Method
- Scanned the network to discover the target server [Net Discover]
- Port scanned the target to determine the running services on the target [Unicorn Scan]
- Interacted with the web server, found the Local File Include (LFI) vulnerable point and a page with upload function. [Firefox]
- Construct and upload a PHP shell onto the web server (have to bypass server end file validation). [Burp proxy]
- Gain remote access by running the PHP shell via LFI vulnerability which we found before. [Burp proxy]
Tools
Walk-through
Find the LFI weakness
The attacker interacts with the web server, by using “Firefox” browser to graphically render the web application on the target. Upon viewing the page, the attacker know that this is a site which is calling for papers for a conference. On the right hand side, is the navigation menu to “home” (show the home page), “submit” (jump to paper upload form page) and “login” (which asks the attacker to login). The attacker noticed the URL’s parameter is “?page=submit” in submit page and “?page=login” in login page. After the attacker tried to replace the parameter “submit” in submit page to “./login” and the login page is presented from the web server. That means here is the LFI vulnerable point. In order to double check this vulnerability, the attacker construct the following URL “http://10.10.10.130/index.php?page=/etc/passwd” to extract the famous passwd file in Linux. The attacker also check if the server is vulnerable to RFI by constructing the following URL “http://10.10.10.130/index.php?page=http://www.google.com/?”. However the server sent back error information which is illustrated that the PHP function for Remote file include is currently turned off (allow_url_fopen = On but allow_url_include = Off).Find the way to upload file (web shell) and the path where the uploaded file saved
In the submit page, the attacker only can upload a pdf file to the server (white list and file content is validated on the server end). Then the attacker inputted everything the form required and submit a normal pdf file. After that, successful uploaded page is presented. Then the attacker login to the web server with the information he just provided in the submit form. Then he found the uploaded PDF file is saved under the “uploads” folderBypass file upload validation
The attacker can only upload a PDF file due to the white list and file content validation are running on the web server side. However, many file content validation only check file header which usually first bytes of a file. So the attacker create a fake PDF file (evil.php) which has normal PDF header and followed by the PHP shell code (here the attacker using Pentest Monkey’s PHP reserve shell, which is able to connect back from the target to the attacker). Then the attacker upload the file “evil.php” to the server. Because it is only executed when someone visits the page, the attacker quickly creates a listener to wait for the PHP shell to connect into. After the attacker browse the page on the server, it causes the PHP code to be executed and a connection back to the attacker. Now, the attacker has an interactive shell on the target.Reference:
[2] OWASP Test LFI
[3] passwd file
[4] php.ini configuration file
[5] Bypass file upload validation