Local File Inclusion
Fuzzing with wfuzz
The key is to look for unusual responses and filter out the rest with -hh (hide by character count). In this case most responses were around 300 characters, so whenever one came back with about 13000 characters it meant that the included file's content was being displayed.
This also gives us a hint about how the Local File Inclusion is working.
Windows
Reference this list of Windows files for LFI so we can get credentials for other services on the host.
Linux
The guide above should help you depending on how the website reacts.
Look for files belonging to other services on the host that could give you access.
LFI + TOMCAT
Look at the version of Tomcat: depending on it, we can gather credentials for the manager site and gain RCE by uploading a WAR file.

By traversing to: /usr/share/tomcat9/etc/tomcat-users.xml
We were able to gather credentials.
LFI + Redis
Try to enumerate where we can write files using Redis, write a PHP reverse shell or any other code there, and then use the LFI to include and execute the code we wrote.
LFI + Filezilla
Using the reference list above we can gather credentials for the Filezilla FTP server.
Bypassing Tricks
Null byte
This has been patched since PHP 5.4.
Double encoding
From existing folder
Wrapper php://filter
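The bypass tricks above all target the same weak spot: an include that builds a path from user input and only checks it loosely. The following is an added example (not code from the original notes) of how a page parameter should be validated so that each listed trick is rejected; the pages directory and the page names are assumptions made for the example.

```python
import os
import urllib.parse
from typing import Optional, Tuple

# Assumed for this example: the application may only include pages
# from this directory, and only these page names exist.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def check_page_param(page_param: str, pages_dir: str = PAGES_DIR) -> Tuple[Optional[str], str]:
    """Return (absolute path to include, "ok") or (None, reason for rejection).

    Each check corresponds to one of the bypass tricks listed in the notes.
    """
    # Decode exactly once. Double-encoded input such as %252e decodes to a
    # literal "%2e"; the leftover '%' is rejected instead of being decoded again.
    decoded = urllib.parse.unquote(page_param)
    if "%" in decoded:
        return None, "double encoding"
    # A null byte used to truncate the appended ".php" suffix in old PHP.
    if "\x00" in decoded:
        return None, "null byte"
    # php://filter, data://, expect://, zip:// ... are schemes, not file names.
    if "://" in decoded:
        return None, "wrapper scheme"
    # Allowlist beats blocklist: traversal from an existing folder
    # ("pages/../../etc/passwd") is simply not a known page name.
    if decoded not in ALLOWED_PAGES:
        return None, "not in allowlist"
    # Defence in depth: the resolved path must still live inside pages_dir.
    candidate = os.path.realpath(os.path.join(pages_dir, decoded + ".php"))
    if os.path.commonpath([candidate, pages_dir]) != pages_dir:
        return None, "outside pages directory"
    return candidate, "ok"


if __name__ == "__main__":
    for value in ["home", "../../../../etc/passwd", "../../../../etc/passwd%00",
                  "%252e%252e/etc/passwd", "php://filter/convert.base64-encode/resource=index",
                  "pages/../../../etc/passwd"]:
        print(repr(value), "->", check_page_param(value))
```

The ordering matters: decoding once and then refusing any remaining `%` is what makes the double-encoding trick visible, and the allowlist check is what makes the realpath containment check a second line of defence rather than the only one.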
RCE Methods
PHP Wrappers
Wrapper input://
Since we have code execution, all we have to do is get a reverse shell using one of the payloads from PayloadsAllTheThings.
Wrapper data://
Wrapper expect://
Wrapper zip://
LFI to RCE via controlled log file
Just append your PHP code to the log file by making a request to the service (Apache, SSH, ...) and then include the log file.
RCE via SSH
Try to SSH into the box using PHP code as the username: <?php system($_GET["cmd"]);?>.
Then include the SSH log files inside the Web Application.
Via vsftpd logs
The logs of this FTP server are stored in /var/log/vsftpd.log. If you have an LFI and can reach an exposed vsftpd server, you can try to log in with the PHP payload as the username and then include the log file through the LFI.

RCE via Mail
First send an email using the open SMTP then include the log file located at http://example.com/index.php?page=/var/log/mail.
In some cases you can also send the email with the mail command line.

RCE via Apache logs
Poison the User-Agent in access logs:
Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
Then request the logs via the LFI and execute your command.
Regardless, we are still able to include C:\xampp\apache\logs\access.log and execute the shell.
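Every log-poisoning and wrapper technique in this page leaves a trace in the web server's own access log: the traversal or wrapper in the query string, the PHP tag in the User-Agent, or the later include of the log or session file. The following is an added example, not code from the original notes, that parses Apache combined-format log lines and flags those indicators; it also picks out response-size outliers, the same signal used with wfuzz above. The log lines are constructed for the example.

```python
import re
import statistics
import urllib.parse
from typing import Dict, List, Tuple

# Constructed sample in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=about HTTP/1.1" 200 298 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?page=contact HTTP/1.1" 200 330 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 13012 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:45 +0000] "GET / HTTP/1.1" 200 312 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 48000 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=/var/lib/php/session/sess_abc123 HTTP/1.1" 200 500 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Each indicator corresponds to a technique described in the notes.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("double-encoding", re.compile(r"%25", re.I)),
    ("null-byte", re.compile(r"%00|\x00", re.I)),
    ("wrapper", re.compile(r"\b(php|data|expect|zip|phar|input)://", re.I)),
    ("sensitive-file", re.compile(
        r"/var/log/|access\.log|/proc/self|sess_[0-9a-z]+|/etc/(passwd|shadow)|id_rsa", re.I)),
]
# PHP open tag in a request header: the payload of a log-poisoning attempt.
PHP_TAG = re.compile(r"<\?(php|=)", re.I)


def analyse_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that shows LFI or log-poisoning indicators."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m["target"]
        # Check the raw and the once-decoded target so single encoding does not hide a hit
        # while "%25" (double encoding) is still visible in the raw form.
        text = raw + " " + urllib.parse.unquote(raw)
        hits = [name for name, pat in INDICATORS if pat.search(text)]
        if PHP_TAG.search(m["ua"]):
            hits.append("log-poisoning")
        if hits:
            findings.append({"line": lineno, "ip": m["ip"],
                             "size": int(m["size"]) if m["size"] != "-" else 0,
                             "indicators": hits})
    return findings


def size_outliers(log_text: str, factor: float = 10.0) -> List[Tuple[int, int]]:
    """Return (line, size) for responses larger than factor * median size.

    Same idea as the wfuzz -hh filtering above: a page that normally returns a
    few hundred bytes suddenly returning thousands means a file was included.
    """
    sizes = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m and m["size"] != "-":
            sizes.append((lineno, int(m["size"])))
    if not sizes:
        return []
    median = statistics.median(s for _, s in sizes)
    return [(ln, s) for ln, s in sizes if s > factor * median]


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f)
    print("size outliers:", size_outliers(SAMPLE_LOG))
```

The User-Agent check is the one that catches the poisoning step itself, before the attacker ever includes the log; the others catch the inclusion. On a real server the median should be computed per URL path, since different pages legitimately have different sizes.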
LFI to RCE via PHP sessions
Check if the website uses PHP sessions (PHPSESSID).
In PHP these sessions are stored in /var/lib/php5/sess_[PHPSESSID] or /var/lib/php/session/sess_[PHPSESSID] files.
Set the cookie to <?php system('cat /etc/passwd');?>
Use the LFI to include the PHP session file
LFI to RCE via credentials files
This method requires high privileges inside the application in order to read the sensitive files.
Windows version
First extract sam and system files.
Then extract hashes from these files samdump2 SYSTEM SAM > hashes.txt, and crack them with hashcat/john or replay them using the Pass The Hash technique.
Linux version
First extract /etc/shadow files.
Then crack the hashes inside in order to login via SSH on the machine.
Another way to gain SSH access to a Linux machine through LFI is by reading the private key file, id_rsa. If SSH is active, check which user is being used via /proc/self/status and /etc/passwd, then try to access /<HOME>/.ssh/id_rsa.
Resources