The definitive guide to LFI vulnerability security testing for bug hunting & penetration testing engagements.
The intent of this document is to help penetration testers and students identify and test LFI vulnerabilities on future penetration testing engagements by consolidating research on local file inclusion (LFI) testing techniques. LFI vulnerabilities are typically discovered during web app pen tests using the techniques contained within this document. Additionally, some of the techniques mentioned in this paper are also commonly used in CTF style competitions.
Main Chapters
- What is a Local File Inclusion (LFI) vulnerability?
- Identifying LFI Vulnerabilities within Web Applications
- PHP Wrappers
- LFI via /proc/self/environ
- Null Byte Technique
- Truncation LFI Bypass
- Log File Contamination
- Email a Reverse Shell
What is a Local File Inclusion (LFI) vulnerability?
Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.
The following is an example of PHP code vulnerable to local file inclusion (the file parameter is passed to include() unchecked):
<?php
$file = $_GET['file'];
if (isset($file)) {
    include("pages/$file");
} else {
    include("index.php");
}
?>
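As an added example (not code from the original article), the following shows the checks the vulnerable include above omits, written in Python so the logic can be run stand-alone; the pages directory, the extension allowlist and the length limit are assumptions chosen for the demonstration. The same approach carries over to PHP with realpath() and an allowlist of page names.

```python
import os
import re
from urllib.parse import unquote

# Assumed (hypothetical) include directory; it does not need to exist on disk,
# os.path.realpath still normalises the "../" components of a non-existent path.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_EXTENSIONS = {".html", ".php"}
MAX_PAGE_LENGTH = 64  # constructed limit; very long values are the truncation-bypass signature

# A leading "scheme:" (php:, expect:, zip:, data:, phar:, ...) selects a PHP stream
# wrapper instead of a file under the pages directory.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


class UnsafePage(ValueError):
    """The requested page parameter must not be passed to include()."""


def resolve_page(user_value: str, base_dir: str = PAGES_DIR) -> str:
    """Return the absolute file to include for ?file=<user_value>, or raise UnsafePage.

    user_value is the query parameter as the web server already decoded it once
    (what PHP's $_GET['file'] holds). The checks are the ones the vulnerable
    include("pages/$file") skips: reject wrappers, null bytes, absolute paths
    and anything that resolves outside base_dir.
    """
    if not user_value:
        return os.path.join(os.path.realpath(base_dir), "index.php")
    if len(user_value) > MAX_PAGE_LENGTH:
        raise UnsafePage("parameter too long")
    # "\x00" catches %00 after the server's decode; unquote() again catches the
    # double-encoded form %2500, which arrives as the literal text "%00".
    if "\x00" in user_value or "\x00" in unquote(user_value):
        raise UnsafePage("null byte in parameter")
    if WRAPPER_RE.match(user_value):
        raise UnsafePage("stream wrapper not allowed")
    if os.path.isabs(user_value):
        raise UnsafePage("absolute path not allowed")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    # commonpath (not startswith) so that "/var/www/app/pages-old/x" is not
    # mistaken for a file under "/var/www/app/pages".
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePage("path escapes the pages directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UnsafePage("file type not allowed")
    return candidate


def is_safe_page(user_value: str) -> bool:
    """Convenience wrapper: True when resolve_page() accepts the value."""
    try:
        resolve_page(user_value)
    except UnsafePage:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the payload shapes discussed in this document and two benign pages.
    for value in ["index.html", "about.php",
                  "../../../../../../../../etc/passwd",
                  "php://filter/convert.base64-encode/resource=/etc/passwd",
                  "expect://ls", "zip://path/to/file.zip#shell",
                  "/proc/self/environ", "/etc/passwd\x00", "/etc/passwd%00",
                  "A" * 200]:
        print(f"{value[:48]!r:52} -> {'accept' if is_safe_page(value) else 'reject'}")
```

Resolving the path with realpath() before comparing it to the base directory is what defeats traversal sequences and symlinks; the separate wrapper and null-byte checks are needed because those inputs never reach the filesystem layer as plain paths.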
Identifying LFI Vulnerabilities within Web Applications
/script.php?page=index.html
A penetration tester would attempt to exploit this vulnerability by manipulating the file location parameter, such as:
/script.php?page=../../../../../../../../etc/passwd
The above is an attempt to display the contents of the /etc/passwd file on a UNIX / Linux based system.
Below is an example of a successful exploitation of an LFI vulnerability on a web application:
PHP Wrappers
PHP has a number of wrappers that can often be abused to bypass various input filters.
PHP Expect Wrapper
PHP expect:// allows execution of system commands; unfortunately, the expect PHP module is not enabled by default.
php?page=expect://ls
PHP php://input
The php://input wrapper reads the raw request body, so the payload is sent in a POST request to the server such as:
/fi/?page=php://input&cmd=ls
Example using php://input against DVWA:
Request:
Web Application Response:
PHP php://filter
php://filter allows a pen tester to include local files and base64 encodes the output. Therefore, any base64 output will need to be decoded to reveal the contents.
An example using DVWA:
vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
Base64 decoding the string provides the /etc/passwd file:
php://filter can also be used without base64 encoding the output using:
?page=php://filter/resource=/etc/passwd
PHP ZIP Wrapper LFI
The zip wrapper processes uploaded .zip files server side, allowing a penetration tester to upload a zip file using a vulnerable file upload function and leverage the zip filter via an LFI to execute it. A typical attack example would look like:
- Create a PHP reverse shell
- Compress to a .zip file
- Upload the compressed shell payload to the server
- Use the zip wrapper to extract the payload using: php?page=zip://path/to/file.zip%23shell
- The above will extract the zip file to shell; if the server does not append .php, rename it to shell.php instead
If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass the file upload function (see: OWASP file upload testing document).
LFI via /proc/self/environ
If it's possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User Agent header is a possible vector. Once code has been injected into the User Agent header, the local file inclusion vulnerability can be leveraged to include /proc/self/environ and reload the environment variables, executing your reverse shell.
Useful Shells
Useful tiny PHP back doors for the above techniques:
<? system('uname -a');?>
Null Byte Technique
Null byte injection bypasses application filtering within web applications by adding URL encoded "null bytes" such as %00. Typically, this bypasses basic web application blacklist filters by adding additional null characters that are then allowed or not processed by the backend web application.
Some practical examples of null byte injection for LFI:
vuln.php?page=/etc/passwd%00
vuln.php?page=/etc/passwd%2500
Truncation LFI Bypass
Truncation is another blacklist bypass technique. By injecting a long parameter into the vulnerable file inclusion mechanism, the web application may "cut off" (truncate) the input parameter, which may bypass the input filter.
Log File Contamination
Log file contamination is the process of injecting source code into log files on the target system. This is achieved by introducing source code via other exposed services on the target system which the target operating system / service will store in log files. For example, injecting PHP reverse shell code into a URL causes the web server to create an entry in the apache access log for a 404 page not found. The apache log file would then be parsed using a previously discovered file inclusion vulnerability, executing the injected PHP reverse shell.
After introducing source code to the target system's log file(s), the next step is identifying the location of the log file. During the recon and discovery phase of penetration testing the web server and likely the target operating system would have been identified; a good starting point would be looking up the default log paths for the identified operating system and web server (if they are not already known by the consultant). FuzzDB's Burp LFI payload lists can be used in conjunction with Burp intruder to quickly identify valid log file locations on the target system.
Some commonly exposed services on Linux / UNIX systems are listed below:
Apache / Nginx
Inject code into the web server access or error logs using netcat; after successful injection, parse the server log file location by exploiting the previously discovered LFI vulnerability. If the web server access / error logs are long, it may take some time to execute your injected code.
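An added example, not from the original article, that turns the indicators discussed in this document (traversal sequences, PHP wrappers, null bytes including the double-encoded form, /proc/self/environ, PHP tags injected into the request line or User-Agent for log contamination, and oversized values from the truncation section) into a detector run over an Apache/Nginx combined-format access log. The log lines, IP addresses and the 255-character threshold are constructed for the demonstration; the PHP one-liner in the sample is the back door shown under Useful Shells above.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent".
# The request path is matched lazily because a poisoned request line may itself contain spaces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>.*?)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
WRAPPER_RE = re.compile(r"\b(?:php|expect|zip|phar|data|glob):", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
MAX_VALUE_LEN = 255  # constructed threshold for the truncation bypass described above


def lfi_indicators(url: str, user_agent: str = "") -> list:
    """Return the sorted indicator names found in one request (empty list if clean)."""
    found = set()
    decoded = unquote(unquote(url))  # second pass exposes double-encoded forms such as %2500
    if TRAVERSAL_RE.search(decoded):
        found.add("traversal")
    if WRAPPER_RE.search(decoded):
        found.add("php_wrapper")
    if "\x00" in decoded:
        found.add("null_byte")
    if "/proc/self/environ" in decoded:
        found.add("proc_self_environ")
    # PHP tags in the path or User-Agent: log contamination / environ injection attempt
    if PHP_TAG_RE.search(decoded) or PHP_TAG_RE.search(user_agent):
        found.add("php_code")
    try:
        pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    except ValueError:  # malformed URL; the other checks above still apply
        pairs = []
    for _name, value in pairs:
        if len(value) > MAX_VALUE_LEN:
            found.add("oversized_value")
    return sorted(found)


def scan_log(text: str) -> list:
    """Parse combined-format lines; return (ip, url, indicators) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not combined format; skip rather than crash on it
        indicators = lfi_indicators(match["url"], match["ua"])
        if indicators:
            hits.append((match["ip"], match["url"], indicators))
    return hits


# Constructed sample log (not real traffic): one benign request, five probes, one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /script.php?page=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /script.php?page=../../../../../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2460 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:49 +0000] "GET /vuln.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd%2500 HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:52 +0000] "GET /vuln.php?page=/proc/self/environ HTTP/1.1" 200 3011 "-" "<? system('uname -a');?>"
10.0.0.9 - - [10/Oct/2023:13:55:58 +0000] "GET /<? system('uname -a');?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:56:02 +0000] "GET /docs/readme.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, url, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip:10} {', '.join(indicators):28} {url}")
```

Decoding twice before matching is what makes the %2e%2e%2f and %2500 forms visible; a 404 request carrying a PHP tag is the log contamination step itself and is worth alerting on even though nothing was included yet.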
Email a Reverse Shell
If the target machine relays mail, either directly or via another machine on the network, and stores mail for the user www-data (or the apache user) on the system, then it's possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed, it's possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache, such as www-data, to ensure file system permissions will allow read access to the file /var/spool/mail/www-data containing the injected PHP reverse shell code.
First enumerate the target system using a list of known UNIX / Linux account names:
The following screenshot shows the process of sending email via telnet to the www-data user:
References
Information sources used within this document:
- Original article: https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
- https://www.owasp.org/index.php/PHP_File_Inclusion
- DVWA (used for LFI examples): http://www.dvwa.co.uk/