2. Local File Inclusion Attacks

In the first LFI lab we saw a simple directory traversal used to read sensitive files such as /etc/passwd or /etc/hosts from the filesystem root, which tells us more about what is running on the server.

What we did is:

  • Proxied the lab traffic through Burp Suite.

  • Picked a request from the HTTP history dropdown in Burp Suite.

  • Sent that request to Repeater.

  • Changed the file target to ../../../../etc/passwd or ../../../../etc/hosts.

Great resource from GitHub: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion

  • PayloadsAllTheThings is essentially a master reference of payloads, explained per attack type.

When testing for local file inclusion, an error like the one below tells us the path did not resolve; the message also shows how the application resolved the path and where the script lives:

Warning: file_get_contents(etc/passwd): failed to open stream: No such file or directory in /var/www/html/labs/fi0x02.php on line 12

We can also try different encodings of the path to see whether any of them get through.

For that we would:

  • Select the inserted path part.

  • Right-click and choose Convert to.

  • From the next dropdown, select the encoding to apply.

Using ffuf to fuzz and then sending the findings into Burp Suite:

  1. First capture the request in HTTP history in Burp Suite.

  2. Copy the request to a file, e.g. api-req.txt.

  3. Fuzz with ffuf.

  4. Send the request to Repeater and use the discoveries.

LFI0x02

  • Check for recursive filters (a filter that strips ../ only once collapses ..././ back into ../):

GET /labs/fi0x02.php?filename=..././..././..././..././etc/passwd

  • Check for RFI (does the parameter accept a remote URL?):

GET /labs/fi0x02.php?filename=https://youtube.com

  • Read PHP source through the php://filter wrapper (from PayloadsAllTheThings):

php://filter/convert.base64-encode/resource=index.php

php://filter/convert.base64-encode/resource=..././db.php
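Defender's-side counterpart to the three checks above, as an added Python example (not the lab's PHP code and not from PayloadsAllTheThings): a single-pass ../ strip that the ..././ payload collapses back into ../, next to an allow-list resolver that rejects stream wrappers, remote URLs and URL-encoded traversal before it ever touches the filesystem. BASE_DIR, ALLOWED_PAGES and the reason labels are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed values standing in for the lab's include directory and page list;
# neither comes from the lab or from PayloadsAllTheThings.
BASE_DIR = "/var/www/html/labs/pages"
ALLOWED_PAGES = {"index.php", "about.php", "contact.php"}

# Anything that starts with a URL scheme or PHP stream wrapper (php://, https://, data:).
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def weak_filter(filename: str) -> str:
    """Single-pass removal of '../'. Stripping once is exactly what the
    '..././' payload defeats: each '..././' collapses back into '../'."""
    return filename.replace("../", "")


def recursive_filter(filename: str) -> str:
    """Repeat the strip until nothing changes, so collapsed segments are also
    removed. Still a blacklist, shown only to contrast with the allow-list."""
    while "../" in filename:
        filename = filename.replace("../", "")
    return filename


def hardened_resolve(filename, base_dir=BASE_DIR, allowed=ALLOWED_PAGES):
    """Allow-list resolver: returns (absolute_path, "ok") or (None, reason).

    Decode first so %2e%2e%2f and %252e%252e%252f are judged in decoded
    form, reject wrappers and URLs, refuse any '..' segment, canonicalise
    under base_dir, and finally require the file to be on the allow-list."""
    decoded = unquote(unquote(filename))            # single or double URL-encoding
    if "\x00" in decoded:
        return None, "null-byte"
    if SCHEME_RE.match(decoded):                     # php://filter, https://, ...
        return None, "scheme"
    if ".." in decoded.replace("\\", "/").split("/"):
        return None, "traversal"
    resolved = posixpath.normpath(posixpath.join(base_dir, decoded))
    if posixpath.commonpath([base_dir, resolved]) != base_dir:
        return None, "outside-base"
    if posixpath.relpath(resolved, base_dir) not in allowed:
        return None, "not-allowed"
    return resolved, "ok"
```

The reason label is what a defender would log and alert on; the weak and recursive variants are there only to show why stripping is the wrong model and an allow-list is the right one.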