Local File Inclusion (LFI)

Local File Inclusion

• If your path looks like a file/folder.. you might find an LFI

• Keep trying combinations until you find one.

• Or google/searchsploit a known LFI

• REF: PhpTricks, WebInjections, PFSenseRemoteExec, CharEvasion

LFI Likely:
http://$IP/dept/manage.php?notes=files/nineveh.txt

Testing:
http://$IP/dept/manage.php?notes=files/../../../../etc/passwd
http://$IP/dept/manage.php?notes=files/../../../../../../../etc/passwd
http://$IP/dept/manage.php?notes=/myNotes/../../../etc/passwd

Automation

• Automate LFI Enumeration/Discovery.

• Good to add to the tool-belt when you're looking to see what sensitive files exists and are readable once you've found a LFI vulnerability. It also includes a Mode (ICE-Breaker) to scan a potential target using an encoded path traversal list - which helps in LFI discovery.

• https://www.reddit.com/r/oscp/comments/9fxhbp/helpful_local_file_inclusion_tool_fi/

Whoami Home SSH:

Code exe with 'environ'

• If you have access to 'environ' - you might have code execution

• Burp > Repeater > /proc/self/environ

Fuzzing LFI

• Burp > Intercept > Send to Intruder > Positions

• Clear & Add: $attack$

• https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI

• REF: Fuzzing

RFI from LFI (php cookies)

• If you can locate the 'session' cookies

• You may be able to inject them into Burp Repeater to get an Execution

Directory Traversals

NULL BYTE

• %00 ..URL-encoded

• Adding a NULL BYTE will get rid of suffix (on older systems)

• Works well in Perl and older versions of PHP (solved since 5.3.4)

• Scenario: Server is adding .png automatically to your page

Netcat Tricks

• Find all files on host.. send to remote

• REF: ReverseShell, CharEvasion, LFI