Local File Inclusions to Remote Code Execution
Local file inclusion (LFI) is a type of attack in which an attacker tricks the web application into including files from the web server by exploiting functionality that dynamically includes local files or scripts. A successful attack can lead to disclosure of sensitive files on the server and, by several routes, to remote code execution. I will give a proof of concept using a vulnerable server found on TryHackMe. The room gives beginner penetration testers and ethical hackers a good foundation in local file inclusion attacks.
Let's begin:
We start with an Nmap scan to determine which port the web server is running on.
The Nmap results show that only port 80 is open, so let's take a look at the web server in a browser.
Following the first link, LFI Walkthrough 1 (Basics):
We get a web page running PHP, but it seems to use a parameter to select which page to include. The TryHackMe walkthrough gives you a hint to use “?page=”.
If the parameter weren't given, you could fuzz for it with WFUZZ, a tool available on Kali Linux, as I'll demonstrate below. I'll use a wordlist from SecLists, which I downloaded from GitHub.
When the parameter is added to the URL and user input is supplied to it, the input is displayed on the page.
Now let's see if we can read files from the server. I'll read the passwd file (/etc/passwd), which is common to all Linux systems.
Voila! We are able to view sensitive files that we normally aren't allowed to see.
Local File Inclusion using Directory Traversal
Directory traversal is an attack that allows attackers to access restricted directories and execute commands outside of the web server's root directory or other intended paths. In our case we'll view a file one directory up that contains a credit card number. We'll be using the second link, LFI Walkthrough 2 (Using Directory Traversal).
Voila, we are able to view the contents of that page.
REMOTE CODE EXECUTION USING LOCAL FILE INCLUSION AND LOG POISONING
An attacker attempts to inject malicious input into the server's log files and then include those logs through the LFI to gain remote code execution. Some of the log files into which malicious code can be injected are listed below.
For the purpose of this demonstration I'll be using /var/log/apache2/access.log.
I'll be using the third link, LFI Walkthrough 3, for the demonstration. I'll intercept the request using Burp Suite, a tool that comes preinstalled on Kali Linux, and modify the User-Agent header to inject malicious input into the server log; including that log through the LFI then leads to remote code execution. Highlighted is the malicious input that gets stored in the access log and leads to remote code execution.
Now, including the access log file through the LFI in Burp Suite and passing the parameter that was used in the injected PHP code, followed by a Linux system command, we see in the response:
Boom, we get code execution. Now let's go a step further and upload a reverse shell to the server to get a remote shell on our computer. Ensure that the PHP reverse shell has your IP address and port correctly configured.
Start a web server on your local box and use wget on the target to download the PHP shell from our local box to the server. Now set up a netcat listener on our local machine for the PHP shell to connect back to.
Now we execute the PHP script on the server to get a connection back to our machine.
And boom, we have a shell on our local machine. Now let me upgrade the shell so that it becomes fully interactive.
Now we get the flag.
And we are done with the box. I hope you've learnt something.
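Seen from the defender's side, every step of the chain above (traversal in the page parameter, the passwd read, the PHP tag planted in the User-Agent, and the later include of access.log itself) lands in the same Apache access log. The following scanner is an added example written for this post, not code from the TryHackMe room; the log lines, IPs and timestamps are constructed, and the indicator patterns are a starting point rather than a complete ruleset.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Indicators for the chain in this walkthrough: traversal in the include parameter,
# reads of sensitive files or of the log itself, and PHP tags landing in logged fields.
TRAVERSAL = re.compile(r'\.\.[/\\]|%2e%2e(%2f|/)|\.\.%2f', re.IGNORECASE)
SENSITIVE_PATHS = ('/etc/passwd', '/var/log/', '/proc/self/')
PHP_TAG = re.compile(r'<\?')  # catches <?php and short tags; tune if referers may carry XML

@dataclass
class Finding:
    host: str
    reason: str
    line: str

def analyse_line(line: str) -> List[Finding]:  # findings for one combined-format line
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable line: skip it rather than abort the whole scan
    host, request = m.group('host'), m.group('request')
    findings = []
    if TRAVERSAL.search(request):
        findings.append(Finding(host, 'traversal sequence in request', line))
    if any(p in request.lower() for p in SENSITIVE_PATHS):
        findings.append(Finding(host, 'sensitive path in request', line))
    for field in ('agent', 'referer', 'request'):
        if PHP_TAG.search(m.group(field)):
            findings.append(Finding(host, f'PHP open tag in {field} (log poisoning)', line))
    return findings

def analyse_log(lines: Iterable[str]) -> List[Finding]:
    return [f for line in lines for f in analyse_line(line)]

# Constructed sample lines (not from the box); the IPs and timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]
if __name__ == '__main__':
    for f in analyse_log(SAMPLE_LOG):
        print(f'{f.host}: {f.reason}')
```

A poisoned User-Agent followed shortly by an include of the log path from the same host is the sequence worth alerting on; the fix on the application side is to restrict the page parameter to an allowlist of known files rather than passing it to include().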