Tutorial: Local File Inclusion to Command Execution

By: Chilico
September 2, 2016
Some information in this article comes from the InfoSec Institute.

As you probably know, LFI attacks allow an attacker to view local files on a server, but they are not limited to that. With LFI we can also (sometimes) get a shell. There are several ways to manage that, and here I will focus on Apache logs: if the logs are readable, we can inject a PHP shell into them.

I have uploaded custom PHP code for this to a Metasploitable2 machine, so let's move on. Here is the proof that the LFI exists:

https://postimg.org/image/iiw65emeh/
https://postimg.org/image/xg4n6ezmx/

We are able to access different files hosted on the server.

Now I want to know whether the Apache logs are readable:

https://postimg.org/image/7ym8mthwp/

As you can see, the logs are readable, so we can try an injection.

I will use Burp Suite as a proxy to intercept the request and try the injection. A nice injection point is the User-Agent header.

https://postimg.org/image/c90wiemzt/

Also, for learning purposes, let's SSH into the 'victim' box and tail the logs to see what happens in real time.

https://postimg.org/image/tatqki1ux/

As we can see, our injection seems to happen without a problem.

Let's now navigate to the Apache logs again and see what happened.

https://postimg.org/image/7ponww549/

At the end of the logs we have a system warning: "Cannot execute a blank command in /var/log/apache2/access.log"

That means our injection worked, but it has nothing to execute yet. What we have to do at this point is add '&cmd=' at the end of the link, followed by the command we wish to execute.

https://postimg.org/image/fwgnogv6x/

As we already know, Linux systems come with netcat pre-installed, so let's use that to our advantage and create a reverse shell to our system.

https://postimg.org/image/4le003obt/

And that's it, we have our shell! Hope you like it; please add your comments below.
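
From the defender's side, the steps above leave two traces in the access log: PHP code in the User-Agent field and a request that points the include parameter at the log file. The following Python scanner is an added example, not part of the original article; the script name `lfi.php`, the `page` parameter and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + r'$'
)
PHP_TAG = re.compile(r'<\?(?:php|=|\s)', re.IGNORECASE)
LOG_PATH = re.compile(r'/var/log/|(?:access|error)[._]log', re.IGNORECASE)

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (handles double-encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines):
    """Return (line_number, client, [reasons]) for every suspicious entry."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED.match(line.rstrip("\n"))
        if not match:
            # Injected content can break the log format; still look for PHP tags.
            if PHP_TAG.search(line):
                findings.append((number, None, ["php-tag-in-unparsed-line"]))
            continue
        client, request, _status, referer, agent = match.groups()
        request = fully_unquote(request)
        reasons = []
        if PHP_TAG.search(agent):
            reasons.append("php-tag-in-user-agent")
        if PHP_TAG.search(request) or PHP_TAG.search(referer):
            reasons.append("php-tag-in-request-or-referer")
        if LOG_PATH.search(request):
            reasons.append("log-path-in-request")
        if reasons:
            findings.append((number, client, reasons))
    return findings

# Constructed sample lines (not taken from the article's screenshots).
SAMPLE = [
    '192.0.2.10 - - [02/Sep/2016:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [02/Sep/2016:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* placeholder */ ?>"',
    '192.0.2.66 - - [02/Sep/2016:10:02:00 +0000] "GET /lfi.php?page=%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=placeholder HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]
print(*scan(SAMPLE), sep="\n")
```

A hit on either rule is a reason to check whether the web server user can read its own logs and whether any script passes request parameters to an include.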