Saturday, July 26, 2014

[Pentester Lab] PHP LFI & Post Exploitation


Links:
Watch the HD video online: http://vimeo.com/f4l13n5now/phplfi

Method
  • Scanned the network to discover the target server [Net Discover]
  • Port scanned the target to determine the services running on it [Unicorn Scan]
  • Interacted with the web server, found the Local File Include (LFI) vulnerable point and a page with an upload function [Firefox]
  • Constructed and uploaded a PHP shell onto the web server (the server-side file validation has to be bypassed) [Burp proxy]
  • Gained remote access by running the PHP shell via the LFI vulnerability found before [Burp proxy]


Tools
All the tools used here can be found in Kali Linux.


Walk-through
By reading the training PDF, we know which kind of vulnerability should be targeted (this exercise focuses on the PHP include vulnerability).


Find the LFI weakness

The attacker interacts with the web server using the Firefox browser to render the web application on the target. The page turns out to be a call for papers for a conference. On the right-hand side is a navigation menu with “home” (the home page), “submit” (the paper upload form) and “login” (which asks the attacker to log in). The attacker notices that the URL parameter is “?page=submit” on the submit page and “?page=login” on the login page. Replacing the parameter value “submit” on the submit page with “./login” makes the web server return the login page, which means this parameter is the LFI vulnerable point. To double-check the vulnerability, the attacker constructs the URL “http://10.10.10.130/index.php?page=/etc/passwd” and retrieves the well-known Linux passwd file. The attacker also checks whether the server is vulnerable to RFI by constructing the URL “http://10.10.10.130/index.php?page=http://www.google.com/?”. However, the server returns an error message showing that remote file inclusion is currently turned off in PHP (allow_url_fopen = On but allow_url_include = Off).
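The following is an added example and not the Pentester Lab application's own code: it reconstructs a page dispatcher of the shape the walkthrough describes, first in the vulnerable form (the request parameter is passed straight to `include`) and then in a hardened form that maps the parameter to an allowlist of known pages. The function names, the `pages/` directory and the assumption that no suffix is appended to the parameter (consistent with `?page=/etc/passwd` returning the passwd file) are assumptions of this example.

```php
<?php
// Added illustration (not the lab's code) of the LFI the walkthrough finds.

// --- Vulnerable form ---------------------------------------------------
// ?page=./login   -> includes the login page (local file, works)
// ?page=/etc/passwd -> includes /etc/passwd, which is the LFI shown above
// ?page=http://... -> refused because allow_url_include = Off, which matches
//                     the error the author observed
function includePageVulnerable(string $page): void
{
    include $page;   // assumption: the original appends no suffix
}

// --- Hardened form -----------------------------------------------------
// The client never supplies a path. The parameter is only a key into a
// fixed table, so neither "../", absolute paths nor URLs reach include().
function resolvePage(string $page): ?string
{
    $pages = [
        'home'   => 'home.php',    // assumed file names under pages/
        'submit' => 'submit.php',
        'login'  => 'login.php',
    ];
    return array_key_exists($page, $pages)
        ? __DIR__ . '/pages/' . $pages[$page]
        : null;
}

function includePageSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Dispatcher entry point: default to the home page when no parameter is set.
includePageSafe($_GET['page'] ?? 'home');
```

On top of the allowlist, keeping `allow_url_include = Off` (as the lab already does) and restricting readable paths with `open_basedir` in php.ini limit what an include can reach even if a later change reintroduces a path-based parameter. Requests whose `page` value contains `../`, an absolute path or a URL scheme are worth alerting on in the web server access log, because legitimate users of such a menu never send them.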


Find the way to upload file (web shell) and the path where the uploaded file saved

On the submit page the attacker can only upload a PDF file (a whitelist and file-content validation run on the server side). The attacker fills in everything the form requires and submits a normal PDF file, after which a “successfully uploaded” page is shown. The attacker then logs in to the web server with the details he just provided in the submit form and finds that the uploaded PDF file is saved under the “uploads” folder.


Bypass file upload validation

The attacker can only upload a PDF file because a whitelist and file-content validation run on the web server side. However, many file-content validations only check the file header, i.e. the first few bytes of the file. So the attacker creates a fake PDF file (evil.php) that starts with a normal PDF header followed by the PHP shell code (here the attacker uses Pentest Monkey’s PHP reverse shell, which connects back from the target to the attacker). The attacker then uploads “evil.php” to the server. Because the code is only executed when someone visits the page, the attacker first starts a listener to wait for the PHP shell to connect in. When the attacker then browses to the uploaded file on the server via the LFI, the PHP code is executed and a connection is made back to the attacker. Now the attacker has an interactive shell on the target.
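As an added example (not the lab's code), the block below shows the header-only content check the walkthrough bypasses next to a stricter upload handler: the weak check accepts any file that begins with the PDF magic bytes, so a file that is `%PDF-` followed by PHP code passes it. The stricter handler keeps that check but also enforces the extension allowlist on the client-supplied name, rejects files containing PHP open tags, and stores the file under a server-chosen random name with a forced `.pdf` extension. Function names and the storage directory are assumptions of this example.

```php
<?php
// Added illustration (not the lab's code) of why a header-only check is
// insufficient and of a stricter validation.

// Weak check: compares only the first five bytes with the PDF magic value.
// A file that is "%PDF-" followed by PHP code passes this test.
function looksLikePdfHeaderOnly(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 5);
    fclose($fh);
    return $head === '%PDF-';
}

// Stricter handler for one entry of $_FILES. Returns the stored path, or
// null if the upload is rejected. $storeDir is assumed to be a directory
// outside the document root (or one where the PHP engine is disabled).
function validateAndStorePdf(array $file, string $storeDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension allowlist on the name the client sent: "evil.php" is refused
    // here before any content is inspected.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext !== 'pdf') {
        return null;
    }
    // Header check kept, but as one signal among several.
    if (!looksLikePdfHeaderOnly($file['tmp_name'])) {
        return null;
    }
    // The PHP engine executes a "<?php" tag wherever it sits in a file, so a
    // valid-looking header followed by code must still be rejected.
    $contents = file_get_contents($file['tmp_name']);
    if ($contents === false
        || stripos($contents, '<?php') !== false
        || strpos($contents, '<?=') !== false) {
        return null;
    }
    // Server-chosen name: the client's file name never reaches the disk and
    // the stored extension is always .pdf.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Usage (assumed form field name "paper" and storage directory):
// $stored = validateAndStorePdf($_FILES['paper'], '/var/app/uploads_private');
```

Note that a MIME check with `finfo` would not have helped here either, since libmagic also decides on leading bytes and reports `application/pdf` for the fake file. The controls that actually break the chain in this write-up are the two the example combines with the LFI fix: the uploaded file is never executable as PHP (no `.php` name, no PHP engine in the uploads directory) and the include parameter cannot be pointed at it.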
