This challenge is all about escalating a Local File Inclusion (LFI) vulnerability to gain a shell on the box.
So let's jump into it. You can download the vulnerable ISO for this challenge from the link given below.
https://www.pentesterlab.com/exercises/php_include_and_post_exploitation/
The exercise is about chaining individual vulnerabilities into something deadly. If any of you are not aware of LFI (I will post detailed material on this later), for the time being you can read about it here: https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
Install the ISO and it will present you with a web page something like the one below.
It asks the user to submit papers/documents in PDF format. The typical URL of the page was
http://192.168.0.102/index.php?page=submit
So I did a little fiddling with other pages as well, like login etc. It presented whatever page was named in the page= parameter.
So the possible PHP code behind it could be
<?php
// user input is concatenated straight into the include path, with ".php" appended
include($_GET['page'] . '.php');
?>
So from the above behaviour, the application was showing signs that the page parameter could be vulnerable to LFI. So I tried to include a local file,
/etc/passwd
http://192.168.0.102/index.php?page=../etc/passwd
As expected the page generated an error because it was appending .php at the end of every file included,
like
/etc/passwd.php, which is obviously not a file present at that path. Then I checked the version of PHP, which was being reflected in the HTTP response. As expected, the PHP version of the application was older than 5.3.4, and versions below that one are affected by the null byte injection vulnerability.
I injected a null byte at the end of the file name and we got the expected output of /etc/passwd.
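The include pattern reconstructed above is the root cause: the request parameter is concatenated into the path, and on PHP older than 5.3.4 a trailing null byte truncates the string before the appended suffix. As an added example (this is not the lab's code or the author's), here is that vulnerable pattern next to a hardened version that maps page names through a fixed allowlist, so no user-controlled string is ever part of the path and the PHP version stops mattering. The page names, file paths and function names are assumptions for illustration.

```php
<?php
// Added example, not the lab's code: vulnerable include beside an allowlist fix.

// Vulnerable: user input reaches include() with only a suffix appended.
// On PHP < 5.3.4 a trailing null byte (%00) truncates the path before the
// ".php" suffix, so traversal sequences then reach arbitrary files.
function include_page_vulnerable(string $page): void
{
    include($page . '.php');
}

// Hardened: the request value is only ever used as a lookup key.
// Traversal, null bytes and alternative extensions are irrelevant because
// the filesystem path comes from this table, never from the request.
// (Page names and paths below are hypothetical.)
const PAGES = [
    'index'  => 'pages/index.php',
    'submit' => 'pages/submit.php',
    'login'  => 'pages/login.php',
];

function resolve_page(mixed $page): ?string
{
    if ($page === null) {
        return PAGES['index'];            // default page
    }
    if (!is_string($page)) {
        return null;                      // page[]=... arrays are rejected
    }
    return PAGES[$page] ?? null;          // unknown names map to no file at all
}

function include_page_hardened(mixed $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include __DIR__ . '/' . $file;
}

// Usage in the front controller:
// include_page_hardened($_GET['page'] ?? null);
```

The allowlist is the actual fix; upgrading PHP to close the null byte truncation is only defence in depth, since a concatenated include remains vulnerable to traversal into any `.php` file the web server can read (an uploaded one, for instance).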
Now LFI is confirmed, so let us try to exploit the file upload function in the submit section.
This upload section only allows PDF files; no other file type was accepted during upload. However, the file content validation was based only on the file header. Therefore an attacker could easily bypass such checks by adding a valid PDF header at the beginning, followed by the PHP shell. So I added %PDF-1.7 as a header above my PHP code.
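A header-only check is the weak link described above: the first bytes say "%PDF-" and everything after them is never looked at. As an added example (not the lab's code or the author's), here is that weak check next to a hardened upload handler that layers several independent checks and, most importantly, stores the file under a server-chosen name outside the web root so that even a file that slips through cannot be reached by an include. The directory paths, the form field name and the function names are assumptions for illustration.

```php
<?php
// Added example, not the lab's code: header-only validation beside a layered one.

// Weak: checks only the magic bytes, keeps the client's filename and stores
// the file under the web root, where an LFI can later include it.
function upload_weak(array $file, string $uploadDir): bool
{
    $head = file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($head !== '%PDF-') {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $file['name']);
}

// Hardened: no single check is the only barrier. Returns the stored name
// (for a database record) or null on rejection. $storeDir is assumed to be
// outside the document root and not served by the web server.
function upload_hardened(array $file, string $storeDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // 1. Extension allowlist on the client-supplied name (used for the check only,
    //    never for storage).
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'pdf') {
        return null;
    }
    // 2. MIME detection over the real content via fileinfo (libmagic).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
        return null;
    }
    // 3. Reject PHP open tags anywhere in the body, not just at the start.
    //    This is a heuristic (genuine PDFs may contain "<?xpacket" XMP headers,
    //    so only the PHP-specific forms are checked); step 4 is the real barrier.
    $body = file_get_contents($file['tmp_name']);
    if ($body === false || stripos($body, '<?php') !== false || strpos($body, '<?=') !== false) {
        return null;
    }
    // 4. Random server-chosen name, stored outside the web root, non-executable.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);
    return $name;
}

// Usage (form field name "paper" is assumed):
// $stored = upload_hardened($_FILES['paper'], '/var/app/private/uploads');
// if ($stored === null) { http_response_code(400); exit('Rejected'); }
```

Together with the allowlisted include from the earlier example, this breaks both halves of the chain: the upload can no longer land a `.php`-interpretable file under the web root, and the include can no longer be pointed at an arbitrary path even if one did.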
To get the shell we need to access the file, and our file got uploaded to the uploads section of the application.
Now it's time to chain the vulnerabilities: LFI + file upload = RCE.
I attached a netcat listener on my attacker machine and made the code connect back to the attacker machine using netcat.
There we go, in our attacker machine.