Mutt
Introduction
Local File Inclusion (LFI) is one of the most popular attacks against web applications. In this article we are not going to focus on what LFI attacks are or how they are performed; instead we are going to look at how a command shell can be obtained through this vulnerability.
From LFI to Code Execution
As you probably already know, LFI attacks allow attackers not only to view the contents of files on the server, but sometimes also to execute commands directly on the server itself. In other words, we can get a command shell. There are several ways to achieve this goal. In most cases, we will need to focus on the following:
- Server logs (Apache and SSH);
- Mail logs;
- File upload forms;
- The file /proc/self/environ.
For simplicity, we will use the following PHP code as the vulnerable web application:
Code:
<?php
// The page we wish to display
$file = $_GET['page'];
?>
This implementation can be found in the DVWA project.
The file /proc/self/environ
The technique we are going to explore first is the most common way of getting a shell from an LFI. The file located at /proc/self/environ contains several environment variables such as REMOTE_PORT, HTTP_USER_AGENT and others. On most Linux systems the file should not be readable by non-root users, which is why this technique is considered outdated and will not work on updated systems.
Assuming we are dealing with an outdated version of the OS, an attempt to view the file /proc/self/environ will result in something like the following:
For readability and convenience, I will be using Burp Suite to intercept, modify and analyze the requests. Let's go back to the same file and see what the request looks like:
As we can see, there is a variable called HTTP_USER_AGENT. This environment variable contains information about the web browser that was used to access the page; in this example, we can see that the Mozilla browser was used. Of course, we can change the value of our

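From the defender's side, the request pattern described above leaves a clear trace in the web server's access log: a traversal sequence in the `page` parameter, a request for /proc/self/environ, and a PHP open tag where a browser name should be. The following script is an added example written for this post (not code from the original post or from DVWA); it parses Apache combined-format log lines and flags those three indicators. The log lines, IP addresses and timestamps are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines for illustration; not taken from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /vulnerabilities/fi/?page=../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php echo 'x'; ?>"
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /vulnerabilities/fi/?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
"""

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing suspicious was seen."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so that single- and double-URL-encoded traversal sequences are both caught.
    path = unquote(unquote(m.group("path")))
    reasons = []
    if "../" in path or "..\\" in path:
        reasons.append("directory traversal in request")
    if "/proc/self/environ" in path:
        reasons.append("/proc/self/environ requested")
    # A PHP open tag in the User-Agent is the marker of the environ injection the post describes.
    if "<?php" in m.group("ua").lower():
        reasons.append("php open tag in User-Agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "status": m.group("status"), "path": path, "reasons": reasons}


def scan_log(text):
    """Run analyze_line over every line of an access log and collect the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["status"], "; ".join(finding["reasons"]))
```

A 200 status next to a /proc/self/environ request is the case worth paging on: it means the include actually succeeded, and the User-Agent of that same request is what was evaluated by PHP.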