Local File Inclusion (Lfi) Spider Web Application Penetration Testing

The definitive conduct for LFI vulnerability security testing for põrnikas hunting & penetration testing engagements.

---

     The intent of this document is to attention penetration testers together with students position together with essay LFI vulnerabilities on future penetration testing engagements past times consolidating query for local file inclusion LFI testing techniques. LFI vulnerabilities are typically discovered during spider web app pen tests using the techniques contained inside this document. Additionally, around of the techniques mentioned inward this newspaper are besides usually used inward CTF mode competitions.

Main Chapters

• What is a Local File Inclusion (LFI) vulnerability?
• Identifying LFI Vulnerabilities inside Web Applications
• PHP Wrappers
• LFI via /proc/self/environ
• Null Byte Technique
• Truncation LFI Bypass
• Log File Contamination
• Email a Reverse Shell

What is a Local File Inclusion (LFI) vulnerability?

      Local File Inclusion (LFI) allows an assaulter to include files on a server through the spider web browser. This vulnerability exists when a spider web application includes a file without correctly sanitising the input, allowing together with assaulter to manipulate the input together with inject path traversal characters together with include other files from the spider web server.

The next is an instance of PHP code vulnerable to local file inclusion.

<?php  $file = $_GET['file'];  if(isset($file))     {       include("pages/$file");     }  else     {       include("index.php");     } ?>

Identifying LFI Vulnerabilities inside Web Applications

/script.php?page=index.html

H5N1 penetration tester would endeavor to exploit this vulnerability past times manipulating the file place parameter, such as:

/script.php?page=../../../../../../../../etc/passwd

The higher upwards is an drive to display the contents of the /etc/passwd file on a UNIX / Linux based system.

Below is an instance of a successful exploitation of an LFI vulnerability on a spider web application:

PHP Wrappers

PHP has a discover of wrappers that tin oft endure abused to bypass diverse input filters.

PHP Expect Wrapper

PHP expect:// allows execution of organisation commands, unfortunately the hold back PHP module is non enabled past times default.

php?page=expect://ls

The payload is sent inward a POST asking to the server such as:

/fi/?page=php://input&cmd=ls

Example using php://input against DVWA:

Request:

POST asking using php://input

Web Application Response:

The output from the ascendency “ls” is rendered higher upwards the DVWA banner

PHP php://filter

php://filter allows a pen tester to include local files together with base64 encodes the output. Therefore, whatsoever base64 output volition involve to endure decoded to reveal the contents.

An instance using DVWA:

vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

Image showing the base64 encoded text at the top of the rendered page

Base64 decoding the string provides the /etc/passwd file:

An icon showing the base64 decoded output from /etc/passwd on a UNIX / Linux system

php://filter can besides endure used without base64 encoding the output using:

?page=php://filter/resource=/etc/passwd

An icon showing the output from /etc/passwd on a UNIX / Linux organisation using php://filter

PHP ZIP Wrapper LFI

     The zip wrapper processes uploaded .zip files server side allowing a penetration tester to upload a zip file using a vulnerable file upload business office together with leverage he zip filter via an LFI to execute. H5N1 typical laid on instance would expression like:

1. Create a PHP opposite shell
2. Compress to a .zip file
3. Upload the compressed vanquish payload to the server
4. Use the zip wrapper to extract the payload using: php?page=zip://path/to/file.zip%23shell
5. The higher upwards volition extract the zip file to shell, if the server does non append .php rename it to shell.php instead

If the file upload business office does non permit zip files to endure uploaded, attempts tin endure made to bypass the file upload business office (see: OWASP file upload testing document).

LFI via /proc/self/environ

     If it’s possible to include /proc/self/environ via a local file inclusion vulnerability, together with hence introducing root code via the User Agent header is a possible vector. Once code has been injected into the User Agent header a local file inclusion vulnerability tin endure leveraged to execute /proc/self/environ and reload the surroundings variables, executing your opposite shell.

Useful Shells

Useful tiny PHP dorsum doors for the higher upwards techniques:

<? system('uname -a');?>

Null Byte Technique

     Null byte injection bypasses application filtering inside spider web applications past times adding URL encoded “Null bytes” such every bit . Typically, this bypasses basic spider web application blacklist filters past times adding additional cypher characters that are together with hence allowed or non processed past times the backend spider web application.

Some practical examples of cypher byte injection for LFI:

vuln.php?page=/etc/passwd  vuln.php?page=/etc/passwd%2500

Truncation LFI Bypass

     Truncation is around other blacklist bypass technique. By injecting long parameter into the vulnerable file inclusion mechanism, the spider web application may “cut it off” (truncate) the input parameter, which may bypass the input filter.

Log File Contamination

    Log file contamination is the procedure of injecting root code into log files on the target system. This is achieved past times introducing root code via other exposed services on the target organisation which the target operating organisation / service volition shop inward log files. For example, injecting PHP opposite vanquish code into a URL, causing syslog to produce an entry inward the apache access log for a 404 page non constitute entry. The apache log file would together with hence endure parsed using a previously discovered file inclusion vulnerability, executing the injected PHP opposite shell.

After introducing root code to the target systems log file(s) the side past times side stride is identifying the place of the log file. During the recon together with regain phase of penetration testing the spider web server together with probable the target operating organisation would produce got been identified, a skillful starting betoken would endure looking upwards the default log paths for the identified operating organisation together with spider web server (if they are non already known past times the consultant). FuzzDB’s Burp LFI payload lists tin endure used inward conjunction amongst Burp intruder to chop-chop position valid log file locations on the target system.

Some usually exposed services on a Linux / UNIX systems are listed below:

Apache / Nginx

     Inject code into the spider web server access or fault logs using netcat, afterwards successful injection parse the server log file place past times exploiting the previously discovered LFI vulnerability. If the spider web server access / fault logs are long, it may accept around fourth dimension execute your injected code.

Email a Reverse Shell

      If the target auto relays postal service either straight or via around other auto on the network together with stores postal service for the user www-data (or the apache user) on the organisation together with hence it’s possible to e-mail a opposite vanquish to the target. If no MX records be for the domain but SMTP is exposed it’s possible to connect to the target postal service server together with shipping postal service to the www-data / apache user. Mail is sent to the user running apache such every bit www-data to ensure file organisation permissions volition permit read access the file /var/spool/mail/www-data containing the injected PHP opposite vanquish code.

First enumerate the target organisation using a listing of known UNIX / Linux concern human relationship names:

The higher upwards icon uses the smtp-user-enum script confirming the www-data user exists on the system

The next screenshot shows the procedure of sending e-mail via telnet to the www-data user:

The higher upwards icon shows the procedure of sending a opposite PHP vanquish via SMTP using telnet

The higher upwards icon shows the inclusion of www-data postal service spool file containing the emailed PHP opposite vanquish code

The higher upwards icon shows the emailed PHP opposite vanquish connecting to a netcat listener

References

Information sources used inside this document:

• Original article: https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
• https://www.owasp.org/index.php/PHP_File_Inclusion
• DVWA (used for LFI examples): http://www.dvwa.co.uk/