Gaining Shell Access From LFI Vulnerabilities - Method 1

Lecture Transcript - Gaining Shell Access From LFI Vulnerabilities - Method 1

So local file inclusion is really good because it allows us to read files on the server, and we might be able to read files with passwords or sensitive information. What would be really great is if we could actually gain full access or full control over the target server using local file inclusion vulnerabilities. So in this lecture, we'll see how we can get a reverse shell by exploiting the local file inclusion vulnerability that we've seen in the previous lecture.

So because they allow us to read files on the server, if we manage to write anything on that server, then we can write some malicious code and then browse to it and get that code executed. So this is exactly what we're going to try to do.

There is a number of methods to achieve that. Usually it's done using the log files, because the log files usually register or write stuff that happens on the server. So you can try to log in with a username, but instead of putting a username, you put PHP code, or you can try to send an email and then instead of the email, put code, and then try to browse these log files and the PHP code will be executed.

The first method that we're going to have a look at, though, is going to exploit the environ variable. So this is basically a file that contains an array of information about the current environment.

So let's just have an example of this quickly. Right here I am on my Kali machine. I'm not attacking anything, I'm not on any server, and I'm just going to see what the content of that file is. So this file exists in all Linux operating systems. So I'm just going to open that file right now using the cat command, and as you can see, you'll see a number of environment variables that are related to the current environment.

So what we're going to do now is we're going to try to open this file here in my browser instead of the passwd file. So it's going to be /proc/self/environ. OK, I'm going to hit enter. And as you can see, again, we can see an array of variables about the current environment.

What's interesting here is this variable, so we can see that the user agent is being sent and it's being displayed right here. Now, the user agent basically is the current browser used by the user. The website thinks that I'm using Firefox, which is correct, and that's because Firefox, every time you open a website, actually tells the website what browser it is. So this happens on our website. So this is actually sent from the client, so we can actually modify this value. And what we're going to try to do is we're going to modify the user agent value and we're going to place code that will give us a reverse shell.

Before we do that, let's make sure that the code will be executed on the server. So we're going to send just normal code that will display information. So I'm going to turn on my interceptor now. I showed you how to set up a proxy, so if you don't know how to do that, go back to that lecture and see how you can set up a proxy. So I just turned on the interceptor and I'm going to browse the exact same URL. And right here, if we go on the headers, you'll see that Firefox is sending the user agent right here, and it's sending it as Mozilla 5, whatever.

So what we're going to do is we're going to modify this value and we're going to put PHP code, and the code I'm going to put is very simple. It'll basically just display information. So it's a function called phpinfo. And then I'm going to forward this packet. And as you can see, the PHP code got executed on the website, on the target website. This means if we send malicious code to this website, we will actually be able to gain full access, or we can get our code to be executed.

Now, you can literally send any code you want. You can send code to list files, you can send code to upload a file, or you can send one of the codes that we used before to gain a reverse connection. So that's what I'm going to do. I'm going to use the exact same code that we used before in the previous lectures to gain full control over the target computer.

So I'm actually just going to type it down here in the terminal and then I'm going to copy it. So we're going to be using passthru, and we're using netcat, and then I'm going to put my IP address, and I'm going to use the port, which, in this attack, is going to be 8888, and then we put the semicolon. So it's the same, it's just the function we used in the code execution lecture. So I'm literally just going to copy this and I'm going to inject it as the user agent.

Now, before I do that, I'm going to listen on port 8888 for connections. So we're going to use the same code that we used before, again with netcat. And now we're listening for connections, we have our interceptor on, I'm going to browse the website, I'm going to hit enter and I'm going to modify the user agent. Again, don't forget to put the question marks here, because I only put the code there, so we have the opening and the closing for PHP and then we put our code, which is the passthru code, and then /bin/sh, our IP, followed by the port that we're listening on. I'm going to hit enter and I'm going to forward.

And as you can see, we got a connection back using the local file inclusion vulnerability. Now I can browse files, I can do ls, I can do id, and I can pretty much do anything I want on the server now that I have full access.

So we were able to convert a local file inclusion vulnerability, which can only show you files, or can only allow you to read files on the server. We were able to convert that and exploit it to get full access to the target server, and that was possible because we were able to write to the /proc/self/environ variable, which displays our user agent, and by changing the user agent to our code, we were able to run any code that we want.

