PHP Include And Post Exploitation: Walkthrough

This challenge is all about escalating a local file inclusion vulnerability to gain a shell on the box.
So let's jump in. You can again download the vulnerable ISO for this challenge from the link given below.

The exercise is about chaining individual vulnerabilities into something deadly. If any of you are not aware of LFI (I will post detailed material on this later), for the time being you can read about it here:

Install the ISO and it will present you with a web page something like the one below.

It asks the user to submit papers/documents in PDF format. The typical URL of a page was
So I did a little fiddling with the other pages as well, like login, which presented a page that was included with page=

So the possible PHP code behind it could be

From the above behaviour of the application, it looked like the page could be vulnerable to LFI. I tried to include a local file

As expected, the page generated an error because it was appending .php to the end of every included file, giving /etc/passwd.php, which is obviously not something present in that path.

Then I checked the PHP version, which was reflected in the HTTP response. As expected, the PHP version of the application was older than 5.3.4, and versions below that one have an exploitable issue called the null byte injection vulnerability.

I injected a null byte at the end of the file name and we got the expected output of /etc/passwd.


Now that LFI is confirmed, let us try to exploit the file upload function in the submit section.
This upload section only allows PDF files; no other file type was accepted during upload. However, the file content validation was based only on the file header. Therefore an attacker could easily bypass such checks by adding a valid PDF header at the beginning, followed by the PHP code. I added %PDF-1.7 as a header above my PHP code.


To get the shell we need to access the file. Our file got uploaded to the uploads section of the application


Now it's time to chain the vulnerabilities: LFI + file upload = RCE

I attached a netcat listener on my attacker machine and made the code respond to the attacker machine using netcat

And there we go, on our attacker machine
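
The chain above works because the page parameter reaches include as a path and because the upload check trusts the file header. The following PHP is an added example of closing both links, not code from the challenge application; it assumes PHP 7.1+, and the page names, directory paths and function names are hypothetical.

```php
<?php
// Added example, not the challenge's code. Page names, paths and function
// names are assumptions made for illustration.

// 1. Inclusion: the request value is only ever used as a key into a fixed
//    map, so it never becomes part of a filesystem path.
const PAGES = ['intro' => 'intro.php', 'login' => 'login.php', 'submit' => 'submit.php'];

function resolve_page($param): string
{
    // "../../etc/passwd", a trailing null byte or an array value all miss
    // the map and fall back to the default page.
    $key = (is_string($param) && array_key_exists($param, PAGES)) ? $param : 'intro';
    return __DIR__ . '/pages/' . PAGES[$key];
}

// 2. Upload: "%PDF-" at offset 0 is a sanity check, not a security boundary.
//    The controls that matter are a server-generated name and a storage
//    directory outside the document root, so the file is never served or
//    executed directly.
const UPLOAD_DIR = '/var/lib/papers/uploads'; // assumed location

function store_pdf(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $data = file_get_contents($file['tmp_name']);
    if ($data === false || strncmp($data, '%PDF-', 5) !== 0) {
        return null; // does not even look like a PDF
    }
    if (stripos($data, '<?php') !== false) {
        return null; // cheap extra reject; short open tags can still slip past
    }
    $name = bin2hex(random_bytes(16)) . '.pdf'; // client file name is discarded
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name; // hand out via a download script, never via include
}

include resolve_page($_GET['page'] ?? 'intro');
```

With the allow-list in place an uploaded file can no longer be reached through page=, whatever its content, so the header check stops being the only barrier.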
