Tutorial: Local File Inclusion to Command Execution

September 2, 2016 | Views: 4499

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Some information from this article has been used from the InfoSec Institute

As you probably know , LFI attack’s allow the attackers to view local files on a server but is not limited to that. With LFI we can also get a shell (sometimes) . There is several ways to manage that and here i will focused on Apache logs. If the logs is readable we can inject a php shell in to it.

I have uploaded a custom php code for that to metasploitable2 machine.

So lets move on ….

 

Here is the prove that LFI exist

https://postimg.org/image/iiw65emeh/

https://postimg.org/image/xg4n6ezmx/

We are able to access different files hosted on the server……


Now I want to know if Apache logs are readable –

https://postimg.org/image/7ym8mthwp/
Right click –> open image in new tab for enlarged view.

As you can see logs are readable, so we can try an injection.


I will use burpsuite as a proxy to intercept the request and try the injection…a nice injection point is the User-Agent.

https://postimg.org/image/c90wiemzt/


Also for learning purposes lets ssh the ‘victims’ box and tail the logs to see what happened in real time.

https://postimg.org/image/tatqki1ux/

As we can see are injection seems to happen without a problem.


Lets now navigate again to apache logs and see what happend

https://postimg.org/image/7ponww549/

We can see at the end of the logs we have a system warning:

“Cannot execute a blank command in /var/log/apache2/access.log”


That means our injection work but it has nothing to execute at this point.

What we have to do at this point is to add the ‘&cmd=’ at the end of the link and execute the command we wish.

https://postimg.org/image/fwgnogv6x/


As we already know linux systems comes with netcat pre-installed so lets use that for our advantage and create a reverse shell to our system.

https://postimg.org/image/4le003obt/

And that’s it we have our shell !!!

Hope you like it , please add you comments below.

Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterGoogle+LinkedInEmail
Ready to share your knowledge and expertise?
6 Comments
  1. thanks a lot for that share. a video would be very much appreciated

  2. Please create a video also. Thanks.

  3. it’s look nice I will try, thanks

  4. good article, isn’t possible to make a video of your demo?

  5. Cool Bro This is a Very nice idea ^ Tnx Man and Keep going You are In The Right Path 🙂

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel