[WEB SECURITY] Insomnia: Whitepaper – LFI With PHPInfo Assistance
MustLive mustlive at Fri Sep 30 EDT
Whitepaper explaining how PHPInfo can be used to assist with the exploitation of LFI vulnerabilities on PHP when combined with the file.
Hello All, this paper explains a way to lead to code execution using LFI with PHPINFO.
Published (last): 27 November 2018
Like most web application vulnerabilities, Local File Inclusion is mostly caused by insufficient user input validation. Often, when developing web application software, the application needs to access internal or external resources from several points in the code. For example, there might be a need to load and evaluate PHP code from another file that is located in a different location.
Similarly, the application might need to load text files, or any other type of file, from other locations. Those are scenarios we encounter daily in web applications. The problem occurs when those inclusion functions are poorly written and controlled by users.
Most of the corporate web sites are served in various languages so that people from different countries can understand the contents of the page.
We can see such functions in applications like Facebook, Google, Twitter and more. A possible way to achieve this – especially in such applications – is by asking the user for a language preference. Supposing that the user prefers English, the application will request the file whose contents are displayed in English.
If the user chooses English, the file that will be returned is English. Similarly, if the user prefers Italian, the file that will be served is Italian. But we know that those functions are user controlled, meaning that the language preference – in this case – is provided by the user.
Local File Inclusion attacks aim to exploit such functions when they have weak user input validation. The attack succeeds when an attacker tricks the application and forces it to load other files that the attacker is not authorized to access.
In the following lines we are going to see how we can detect and exploit Local File Inclusion vulnerabilities with the final goal of executing remote system commands. Most commonly, the include statement is used.
A nice description has been published by W3Schools: Here is an example of how a page could include PHP code from a different file, inside the file that uses the include statement.
The above function, for example, allows developers to write configuration files separately and load them from other resources, without having to rewrite the configuration file each time. The previous example, though, is not user controlled. In the scenario set out before, we can imagine that the code responsible for the language choice looks like this: The above code is one of the most frequent Local File Inclusion scenarios.
A developer trusts the user input completely and passes it to the include statement. There is no check to confirm that the input provided is indeed a language name and not a different file.
An application is vulnerable every time a developer uses the include functions with input provided by a user, without validating it. An attacker could easily exploit such a mistake.
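The language-switch include described above, written out as an added example (this is not the whitepaper's own code): the vulnerable pattern first, then a hardened version that treats the user value as an allowlist key rather than a path. The `lang/` directory, the file names and the language list are assumptions made for the illustration.

```php
<?php
// Added example (not the whitepaper's own code): the language-switch include
// described above, first as the vulnerable pattern and then hardened.
// The lang/ directory, the file names and the language list are assumptions.

// --- Vulnerable form: the request value is used directly as a path. --------
function load_language_vulnerable(array $get): void
{
    // Nothing confirms that $get['lang'] is a language name; any path works,
    // including traversal sequences and files the user should never reach.
    include $get['lang'] . '.php';
}

// --- Hardened form: the user value is a lookup key, never a path. ---------
const LANG_DIR        = __DIR__ . '/lang';         // assumed location
const SUPPORTED_LANGS = ['en', 'it', 'de'];        // constructed allowlist

function resolve_language_file(?string $lang): ?string
{
    // 1. Exact-match allowlist: anything else is rejected before the filesystem is touched.
    if ($lang === null || !in_array($lang, SUPPORTED_LANGS, true)) {
        return null;
    }
    // 2. The application builds the path; the user only picked an entry.
    $candidate = LANG_DIR . '/' . $lang . '.php';
    // 3. Defence in depth: the resolved file must exist and sit inside LANG_DIR.
    $real = realpath($candidate);
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function load_language_hardened(array $get): void
{
    $file = resolve_language_file($get['lang'] ?? null);
    if ($file === null) {
        // Record the rejected value: repeated traversal strings here are an
        // early signal of LFI probing, long before any log-poisoning attempt.
        error_log('rejected lang value: ' . var_export($get['lang'] ?? null, true));
        $file = resolve_language_file('en');   // default language
    }
    if ($file !== null) {
        include $file;
    }
}

// Quick demonstration when run from the CLI (php this_file.php).
if (PHP_SAPI === 'cli') {
    foreach (['en', 'it', '../../etc/passwd', '../../var/log/apache2/access.log', null] as $value) {
        $result = resolve_language_file($value);
        printf("%-40s => %s\n", var_export($value, true), $result ?? 'REJECTED');
    }
}
```

Run from the command line without a `lang/` directory, every value is reported as REJECTED, including `en`; that is the intended fail-closed behaviour of the realpath check. Create `lang/en.php` and `lang/it.php` beside the script and only those two resolve, while the traversal strings are still rejected at the allowlist step and never reach the filesystem.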
The main goals of the attacker would be: In this blogpost, we will mainly focus on the latter one. There are several techniques to achieve this. Log poisoning is a common technique used to gain a reverse shell from an LFI vulnerability. To make it work, an attacker attempts to inject malicious input into the server log. If we control the contents of a file available on the vulnerable web application, we could insert PHP code and load the file through the LFI vulnerability to execute our code.
Back in the day, mostly, such injections were taking place through the server log files. Such files are the Apache error log, the access log and more. In the following screencaps, an invalid request is sent to the vulnerable application.
On this web application the vulnerability exists on the index. As shown, we were able to load the PHPInfo file, meaning that our code was executed. For the following examples I will be using this payload to execute system commands: The python command is a reverse shell payload that is going to connect back to us and give us a shell.
By listening on port we can see that a shell has been received. As mentioned previously, the idea is to find an accessible log file and poison it with malicious input. This is rarely feasible nowadays because of insufficient file permissions.
Yet, it is worth having a look at the most common log files. Here is a list with some of them. Another popular technique is to manipulate the process environ file.
In a nutshell, when a process is created and has an open file handle, a file descriptor will point to that requested file. If you are not familiar with file descriptors, here is an introduction. This file hosts the initial environment of the Apache process. Thus, the environment variable User-Agent is likely to appear there. As this is a well-known technique, it is likely that the environ file will be inaccessible.
Here is how a response to the following request would look: Again, with Burp, this is the malicious request sent.
Note that the User-Agent header has been modified. We have covered two different techniques to receive a remote shell from an LFI vulnerability.
More in-depth techniques will be covered in the following writings. You can find it available here: If conducted successfully, it might allow attackers to read sensitive information, access configuration files or even execute system commands remotely.
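Both techniques covered above (log poisoning and the process environ file) leave recognisable traces in the web server's own access log. As an added example that is not part of the whitepaper, the following PHP CLI script parses Apache combined-format log lines and flags the request patterns involved: traversal sequences, log-file and `/proc/self/environ` paths used as the include target, the `php://` wrapper, and a PHP open tag planted in the User-Agent. The sample log lines and the indicator list are constructed for this example.

```php
<?php
// Added example, not from the whitepaper: scan Apache combined-format access
// log lines for the traces an LFI attempt leaves (traversal sequences, log
// and /proc/self/environ paths as the include target, PHP tags in the
// User-Agent). Log lines and indicator patterns are constructed here.

const LFI_INDICATORS = [
    'traversal'       => '~\.\./~',
    'log_file_target' => '~/var/log/~i',
    'proc_environ'    => '~/proc/self/environ~i',
    'php_wrapper'     => '~php://~i',
];
const UA_INDICATOR = '~<\?php~i';   // PHP open tag planted in the User-Agent

// Parse one combined-log-format line into its fields; null if it does not match.
function parse_combined_log_line(string $line): ?array
{
    $re = '~^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"~';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip' => $m[1], 'time' => $m[2], 'request' => $m[3],
        'status' => (int) $m[4], 'referer' => $m[5], 'ua' => $m[6],
    ];
}

// Return the list of indicator names that fire for one parsed entry.
function flag_lfi_entry(array $entry): array
{
    $reasons = [];
    // Decode once so %2e%2e%2f is checked in the same form as a literal ../
    $request = urldecode($entry['request']);
    foreach (LFI_INDICATORS as $name => $pattern) {
        if (preg_match($pattern, $request)) {
            $reasons[] = $name;
        }
    }
    if (preg_match(UA_INDICATOR, $entry['ua'])) {
        $reasons[] = 'php_tag_in_user_agent';
    }
    return $reasons;
}

// Scan a list of raw lines; return only the suspicious ones with their reasons.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        $entry = parse_combined_log_line($line);
        if ($entry === null) {
            continue;
        }
        $reasons = flag_lfi_entry($entry);
        if ($reasons !== []) {
            $hits[] = [
                'line'    => $index + 1,
                'ip'      => $entry['ip'],
                'status'  => $entry['status'],
                'request' => $entry['request'],
                'reasons' => $reasons,
            ];
        }
    }
    return $hits;
}

// Constructed sample: one benign request and three probes of the kind described above.
$sample = [
    '10.0.0.5 - - [30/Sep/2011:10:00:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/Sep/2011:10:00:01 +0000] "GET /index.php?lang=../../../../var/log/apache2/access.log HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [30/Sep/2011:10:00:02 +0000] "GET /index.php?lang=../../../../proc/self/environ HTTP/1.1" 200 910 "-" "<?php phpinfo(); ?>"',
    '10.0.0.9 - - [30/Sep/2011:10:00:03 +0000] "GET /index.php?lang=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 42 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $hit) {
    // A 200 on a traversal request deserves more attention than a 404.
    printf("line %d  ip %-10s status %d  [%s]\n    %s\n",
        $hit['line'], $hit['ip'], $hit['status'], implode(', ', $hit['reasons']), $hit['request']);
}
```

The first sample line produces no hit; the other three are reported with the reasons that fired, and the URL-encoded variant on the last line is caught because the request is decoded before matching. In practice the same `scan_access_log()` can be fed `file('/var/log/apache2/access.log')`, and a hit that combines a traversal sequence, a 200 status and a PHP tag in the User-Agent is the signature of exactly the poisoning attempt this section describes.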