PHP LFI: Local File Inclusion
Types, exploitation, and prevention
The following presentation is for Educational Purposes Only
We do not condone the use of the contents of this talk for nefarious or illegal purposes.
PHP Basics
What is PHP? Hypertext Preprocessor
What does that really mean?
Code is executed server side at runtime
HTML is the output
Can be configured so that pages are served without .php URLs
PHP Basics
Example PHP script:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Example</title>
</head>
<body>
<?php
$msg = "Hi, I'm a PHP script!";
echo $msg;
?>
</body>
</html>
PHP Include
What is the PHP include function?
The include statement includes and evaluates the specified file.
PHP Include/Eval
Example 2:
<?php
// Vulnerable: the request parameter goes straight into the include path
if (isset($_REQUEST["file"])) {
    $file = $_REQUEST["file"];
    include("$file.php");
}
?>
Better LFI design
Example 3:
<?php
if (isset($_GET["file"])) {
    // remove any attempts at directory traversal
    $file = str_replace('../', '', $_GET['file']);
    include("$file.php");
}
?>
LFI detection bypasses
Even our "Better" design has flaws.
Bypassed by URL-encoding the traversal characters as hexadecimal escapes:
http://example.com/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
".php" can be stripped off the request via a poison null byte (%00), which truncates the path (PHP 5.3.4 and later reject include paths containing a null byte):
http://example.com/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00
Most secure LFI - Whitelisting
Allow user input, but only from select choices
Protect your code!
What now?
So, we can execute local files as PHP code, what can this get us?
If we can get files uploaded to the server, even in /tmp, we can include them as executable PHP.
Can you think of typical ways to get files on a system?
Typical Apache Log file
Legend for the highlighted sample log line (image not reproduced):
Green = source IP address
Yellow = requested URL and GET parameters
Pink = HTTP server return code
Blue = user agent of browser
LFI Exploit- Access Log
Include the Apache access log
Via telnet HTTP request
Via curl/wget
Using a regular browser will likely not work, as the browser makes automatic substitutions before actually making the request.
Via modifying the User-Agent to contain PHP
Log Injection
3 stage attack
Seed logfile with appropriate PHP code
Locate logfile on system
Include logfile to execute PHP code
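On the defensive side, every stage of the log-injection sequence above leaves a request in the same access log. The script below is an added example, not part of the talk: it parses constructed Apache combined-format log lines and flags the indicators discussed on these slides (traversal, null bytes, php:// wrappers, /proc/self/environ, PHP tags in the User-Agent). The field names, patterns and log lines are my own, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the talk): scan Apache combined-format access-log
// lines for the LFI indicators covered in these slides. The log lines are
// constructed; the patterns are illustrative, not an exhaustive ruleset.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Mar/2010:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:00:02 +0000] "GET /index.php?file=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:00:03 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2010:12:00:04 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 3001 "-" "<?php phpinfo(); ?>"
LOG;

// Split one combined-format line into the fields the slide legend names
// (source IP, request URL, status code, user agent); null if it does not parse.
function parse_line(string $line): ?array
{
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"#';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'url' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Judge the URL-decoded request, so %2F and %00 are seen as the characters
// PHP itself would have received in $_GET.
function lfi_indicators(array $req): array
{
    $url  = urldecode($req['url']);
    $hits = [];
    if (preg_match('#\.\.[\\\\/]#', $url))             { $hits[] = 'traversal'; }
    if (strpos($url, "\0") !== false)                  { $hits[] = 'null_byte'; }
    if (preg_match('#[=&?]php://#i', $url))            { $hits[] = 'php_wrapper'; }
    if (stripos($url, '/proc/self/environ') !== false) { $hits[] = 'proc_environ'; }
    if (preg_match('#<\?(php|=)#i', $req['ua']))       { $hits[] = 'php_in_user_agent'; }
    return $hits;
}

// One alert per suspicious request; a 200 on such a request is the case to
// escalate first, since the include may actually have succeeded.
function scan_log(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_line($line);
        if ($req !== null && ($hits = lfi_indicators($req))) {
            $alerts[] = $req + ['indicators' => $hits];
        }
    }
    return $alerts;
}
foreach (scan_log($sample_log) as $a) {
    printf("%s %s %d %s %s\n", $a['time'], $a['ip'], $a['status'], implode(',', $a['indicators']), $a['url']);
}
```

Run against the constructed lines, the first request produces no alert and the other three are flagged with one or more indicators each; the same functions can be pointed at a real access.log by replacing $sample_log with file_get_contents().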
LFI Exploit – PHP Input
Execute PHP code using the php://input wrapper and POSTing PHP code/commands
Hackbar Firefox extension makes this very easy
https://addons.mozilla.org/en-us/firefox/addon/hackbar/
So easy we almost didn’t need a talk…
LFI Exploit - /proc/self/environ
Include /proc/self/environ
If Apache has rights to view it, including it will list the current process's environment, including things like HTTP_USER_AGENT.
If you have previously modified your User-Agent to contain PHP code (say "<?php phpinfo(); ?>" instead of "Mozilla/5.0") it will execute as PHP code when environ is included.
Don't run into this one very often; most systems do not allow Apache read permissions on environ.
LFI Exploit – PHP Session
Include your PHP session file
Determine your session ID from browser cookies
The trick to this one is identifying where your session file is stored; if the admin has configured unique settings, it may prove difficult.
Try to include from the normal session storage locations:
/tmp/sess_mysessionid%00
/var/lib/php5/sess_mysessionid%00
LFI Exploit – Allowed Uploads
Some websites allow users to upload files as part of the use of the app. Typically an avatar or picture upload.
Edit an image file, and place plaintext PHP code somewhere in the middle of the image file. The image should still pass filetype validation due to the appropriate header.
Include the picture using the LFI and voila.
Gibson Powering Up…
Demo time…
Hack the planet!
LFI Exploit – Read Files
Read any file on the filesystem
Since all included files that contain PHP are executed upon include, we can never read any of the PHP files; they instead execute.
PHP filters will bypass this.
PHP Filters LFI Use
index.php?page=php://filter/read=convert.base64-encode/resource=config
This will base64-encode the resource "config" (as if it was index.php?page=config, but base64'd). With that, your code won't be executed, and you can base64_decode() it afterwards to get the original config.php file. This method doesn't need magic quotes, but you need PHP 5 or higher.
LFI Reconnaissance
Does a folder exist?
Simply attempt to directory-traverse in and out of the directory. If it exists, the include will work.
index.php?page=../../../../../../var/www/doiexist/../../../../../etc/passwd%00
LFI -> Root Steps
Recon the application / locate LFI injection point
Use LFI to gather as much data about the system as you can
Drop file upload script into /tmp
Use file upload script to add additional files to the system
Use shell to LPE to root, copy PHP shell into a suitable web directory to use for further exploitation
So, we have many ways to get PHP level access
Now it’s time for LPE!
Local Privilege Escalation
Now that we have valid PHP / httpd access on the box, can we get root?
Local privilege escalations are vulnerabilities that allow a non-privileged user to become root.
Use user-level access to determine system information, version, packages, etc.
Head to exploit-db.com (or elsewhere)
Root. It does a body good.
Nothing quite like the feel of a freshly popped box
LFI Protections
Activate magic quotes (note: magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, so this only applies to older installs)
Configure open_basedir to only read into the web folder and /tmp
Sanitize user input by parsing out '/', '.', and '%00' for starters
Remove Apache read permissions on access.log
Monitor /tmp for file additions (/tmp is read/write to everyone)
Use static includes instead of dynamic ones if possible:
if ($_GET['file'] === 'mypage') { include('mypage.php'); }
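The whitelisting slide ("Most secure LFI - Whitelisting") and the static-include tip above describe the same idea: the request may select a page, but never build a path. This added example (not the talk's code) puts the two together; the page names, the pages/ directory and the resolve_page() helper are constructed for illustration, and it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the talk): a whitelisted page include. The
// request value is only ever used as a lookup key; the path that reaches
// include() comes from this table, never from the client. Page names and
// the pages/ directory are constructed for the example.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Hypothetical helper: returns the file to include for this request, or null
// when the requested page is not in the whitelist. Lookup is exact: "home%00",
// "../home" or "HOME" are not normalised or stripped, they simply miss the table.
function resolve_page(array $request, string $base_dir): ?string
{
    $key = $request['page'] ?? 'home';
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        // Rejected values are worth logging: they are exactly the probes an
        // access-log review looks for. Hex-encode so the value cannot inject
        // newlines or null bytes into the log itself.
        error_log('rejected page parameter: ' . bin2hex(is_string($key) ? $key : ''));
        return null;
    }
    // Second layer: the resolved file must still sit inside $base_dir, which
    // catches a misconfigured table entry as well as a bad request.
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET, __DIR__ . '/pages');
if ($path === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $path;
```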
Questions?
Q&A Time
Join us in #exploit206 on freenode
Capture the flag, polish your skills, stay up all night!
#exploit206 internot CTF writeup
http://dl.dropbox.com/u/18949146/Exploit206_HaxMe05_WriteUp_2.pdf
Thanks!
Thanks for listening
Get involved with CTF challenges: #exploit206 on freenode
Resources:
http://ddxhunter.wordpress.com/2010/03/10/lfis-exploitation-techniques/
Glibc LPE http://news.ycombinator.com/item?id=1810291
http://zentrixplus.net/blog/lfi-tutorial-phpinput/
www.sh3ll.org for php shells