyDelete
  8. nice post click heresatta
    nice post click hereSattaking
    nice post click hereSatta king
    nice post click hereSatta Matka
    nice post click hereMatka Result

    ReplyDelete
  9. Thanks and that i have a nifty offer: What Renovation Expenses Are Tax Deductible home renovation contractors near me

    ReplyDelete