HellBound Hackers | Computer General | Web hacking

Author

need help with lfi


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 15-03-09 23:01
Hi all!
Let's say (it's all theory, I am testing locally Pfft) that I have a php script like:
<?php
// 'file' is taken straight from the query string and appended unfiltered (vulnerable by design, as described in the post)
$handle = fopen("/blah/blah/".$_GET['file'], "r");
// echo file contents
fpassthru($handle);
fclose($handle);
?>
First of all, the server's /etc/passwd file permissions allow me to see all the accounts on the machine:
www.target.com/show_file.php?file=../../../../../../etc/passwd (shadowed password of course)
even
www.target.com/show_file.php?file=../../../../../../usr/bin/ls
returns something.
Where I need help is the latter, is it possible to run commands 'with' arguments?
What kinds of attack(s) could I perform using fopen?
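The script in the opening post, rewritten as an added example (not code from the thread or from HellBoundHackers) to show the vulnerable form next to a contained one. Both functions take the base directory as a parameter; the names `show_file_vulnerable`, `resolve_contained_path` and `show_file_contained` are this example's own, and the self-check at the bottom builds a throwaway directory under the system temp path rather than assuming any real `/blah/blah`.

```php
<?php
// Added example, not from the thread. Shows why the posted script discloses
// arbitrary files and how to keep a file-serving endpoint inside one directory.

// --- 1. The vulnerable form, as posted -------------------------------------
// $_GET['file'] is concatenated unchecked, so "../../../../etc/passwd" walks
// out of the base directory. readfile()/fopen() only copy bytes to the
// client: they disclose a file's contents, they never execute it.
function show_file_vulnerable(string $base, string $file): void
{
    readfile($base . '/' . $file);
}

// --- 2. A contained form ---------------------------------------------------
// realpath() collapses "..", "." and symlinks into a canonical absolute path;
// anything that does not land inside $base is refused. Returns the resolved
// path, or null when the request is rejected.
function resolve_contained_path(string $base, string $file): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;                     // base directory itself is missing
    }
    if (strpos($file, "\0") !== false) {
        return null;                     // filesystem functions refuse NUL bytes anyway
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . $file);
    if ($target === false || !is_file($target)) {
        return null;                     // nonexistent, or a directory
    }
    // Containment check: the canonical target must start with base + separator.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                     // resolved outside the base: traversal
    }
    return $target;
}

function show_file_contained(string $base, string $file): void
{
    $path = resolve_contained_path($base, $file);
    if ($path === null) {
        http_response_code(404);
        echo "not found";
        return;
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}

// --- 3. Self-check with the inputs from the thread -------------------------
// Creates a temporary base directory holding one legitimate file and prints
// which requests the contained resolver accepts. Run it from the CLI.
if (PHP_SAPI === 'cli') {
    $base = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($base);
    file_put_contents("$base/readme.txt", "hello\n");

    $requests = [
        'readme.txt',                       // legitimate request
        '../../../../../../etc/passwd',     // traversal string from the thread
        './../../../../../bin/ls',          // traversal string from the thread
    ];
    foreach ($requests as $req) {
        $result = resolve_contained_path($base, $req);
        printf("%-35s => %s\n", $req, $result ?? 'REJECTED');
    }

    unlink("$base/readme.txt");
    rmdir($base);
}
```

Run with `php show_file_demo.php` (any file name): the first request resolves to the temp file, the two traversal strings print `REJECTED`. The prefix check is what matters; a naive `str_replace('../', '', $file)` is not equivalent, because it can be bypassed by nesting and does nothing about symlinks or absolute paths. For a real endpoint, also allowlist the extensions you intend to serve, since everything under the base directory remains readable.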
Author

RE: need help with lfi

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 15-03-09 23:08
Try passing arguments to any program.

Edit: oops typo




Edited by spyware on 15-03-09 23:18
Author

RE: need help with lfi

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 15-03-09 23:09
What exactly shows up when you fopen "ls"?


Author

RE: need help with lfi


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 15-03-09 23:50
Thanks for the quick response
First, I lied about fopen, the script uses readfile($_GET['file']) // well, I didn't lie, I just checked by LFI'ing the script...
By *.php?file=./../../../../../bin/ls
I get a lot of symbols at the top
and something like (I just picked a few lines from the middle)
Code

eport bugs to <%s>.
a33;bug-coreutils@gnu.orga33;?a33;%*lu a33;%-*s a33;User name too longa33;cannot read symbolic link %sa33;Group name too longa33;%s %*s a33;%-32s a33;  a33; -> a33;%*s, %*s a33;%s a33;%-8u a33;%-8.8s a33;reading directory %sa33;:
a33;totala33;coreutilsa33;/usr/share/localea33;QUOTING_STYLEa33;LS_BLOCK_SIZEa33;COLUMNSa33;POSIXLY_CORRECTa33;TABSIZEa33;--sorta33;.*~a33;David MacKenziea33;Richard Stallmana33;5.2.1a33;vdira33;--timea33;--quoting-stylea33;--indicator-stylea33;--formata33;invalid line width: %sa33;*=@|a33;invalid time style format %sa33;.a33;LS_COLORSa33;//DIRED//a33;//SUBDIRED//a33;--colora33;invalid tab size: %sa33;time stylea33;%Y-%m-%d %H:%M:%S.%N %za33;TIME_STYLEa33;posix-long-isoa33;%Y-%m-%d %H:%Ma33;targeta33;unrecognized prefix: %sa33;%Y-%m-%d a33;ls.ca33;founda33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;Bрю€гпю€эпю€∆пю€ 
пю€lсю€lсю€lсю€lсю€lсю€lсю€lсю€lсю€lсю€lсю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€Zсю€Zсю€Zсю€Zсю€Zсю€Zсю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€°рю€Hсю€Hсю€Hсю€Hсю€Hсю€Hсю€тю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€щсю€щсю€щсю€щсю€щсю€щсю€щсю€щсю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€псю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€~сю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€есю€ѓрю€ўсю€ѕсю€ѓрю€ѓрю€≈сю€Јсю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€ѓрю€≠сю€ѓрю€ѓрю€ѓрю€£сю€ѓрю€Щсю€ѓрю€Псю€ѓрю€~сю€Oью€ѕью€Eэю€зью€&эю€kью€С&€€ш&€€X'€€k(€€М)€€п#€€maina33;posix-a33;a33;a33;a33;a33;a33;a33;
a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;a33;dev_ino_popa33;.;€€;€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€ƒ7€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€a33;;€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€98€€.:€€:€€:€€х9€€98€€≈9€€\9€€ж9€€‘9€€98€€98€€с:€€98€€з:€€98€€98€€ќ:€€њ:€€∞:€€e:€€V:€€98€€98€€G:€€98€€a33;9€€98€€98€€98€€98€€98€€98€€Y?€€L?€€r?€€=?€€98€€о>€€’>€€∆>€€Ј>€€98€€÷?€€C9€€«?€€Ѓ?€€R9€€Я?€€Р?€€Б?€€0@€€!@€€@€€@€€ >€€>€€98€€98€€98€€98€€98€€98€€98€€?@€€ћ=€€Ж=€€w=€€#=€€=€€Є<€€j<€€[<€€$<€€k9€€a33;9€€)9€€<€€µ;€€Ґ;€€dereference-command-line-symlink-to-dira33;Try `%s --help' for more information.
a33;a33;Usage: %s [OPTION]... [FILE]...
a33;a33;a33;a33;List information about the FILEs (the current directory by default).
Sort entries alphabetically if none of -cftuSUX nor --sort.

a33;a33;Mandatory arguments to long options are mandatory for short options too.
a33;a33;a33;  -a, --all                  do not hide entries starting with .
  -A, --almost-all           do not list


Author

RE: need help with lfi

SySTeM
Member


Posts: 1524
Location: England, UK
Joined: 27.07.05
Rank:
HBH Guru
Posted on 16-03-09 00:00
F1L0s0F3R_gr wrote:
Thanks for the quick response
First, I lied about fopen, the script uses readfile($_GET['file']) // well, I didn't lie, I just checked by LFI'ing the script...
By *.php?file=./../../../../../bin/ls
I get a lot of symbols at the top
and something like (I just picked a few lines from the middle)
Looks like it's just cat'ing the ELF, so nothing's executing.


Author

RE: need help with lfi


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-03-09 00:59
OK.
That means there is no way I could run commands using readfile or fopen, true?
Author

RE: need help with lfi


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 16-03-09 01:06
If the site, or your site, allows the uploading of images you could insert some PHP into the image using something like this http://www.sb-sof. . .commenter/ and then LFI the image and the PHP will execute. Although I'm not sure if that's what you're looking for.




Edited by on 16-03-09 01:10
Author

RE: need help with lfi

spyware
Member



Posts: 4192
Location: The Netherlands
Joined: 14.04.07
Rank:
God
Warn Level: 90
Posted on 16-03-09 01:11
skathgh420 wrote:
If the site, or your site, allows the uploading of images you could insert some PHP into the image using something like this http://www.sb-sof. . .commenter/ and then LFI the image and the PHP will execute. Although I'm not sure if that's what you're looking for.


Readfile, not include.


