[Owasp-austin] PHP LFI exploitation
travis+ml-owasp at subspacefield.org
Wed Aug 19 16:59:25 EDT 2009
Told James about this at the last meeting and figured others might be
interested too.
In the aftermath of the AT&T debacle, where they pushed out a PHP script
that had a local file inclusion vulnerability, there was some discussion
on reddit.
One of the posters mentioned two ways to exploit an LFI to execute
arbitrary PHP code on the server.
Basically, you tell the PHP script to include one of two files:
1) /proc/self/environ. This has the environment variables passed to
the process, which in the case of CGIs (and maybe PHP), contains
some user-specified data like the User-Agent field. By embedding
PHP code in the User-Agent or other client-controlled fields, you
get local code execution.
2) The log file for the server itself. Most www server log files
contain user-specified fields like Referer and User-Agent. Embed
PHP in those fields, then tell the app to include it, and again
you have local code execution.
I once saw a really sneaky but simple back door written in PHP.
Apparently the adversary had managed to get his own PHP uploaded to
the server, and it accepted a shell command to execute as a POST
parameter. The clever thing about this was that there were virtually
no logs of what happened; it didn't show the parameters in the log
file because they were POST parameters, and there was no shell history
because the PHP code's call to system() invoked a non-interactive
shell.
--
Obama Nation | My emails do not have attachments; it's a digital signature
that your mail program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john at subspacefield.org to get blacklisted.
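A defender-side check for the two vectors described in the post above, added here as an example and not part of the original message: it parses Apache combined-format access-log lines (the sample lines are constructed) and flags requests that reach for /proc/self/environ or the server's own log files, plus Referer/User-Agent values carrying a PHP open tag. The field names, regexes and finding labels are my own assumptions.

```python
import re

# Apache "combined" log format is assumed for the constructed sample below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP open tags planted in a client-controlled header (log poisoning).
PHP_TAG_RE = re.compile(r'<\?(php\b|=)', re.IGNORECASE)
# Include targets the post names (process environment, the server's own
# log files), typically reached via directory traversal in a parameter.
LFI_TARGET_RE = re.compile(
    r'\.\./|%2e%2e(%2f|/)|/proc/self/environ|/var/log/(apache2|httpd|nginx)/',
    re.IGNORECASE,
)

def classify(line):
    """Return (source_ip, findings) for one log line; findings is empty if benign."""
    m = LOG_RE.match(line)
    if not m:
        return ("?", ["unparseable-line"])
    findings = []
    if LFI_TARGET_RE.search(m.group("req")):
        findings.append("lfi-include-target")
    for field in ("referer", "ua"):
        if PHP_TAG_RE.search(m.group(field)):
            findings.append("php-tag-in-" + field)
    return (m.group("ip"), findings)

def scan(lines):
    """Return [(ip, findings)] for every line that triggered at least one finding."""
    hits = []
    for line in lines:
        ip, findings = classify(line)
        if findings:
            hits.append((ip, findings))
    return hits

# Constructed sample: one benign request, then the two vectors from the post.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2009:16:59:25 -0400] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    # Vector 1: PHP tag in User-Agent, then include of /proc/self/environ.
    '10.0.0.9 - - [19/Aug/2009:17:02:11 -0400] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php echo 1; ?>"',
    # Vector 2: PHP tag in Referer to poison the log, then include of the log file.
    '10.0.0.9 - - [19/Aug/2009:17:02:40 -0400] "GET /index.php?page=about HTTP/1.1" 200 1532 "<?=1?>" "Mozilla/5.0"',
    '10.0.0.9 - - [19/Aug/2009:17:02:58 -0400] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 98000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

Note that the poisoning request itself (the third sample line) looks like an ordinary page view apart from its Referer, so the header check is what catches it before the later include request appears.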