Execute remote command from a LFI


pierre

Hello,

I am trying to execute a command on a server through an LFI.

According to this article (http://resources.infosecinstitute.com/local-file-inclusion-code-execution/#gref), I could do it by managing the /proc/self/environ file.

But I can't even display its content on the page by requesting: http://192.168.1.1/DVWA/vulnerabilities/fi/?page=/proc/self/environ

It appears that the associated rights are: -r-------- 1 test test 0

So it is normal that www-data can't see it, no?


There are several versions of DVWA out there in CTFs I've seen. If you're using one that has this protected/patched against, you will need to use a different attack method like uploading a reverse shell if local file inclusion for certain files is blocked or it's just not vulnerable in general. Also, DVWA has several levels. Try lowering the level to low or medium, if you are not already.

Some links that might help

 https://highon.coffee/blog/lfi-cheat-sheet/#procselfenviron-lfi-method 

http://tech.joshuacummings.com/2015/11/dvwa-19-file-inclusion-medium-and-high.html

http://hacksys.vfreaks.com/pen-testing/damn-vulnerable-web-app-local-file-inclusion-lfi.html


13 hours ago, digininja said:

Did you read this line?

 

Oops

 

7 hours ago, digip said:

There are several versions of DVWA out there in CTFs I've seen. If you're using one that has this protected/patched against, you will need to use a different attack method like uploading a reverse shell if local file inclusion for certain files is blocked or it's just not vulnerable in general. Also, DVWA has several levels. Try lowering the level to low or medium, if you are not already.

Some links that might help

 https://highon.coffee/blog/lfi-cheat-sheet/#procselfenviron-lfi-method 

http://tech.joshuacummings.com/2015/11/dvwa-19-file-inclusion-medium-and-high.html

http://hacksys.vfreaks.com/pen-testing/damn-vulnerable-web-app-local-file-inclusion-lfi.html

Thank you. By reading these, it appears to me that the Apache user must not have root rights if we do not want an attacker (through Apache) to read whatever file this attacker wants :)


1 hour ago, pierre said:

Oops

 

Thank you. By reading these, it appears to me that the Apache user must not have root rights if we do not want an attacker (through Apache) to read whatever file this attacker wants :)

I'd say test in a VM that has DVWA installed, and set the level to Low to test against, at least to learn LFI attacks. I've seen some of them bundled with other CTF challenges, and on those machines not all the DVWA stuff was wide open, so a standalone DVWA, maybe even the OWASP hosted version, might have all the holes open to play with. Just don't let the machine update or manually update anything, as these are designed to be vulnerable for learning purposes. There are also a number of them on Vulnhub that have LFI vulns, so I'd work my way through their site's CTFs, which also have walkthroughs for a number of them if you get stuck. I couldn't tell you off the top of my head which ones have LFI, but in doing several of them, I do recall a number of them demonstrate and use this method to get the flags on them.
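
From the defender's side, a request like the one in the first post stands out in the web server's access log. The following is an added example, not part of the thread or of DVWA: a small Python detector that flags absolute-path, traversal or null-byte values in the `page` parameter. The log lines are constructed sample data, and the list of include-related parameter names is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines (sample data, not from a real server).
SAMPLE_LOG = [
    '192.168.1.50 - - [10/Mar/2017:10:01:02 +0000] "GET /DVWA/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Mar/2017:10:01:09 +0000] "GET /DVWA/vulnerabilities/fi/?page=/proc/self/environ HTTP/1.1" 200 1310 "-" "Mozilla/5.0"',
    '192.168.1.50 - - [10/Mar/2017:10:01:15 +0000] "GET /DVWA/vulnerabilities/fi/?page=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1310 "-" "Mozilla/5.0"',
    '192.168.1.51 - - [10/Mar/2017:10:02:00 +0000] "GET /DVWA/vulnerabilities/fi/?page=file1.php HTTP/1.1" 200 1498 "-" "Mozilla/5.0"',
]

# client, request target and status from a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')
INCLUDE_PARAMS = ("page",)  # assumption: query parameters that reach include()

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so nested encoding cannot hide a path."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return the reason a parameter value looks like a file-inclusion probe, or None."""
    path = normalize(value)
    if "\x00" in path:
        return "null byte"
    if ".." in re.split(r"[/\\]", path):
        return "directory traversal"
    if path.startswith("/"):
        return "absolute path"
    return None

def find_lfi_attempts(lines):
    """Return (client, decoded value, status, reason) for each suspicious request."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for value in query.get(name, []):
                reason = classify(value)
                if reason:
                    hits.append((client, normalize(value), int(status), reason))
    return hits
```

A 200 status on a flagged request does not mean the file was read: as in the thread, the page can render normally while file permissions stop the include.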
