terça-feira, 3 de janeiro de 2012

Acunetix LFI Pos Exploitation - Downloading Files Structure Part 1 (En-Us)

Hi folks!

In this article we will show a very interesting feature of Acunetix: the HTTP fuzzer. In addition to be used as a fuzzer  for web applications and the HTTP protocol itself, it can also be used to effectively exploit a common security flaw: Local File Include or LFI for short. If you are not familiar with this bug, a reference can be found at the end of this document.

Let's get it started: The feature can be located on the left side of Acunetix main screen, as shown below:

Understanding the fuzzer and setting the url:

We will not use the fuzzer as a scanner, the idea here is to use the fuzzer to extract as much information as possible from the target host.

On the Fuzzer's main screen is shown a typical HTTP request

GET http://hostname/path HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*

We will use this space to set up our request in order to exploit the LFI, moreover, as the field is free to edit, we can add and/or change the headers. At this point you should already know the URL of LFI, as exemplified below:

GET http://lfi.dc/lfi.php?pag= HTTP/1.1
User-Agent: Mozilla/4.0 (DcLabs)
Accept: */*

Therefore, to explore the LFI the url http://lfi.dc/lfi.php?pag= should be used, where "pag" is the vulnerable variable. The value of User-Agent field was changed only to show that the headers can be changed/added without any problems.

Creating and configuring the Generators

As this is a fuzzer, of course it must generate strings, integers, repeated chars and other functions, but as stated above, we will not scan or fuzzer or anything, thus let's take a new role for the generators, we need first to create two generators, of course more complex attacks will require more generators.

Character generator File and repeater

As its name implies, the Character repeater will repeat a character or string as many times as we want. So let's fill in the fields for the creation, use intuitive names for each generator, when you have several, knowing what they do can be really tricky. The default name generated by Acunetix is Gen_N, where N is a sequential number.

Name: dotslash => Intuitive Name
Character / String: .././ => If you do not know why we are using the string "../../", I suggest you to read the LFI reference.
Initial count: = 1> Will start the process with the given string ../../
Final count: 2 => Maximum repetitions for the string ../../
Increment: 1 => string increment counter
Encoding: None

This generator was set to a classic LFI attack, so, the field Initial count must be configured according to the amount of "dotslashs" found to exploit the bug. No need to encode the string in this case, so the Encoding field is set to None. Use of base64encoding and URL is a good option to evade possible filters. The second generator (File Generator) will read information from a txt or xml file line by line, so we will use a list of filenames that probably exist in the server attacked.
A simple idea to create this list is to run this command on several linux  flavors with a lot of installed applications, such as Apache, mysql, wordpress, Cacti, Nagios, Oracle and others.

find / -type f > wordlist.txt

The wordlists then was appended and removed identical lines, additionally, the leading "/" was removed too because the string "../../" was used.

Completing the fields of this generator:

Name: filenames_wordlist => Intuitive Name
Fileaname: wordlist.txt => Wordlist name
Filetype: txt => Wordlist extension
Encoding: none => No need this time

After the generators were properly both, created and configured, you must add them to the HTTP request:

Position the cursor just after pay= select the generator dotslash and click Insert Into Request, repeat the process for filenames_wordlist.
The result should be something like this:

GET http://lfi.dc/lfi.php?pag=${dotslash}${filenames_wordlist} HTTP/1.1
User-Agent: Mozilla/4.0 (DcLabs)
Accept: */*

Before starting the operation, it is interesting to notice that the filters are designed to separate only relevant results of the attack. This can be created by Fuzzer Filters. Acunetix brings two filters by default, Include Internal Server Error and Invalid username / password combination, the second filter for LFI case is not necessary, just mark and delete it.

Creating and configuring filters:

Rule Description: Failed to open => intuitive name for the filter
Rule type: Exclusion => If the request matches the rule, it will be removed from the report

Apply to: Response => Where the rule will make the match, in which case it will look the string's size in any response sent by the server.
Regular Expression: failed to open stream => This field is populated with the string that will match with the response from the server and removed from the final report, I chose the string "failed to open stream" because it is a generic PHP error when a file is not found, have no access permission or any other reason why the file can not be read:

Permission error:Warning: include(../../../etc/shadow) [function.include]: failed to open stream: Permission denied in /var/www/t.php on line 6

Warning: include() [function.include]: Failed opening '../../../etc/shadow' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/t.php on line 6

File not found:Warning: include(../../../etc/dclabs) [function.include]: failed to open stream: No such file or directory in /var/www/t.php on line 6

Warning: include() [function.include]: Failed opening '../../../etc/dclabs' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/t.php on line 6


Therefore, many possibilities will be filtered with a single rule, once done, click Add.
If you need to change the rule, select the desired rule and click update.

Remembering that this rule was made to handle a generic PHP error. Codes where the treatment is done by the programmer are likely to be found, your filter must be adjusted according to the error message returned by the application on this cases.

Ok, now just click on start and reap the files found on the target server.

There's other trick that I will show in the next post. I decided to split in two parts so that the article does not become tiring.

The HTTP Fuzzer is part of the free version of Acunetix.
I made also a video showing the tool running with a smaller wordlist: http://youtu.be/z357C_8H3Mc

The next step, in addition to Part 2, is to write a code that does this same job integrated with Metasploit.

LFI referencehttp://hakipedia.com/index.php/Local_File_Inclusion

Any questions #dclabs @ freenode
Twitter: @crashbrz
Thank's all for english revision
Cya folks!

Nenhum comentário:

Postar um comentário