-->
Local File Inclusion Exploitation Alongside Burp

Local File Inclusion Exploitation Alongside Burp

Local File Inclusion Exploitation Alongside Burp

Local file inclusion is a vulnerability that allows the assailant to read files that are stored locally through the spider web application.This happens because the code of the application does non properly sanitize the include() function.So if an application is vulnerable to LFI this agency that an assailant tin harvest information almost the spider web server.Below you lot tin encounter an illustration of PHP code that is vulnerable to LFI.
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
Vulnerable Code to LFI

In this article nosotros volition job the mutillidae every bit the target application inwards lodge to exploit the local file inclusion flaw through Burp Suite.As nosotros tin encounter together with from the adjacent screenshot the user tin choose the file elevate together with he tin sentiment the contents of this but yesteryear pressing the sentiment file button.
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
Location of LFI on the Web Application

So what nosotros volition produce is that nosotros volition effort to capture together with manipulate the HTTP asking amongst Burp inwards lodge to read organization files.
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
Capturing the HTTP Request

As nosotros tin encounter from the inwards a higher house request,the spider web application is reading the files through the textfile variable.So nosotros volition effort to alter that inwards lodge to read a organization directory similar /etc/passwd.In lodge to arrive at that nosotros bring to leave of absence of the spider web directory yesteryear using directory traversal.
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
HTTP Request Modification – /etc/passwd

We volition frontwards the asking together with forthwith nosotros tin banking concern fit the reply on the spider web application every bit the adjacent icon is showing:
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
Reading the /etc/passwd

We bring successfully read the contents of the /etc/passwd file.Now amongst the same procedure nosotros tin dump together with other organization files.Some of the paths that nosotros mightiness desire to effort are the following:
  • /etc/group
  • /etc/hosts
  • /etc/motd
  • /etc/issue
  • /etc/mysql/my.cnf
  • /proc/self/environ
  • /proc/version
  • /proc/cmdline
Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
/etc/group contents

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
etc/hosts contents

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
motd

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
/etc/issue contents

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
mysql configuration file

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
/proc/self/environ

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
/proc/version contents

Local file inclusion is a vulnerability that allows the assailant to  read files that are second Local File Inclusion Exploitation With Burp
/proc/cmdline contents

Conclusion
As nosotros saw the exploitation of this vulnerability doesn’t involve whatsoever item science but but noesis of well-known directories for unlike platforms.An assailant tin respect a large sum of information for his target through LFI but yesteryear reading files.It is an sometime vulnerability which cannot hold upwards seen rattling oftentimes inwards modern spider web applications.
Blogger
Disqus
Pilih Sistem Komentar

No comments

Advertiser