
Local File Inclusion (LFI) Web Application Penetration Testing

January 23, 2018 (updated July 27, 2019)

The definitive guide for LFI vulnerability security testing for bug hunting & penetration testing engagements.

The intent of this document is to help penetration testers and students identify and test LFI vulnerabilities on future penetration testing engagements by consolidating research for local file inclusion LFI testing techniques. LFI vulnerabilities are typically discovered during web app pen tests using the techniques contained within this document. Additionally, some of the techniques mentioned in this paper are also commonly used in CTF style competitions.

 

Main Chapters

  • What is a Local File Inclusion (LFI) vulnerability?
  • Identifying LFI Vulnerabilities within Web Applications
  • PHP Wrappers
  • LFI via /proc/self/environ
  • Null Byte Technique
  • Truncation LFI Bypass
  • Log File Contamination
  • Email a Reverse Shell

 

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.

The following is an example of PHP code vulnerable to local file inclusion.

<?php
 // The requested filename comes straight from the query string with no validation.
 $file = $_GET['file'];
 if(isset($file))
    {
      // "../" sequences in $file walk out of pages/; the fixed prefix does not stop traversal.
      include("pages/$file");
    }
 else
    {
      include("index.php");
    }
?>
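As an added example (not the article's or DVWA's code), here is a hardened form of the include above: an allowlist keyed on the page name, a strict key pattern, and a realpath check that the resolved file stays under the pages directory. The page list, directory name and error handling are assumptions.

```php
<?php
// Added example, not from the original article: a hardened replacement for the
// include above. The page list, directory name and error handling are assumptions.
declare(strict_types=1);

// Allowlist: the only files this script will ever include. Keys are the values
// accepted in ?file=, values are the real files under PAGES_DIR.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'index'   => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a user-supplied page key to an absolute path, or return null to reject it.
 * The key pattern alone defeats every payload shape shown in this article:
 *   ../../../../etc/passwd                  (traversal)  -> '/' and '.' not allowed
 *   php://filter/convert.base64-encode/...  (wrapper)    -> ':' and '/' not allowed
 *   /etc/passwd%00 or %2500                 (null byte)  -> NUL not allowed
 *   4096+ byte values                       (truncation) -> length limit
 */
function resolvePage(string $key): ?string
{
    if (strlen($key) > 32 || !preg_match('/\A[a-z0-9_-]+\z/', $key)) {
        return null;
    }
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: the resolved file must still live inside PAGES_DIR even
    // if the allowlist is edited carelessly later.
    $real = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$key]);
    $base = realpath(PAGES_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

$key  = $_GET['file'] ?? 'index';          // arrays (?file[]=x) are rejected below
$path = resolvePage(is_string($key) ? $key : '');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```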

 

Identifying LFI Vulnerabilities within Web Applications

LFI candidates are parameters whose value names a file for the application to load, for example:

/script.php?page=index.html

A penetration tester would attempt to exploit this vulnerability by manipulating the file location parameter, such as:

/script.php?page=../../../../../../../../etc/passwd

The above is an effort to display the contents of the /etc/passwd file on a UNIX / Linux based system.

[Image: successful exploitation of an LFI vulnerability on a web application]

 

PHP Wrappers

PHP has a number of wrappers that can often be abused to bypass various input filters.

 

PHP Expect Wrapper

PHP's expect:// wrapper allows execution of system commands; however, expect is a PECL extension that is not enabled by default.

php?page=expect://ls

PHP php://input

With the php://input wrapper the included "file" is the raw request body, so the PHP payload is sent in a POST request to the server, such as:

/fi/?page=php://input&cmd=ls

Including php://input (like data://) only works when allow_url_include is enabled, which it is not on a default PHP installation. Example using php://input against DVWA:

Request:

[Image: POST request using php://input]

Web Application Response:

[Image: the output from the command "ls" is rendered above the DVWA banner]

 

PHP php://filter

php://filter allows a pen tester to include local files with the output base64 encoded. Because the content is returned encoded rather than interpreted, this also retrieves the source of .php files that would otherwise execute. Any base64 output will need to be decoded to reveal the contents.

An example using DVWA:

vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

[Image: the base64 encoded text at the top of the rendered page]

Base64 decoding the string provides the /etc/passwd file:

[Image: the base64 decoded output from /etc/passwd on a UNIX / Linux system]

 

php://filter can also be used without base64 encoding the output using:

?page=php://filter/resource=/etc/passwd

[Image: the output from /etc/passwd on a UNIX / Linux system using php://filter]

 

PHP ZIP Wrapper LFI

The zip wrapper reads entries from .zip archives server side, allowing a penetration tester to upload a zip file via a vulnerable file upload function and then leverage the zip wrapper through an LFI to execute the contained payload. A typical attack would look like:

  1. Create a PHP reverse shell
  2. Compress to a .zip file
  3. Upload the compressed shell payload to the server
  4. Use the zip wrapper to include the payload from inside the archive using: php?page=zip://path/to/file.zip%23shell (%23 is the URL encoded #, which separates the archive path from the entry name)
  5. The above includes the entry named shell from the zip file; if the server does not append .php to the included filename, name the payload shell.php instead

If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass the file upload function (see: OWASP file upload testing document).

 

LFI via /proc/self/environ

If it's possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User-Agent header is a possible vector. Once code has been injected into the User-Agent header, the local file inclusion vulnerability can be leveraged to include /proc/self/environ, which now contains the injected code, executing your reverse shell. This depends on the request headers being present in the PHP process environment (CGI-style deployments) and on the file being readable by the web server user.

 

Useful Shells

Useful tiny PHP back doors for the above techniques:

<?php system('uname -a'); ?>

 

Null Byte Technique

Null byte injection bypasses application filtering within web applications by adding a URL encoded null byte such as %00 to the parameter. Typically this defeats basic blacklist filters and fixed suffixes: the backend treats the null byte as the end of the string, so anything the application appends after it (such as .php) is dropped. PHP 5.3.4 and later reject paths containing a null byte, so the technique only works on older installations.

Some practical examples of null byte injection for LFI:

vuln.php?page=/etc/passwd%00

vuln.php?page=/etc/passwd%2500

 

Truncation LFI Bypass

Truncation is another blacklist bypass technique. By injecting a long parameter into the vulnerable file inclusion mechanism, the web application may "cut off" (truncate) the input parameter, which may bypass the input filter. This relies on older PHP builds silently truncating paths longer than the filesystem's maximum path length (4096 bytes on Linux), which drops any suffix the application appends.

 

Log File Contamination

Log file contamination is the process of injecting source code into log files on the target system. This is achieved by introducing source code via other exposed services on the target system, which the target operating system / service will store in log files. For example, injecting PHP reverse shell code into a URL causes the web server to record the request, including the code, in the Apache access log as a 404 not found entry. The Apache log file would then be included using a previously discovered file inclusion vulnerability, executing the injected PHP reverse shell.

After introducing source code to the target system's log file(s), the next step is identifying the location of the log file. During the recon and discovery stage of penetration testing the web server and likely the target operating system would have been identified; a good starting point is looking up the default log paths for the identified operating system and web server (if they are not already known by the consultant). FuzzDB's Burp LFI payload lists can be used in conjunction with Burp Intruder to quickly identify valid log file locations on the target system.

Some commonly exposed services on Linux / UNIX systems are listed below:

 

Apache / Nginx

Inject code into the web server access or error logs using netcat, then include the log file location by exploiting the previously discovered LFI vulnerability. If the web server access / error logs are large, it may take some time to execute your injected code.
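The indicators described in the identification, PHP wrapper, null byte, truncation and log contamination sections above are easy to spot in the web server's own access log. The following is an added example (not part of the original article or any tool it mentions) that flags such entries; the sample log lines are constructed, and the rule names and length threshold are this example's own choices.

```php
<?php
// Added example, not from the original article: flag Apache access-log entries
// carrying LFI indicators. Sample lines are constructed; thresholds are assumptions.
// Rule name => regex, run over the URL-decoded full line so that payloads in the
// User-Agent field (the /proc/self/environ vector) are caught as well.
const LFI_RULES = [
    'path traversal' => '#\.\.[/\\\\]#',
    'sensitive file' => '#/etc/passwd|/proc/self/environ|/var/log/|/var/spool/mail/#',
    'php wrapper'    => '#\b(php|expect|zip|data|phar)://#i',
    'null byte'      => '#\x00#',             // %00, or %2500 once double-decoded
    'log poisoning'  => '#<\?(php)?[\s(]#i',  // "<?php system(" in URL or UA
];
const MAX_PARAM_LEN = 255; // longer query values suggest a truncation attempt

/** Return the names of every rule one log line triggers (empty array = clean). */
function lfiIndicators(string $line): array
{
    // Decode twice so double-encoded payloads such as %2500 are normalised.
    $decoded = rawurldecode(rawurldecode($line));
    $hits = [];
    foreach (LFI_RULES as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    // Length check applies to the query string of the request line only.
    if (preg_match('/"[A-Z]+ \S*\?(\S+) HTTP\//', $decoded, $m)) {
        parse_str($m[1], $params);
        foreach ($params as $value) {
            if (is_string($value) && strlen($value) > MAX_PARAM_LEN) {
                $hits[] = 'over-long parameter';
                break;
            }
        }
    }
    return $hits;
}

$lines = [ // constructed sample entries in combined log format
    '10.0.0.5 - - [23/Jan/2018:10:00:00 +0000] "GET /script.php?page=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jan/2018:10:00:01 +0000] "GET /script.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jan/2018:10:00:02 +0000] "GET /vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jan/2018:10:00:03 +0000] "GET /vuln.php?page=/etc/passwd%2500 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [23/Jan/2018:10:00:04 +0000] "GET /vuln.php?page=/proc/self/environ HTTP/1.1" 200 300 "-" "<?php system($_GET[\'cmd\']); ?>"',
];
foreach ($lines as $line) {
    $hits = lfiIndicators($line);
    printf("%-6s %s\n", $hits ? 'ALERT' : 'ok', $hits ? implode(', ', $hits) : substr($line, 42, 40));
}
```

Only the first sample line comes back clean; the rest are reported with the rule names they trigger, which is a reasonable starting point for an alert in a SIEM or a WAF rule review.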

 

Email a Reverse Shell

If the target machine relays mail, either directly or via another machine on the network, and stores mail for the user www-data (or the apache user) on the system, then it's possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed, it's possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running apache, such as www-data, to ensure file system permissions will allow read access to the file /var/spool/mail/www-data containing the injected PHP reverse shell code.

First enumerate the target system using a list of known UNIX / Linux account names:

[Image: smtp-user-enum output confirming the www-data user exists on the system]

The following screenshot shows the process of sending email via telnet to the www-data user:

[Image: sending a reverse PHP shell via SMTP using telnet]

[Image: inclusion of the www-data mail spool file containing the emailed PHP reverse shell code]

[Image: the emailed PHP reverse shell connecting to a netcat listener]

 

References

Information sources used within this document:

  • Original article: https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
  • https://www.owasp.org/index.php/PHP_File_Inclusion
  • DVWA (used for LFI examples): http://www.dvwa.co.uk/
