Shulou(Shulou.com)05/31 Report--

This article will explain in detail how to raise rights from User-Agent to RCE by constructing LFI request header content. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

The following successfully implements the lifting of rights from local file inclusion vulnerabilities (LFI) to remote code execution vulnerabilities (RCE) by constructing the content of the request User-Agent.

Discover LFI vulnerabilities

The following is the Contact Us link path of the target website:

Https://www.website.com/index.php?pg=contact.php

Through the fuzz of the pg parameter, I found that there is a LFI vulnerability, which can read the system password information directly with.. / etc/passwd:

Https://www.website.com/index.php?pg=../../../../etc/passwd

From LFI to RCE

To elevate LFI to RCE, I found another readable path / proc/self/environ, so I have the following structure:

Https://www.website.com/index.php?pg=../../../../proc/self/environ

Well, as you can see from its output, it contains some environment variable parameters such as HTTP_USER_AGENT:

Yes, open BurpSuite and use the system () method to change the User-Agent value in the request:

User-Agent:

No, it doesn't work. Try the exec () method again:

User-Agent:

It doesn't work either. It doesn't work. Then try using phpinit ():

User-Agent:

After messing around for a while, I almost forgot that I could write to the target website server, so I constructed the following Payload in the User-Agent header:

User-Agent: Payload that explains the above construction

The final Payload used by the above construction is a base64-encoded webshell, and the original code file exists in the Github library-https://github.com/alita-ido/PHP-File-Writer/blob/master/lfi-writer.php, which looks like this:

$a = base64_decode ('webshell_base64_encoded_code_here')

Then we wrote a file called nadeshot.php to the server:

$file = fopen ('nadeshot.php','w')

The server then writes the above base64-encoded file to the nadeshot.php file:

Echo fwrite ($file,$a)

Then save the file:

Fclose ($file)

The BurpSuite action after the above request Payload executes is as follows:

The response was successful. Hope our Webshell can be successful, visit https://website.com/nadeshot.php to try:

Webshell was successfully written and saved for nadeshot.php. Great, let's continue to write the nadeshot.txt file into it:

Then visit https://website.com/nadeshot.txt, which is also valid:

In this way, the lifting of rights from LFI to RCE has been successfully realized.

On how to construct User-Agent request header content to achieve LFI to RCE rights sharing here, I hope the above content can be of some help to you, you can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.