pierre Posted July 5, 2017

Hello,

I am trying to execute a command on a server from an LFI. According to this article (http://resources.infosecinstitute.com/local-file-inclusion-code-execution/#gref), I could do it by managing the /proc/self/environ file.

But I can't even display its content on the page by requesting: http://192.168.1.1/DVWA/vulnerabilities/fi/?page=/proc/self/environ

It appears that the associated rights are: -r-------- 1 test test 0

So it is normal that www-data can't see it, no?

digininja Posted July 5, 2017

Did you read this line?

> This is why this technique is old and on upgraded systems, it will not work.

digip Posted July 6, 2017

There are several versions of DVWA out there in CTFs I've seen. If you're using one that has this protected/patched against, you will need to use a different attack method like uploading a reverse shell if local file inclusion for certain files is blocked or just not vulnerable to in general. Also DVWA has several levels. Try lowering the level to low or medium, if you are not already.

Some links that might help:

https://highon.coffee/blog/lfi-cheat-sheet/#procselfenviron-lfi-method
http://tech.joshuacummings.com/2015/11/dvwa-19-file-inclusion-medium-and-high.html
http://hacksys.vfreaks.com/pen-testing/damn-vulnerable-web-app-local-file-inclusion-lfi.html

pierre (Author) Posted July 6, 2017

13 hours ago, digininja said:
> Did you read this line?

Oops

7 hours ago, digip said:
> There are several versions of DVWA out there in CTFs I've seen. If you're using one that has this protected/patched against, you will need to use a different attack method like uploading a reverse shell if local file inclusion for certain files is blocked or just not vulnerable to in general. Also DVWA has several levels. Try lowering the level to low or medium, if you are not already.
>
> Some links that might help:
>
> https://highon.coffee/blog/lfi-cheat-sheet/#procselfenviron-lfi-method
> http://tech.joshuacummings.com/2015/11/dvwa-19-file-inclusion-medium-and-high.html
> http://hacksys.vfreaks.com/pen-testing/damn-vulnerable-web-app-local-file-inclusion-lfi.html

Thank you, by reading these, it appears to me that the Apache user must not have root rights if we do not want an attacker (through Apache) to read whatever file this attacker wants :)

digip Posted July 6, 2017

1 hour ago, pierre said:
> Oops
>
> Thank you, by reading these, it appears to me that the Apache user must not have root rights if we do not want an attacker (through Apache) to read whatever file this attacker wants :)

I'd say test in a VM that has DVWA installed, and set the level to Low to test against, at least to learn LFI attacks. Some of them I've seen bundled with other CTF challenges, and on those machines, not all the DVWA stuff was wide open, so a standalone DVWA, maybe even the OWASP hosted version, might have all the holes open to play with. Just don't let the machine update or manually update anything, as these are designed to be vulnerable for learning purposes.

There are also a number of them on Vulnhub that have LFI vulns, so I'd work my way through their site's CTFs, which also have walkthroughs for a number of them if you get stuck. I couldn't tell you off the top of my head which ones have LFI, but in doing several of them, I do recall a number of them demonstrate and use this method to get the flags on them.
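
The permission reasoning in this thread (a file listed as -r-------- and owned by test is not readable by www-data, while a web server running as root would read anything), as an added Python example that is not part of any post. The uid/gid numbers are constructed (33 is the Debian default for www-data), and the functions model only the classic mode-bit check, not the extra kernel checks on /proc entries.

```python
import os
import stat

def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that applies to this caller.

    Exactly one class is used: owner if the uid matches, else group if one
    of the caller's groups matches, else other. Classes are never combined.
    """
    perm = stat.S_IMODE(mode)
    if uid == owner_uid:
        return (perm >> 6) & 7
    if owner_gid in gids:
        return (perm >> 3) & 7
    return perm & 7

def can_read(mode, owner_uid, owner_gid, uid, gids):
    """True if the caller passes the read check on the mode bits."""
    if uid == 0:  # root overrides mode bits (CAP_DAC_OVERRIDE on Linux)
        return True
    return bool(class_bits(mode, owner_uid, owner_gid, uid, gids) & 4)

def audit(paths):
    """For each path: (path, ls-style mode, owner uid, readable by this process)."""
    rows = []
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            rows.append((path, None, None, False))
            continue
        rows.append((path, stat.filemode(st.st_mode), st.st_uid,
                     os.access(path, os.R_OK)))
    return rows

# Constructed identities matching the listing quoted in the first post.
TEST_UID = TEST_GID = 1000          # assumed ids for user "test"
WWW_UID = WWW_GID = 33              # www-data on Debian/Ubuntu
ENVIRON_MODE = stat.S_IFREG | 0o400
ENVIRON_LS = stat.filemode(ENVIRON_MODE)   # "-r--------"

if __name__ == "__main__":
    for name, uid, gid in (("test", TEST_UID, TEST_GID),
                           ("www-data", WWW_UID, WWW_GID), ("root", 0, 0)):
        ok = can_read(ENVIRON_MODE, TEST_UID, TEST_GID, uid, {gid})
        print(f"{name:9s} can read {ENVIRON_LS}: {ok}")
    # Run this as the web server's account to see what it can actually open.
    for row in audit(["/proc/self/environ", "/etc/passwd", "/etc/shadow"]):
        print(row)
```

Running `audit` under the web server's own account shows what an inclusion bug in that server could reach; any sensitive path that comes back readable is exposure to fix with ownership and mode changes.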