[PentesterLab] PHP LFI & Post Exploitation

“This course details the discovery and the exploitation of PHP include vulnerabilities in a limited environment. Then it introduces the basics of post exploitation: shell, reverse-shell and TCP redirection.” – PentesterLab

More information and ISO download please check here. The official course is highly recommanded to read.

Difficulty: 2 / 5

Links

watch video online:

Method

  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to determine the running services on the target [Unicorn Scan]
  • Interacted with the web server, found the Local File Include (LFI) vulnerable point and a page with upload function. [Firefox]
  • Construct and upload a PHP shell onto the web server (have to bypass server end file validation). [Burp proxy]
  • Gain remote access by running the PHP shell via LFI vulnerability which we found before. [Burp proxy]

Tools

All the tools used here can be found in Kali linux * Net Discover * Unicorn Scan * Firefox * Netcat * php-reverse-shell * Wget

Walkthrough

By reading the training course, we know what kind of vulnerabilities should be targeted to. (PHP Include vulnerability is focused on this course)

Find the LFI weakness

The attacker interacts with the web server, by using Firefox browser to graphically render the web application on the target. Upon viewing the page, the attacker know that this site is calling for papers for a conference.

On the right hand side, which is the navigation menu to home (show the home page), submit (jump to paper upload form page) and login (which asks the attacker to login).

The attacker noticed the URL’s parameter is ?page=submit in submit page and ?page=login in login page. After the attacker tried to replace the parameter submit in submit page to ./login and the login page is presented from the web server. That means here is the LFI vulnerable point.

In order to double check this vulnerability, the attacker construct the following URL http://10.10.10.130/index.php?page=/etc/passwd to extract the default passwd file in Linux. The attacker also check if the server is vulnerable to RFI by constructing the following URL http://10.10.10.130/index.php?page=http://www.google.com/?. However the server sent back error information which is illustrated that the PHP function for Remote file include is currently turned off (allow_url_fopen = On but allow_url_include = Off).

Find the way to upload file (web shell) and the path where the uploaded file saved

In the submit page, the attacker only can upload a pdf file to the server (white list and file content is validated on the server end).

Then the attacker input everything the form required and submit a normal pdf file. After that, successful uploaded page is presented. The attacker login to the web server with the information he just provided in the submit form and he found the uploaded PDF file is saved under the uploads folder.

Bypass file upload validation

The attacker can only upload a PDF file due to the white list and file content validation is running on the server side. However, many file content validation only check file header which usually first bytes of a file. So the attacker create a fake PDF file (evil.pdf) which has normal PDF header and followed by the PHP shell code (here the attacker using Pentest Monkey’s PHP reserve shell, which is able to connect back from the target to the attacker).

Then the attacker upload the file evil.php to the server. Because it is only executed when someone visits the page, the attacker quickly creates a listener to wait for the PHP shell to connect back.

After the attacker browse the page on the server, it causes the PHP code to be executed and a connection back to the attacker. Now, the attacker has an interactive shell on the target.

Reference:

  1. OWASP Test LFI
  2. passwd file
  3. php.ini configuration file
  4. Bypass file upload validation
2015-05-31 05:19:10 -0400