Bypassing LFI (Local File Inclusion)

LFI (Local File Inclusion) allows an attacker to make the server read, and expose, a file from its own filesystem. With the help of directory traversal (../) an attacker can reach files outside the directory the application intended to serve, i.e. files that should never be accessible to a user.

For example,

https://example.com/redirect.php?page=/home/index.html returns index.html.

https://example.com/redirect.php?page=../../../etc/passwd returns the passwd file.

It is a serious issue, rated P1 in the Bugcrowd VRT, and it can lead to RCE through various methods.
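To make the root cause concrete, here is the vulnerable pattern behind a redirect.php?page= handler next to a hardened resolver. This is an added example written for this page, not code from the original post or from any real target; the document root /var/www/pages and the .html allow-list are assumptions. It shows why the unsafe join lets an absolute path replace the root and lets ../ walk out of it, and how canonicalising the decoded value and checking containment stops the traversal, the .html-suffix variant, double encoding and the %00 null byte in one place.

```python
import os
import urllib.parse

# Hypothetical document root for the examples below (assumed, not from the post)
WEB_ROOT = "/var/www/pages"


def resolve_page_unsafe(web_root, page):
    """The vulnerable pattern: the user value is joined straight onto the
    document root. An absolute value replaces the root entirely and '../'
    segments walk out of it, which is exactly what LFI exploits."""
    return os.path.normpath(os.path.join(web_root, page))


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so that ..%2F and the
    double-encoded ..%252F are both seen as ../ before any check runs."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_page_safe(web_root, page):
    """Hardened resolver: returns the canonical path of the requested page if
    it lies inside web_root and has an allowed extension, otherwise None."""
    decoded = fully_decode(page)
    if "\x00" in decoded:
        return None                      # null-byte truncation (the %00 trick)
    if not decoded.endswith(".html"):
        return None                      # allow-list the served file type
    # Treat the value as relative to the root, never as an absolute path
    relative = decoded.lstrip("/\\")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    # realpath has already collapsed every '../', so one containment check
    # on the canonical result is enough; no blocklist of patterns is needed
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    samples = [
        "change/lmtstats.html",                       # legitimate page
        "/home/index.html",                            # absolute path
        "../../../etc/passwd",                         # plain traversal
        "../../../../../../../etc/passwd.html",        # traversal with .html suffix
        "..%252F..%252Fetc%252Fpasswd.html",           # double-encoded slashes
        "..%2F..%2Fetc..%2Fpasswd..%2F00.txt//.%00",   # encoded slashes + null byte
    ]
    for value in samples:
        print(f"{value!r:48} unsafe={resolve_page_unsafe(WEB_ROOT, value)!r} "
              f"safe={resolve_page_safe(WEB_ROOT, value)!r}")
```

The important design choice is the order: decode first, then canonicalise with realpath, then compare the result against the root. A filter that rejects "../" on the raw parameter is what the rest of this write-up bypasses, because it runs before decoding and can be fooled by %2F, %252F or a trailing suffix.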

In my case the URL was www.target.com/rd?page=/change/lmtstats.html

So I tried directory traversal in the page parameter. The list of payloads can be found here. It's a huge list, but ../../../etc/passwd works most of the time; however, the number of times you need to add ../ can be large, and even if you add maybe 20 ../ the path itself, i.e. etc/passwd, may be blocked. So it's a bit of trial and error.

In my case I had to add ../ 7 times, but the final payload had .html at the end, like so: ../../../../../../../etc/passwd.html

Tried changing the file type to txt, png, etc. No luck.

NullByte - %00

After trying various techniques and encoding, the final payload was

www.target.com/rd?page=Li4lMkYuLiUyRi4uJTJGLi4lMkYuLiUyRi4uJTJGLi4lMkZldGMuLiUyRnBhc3N3ZC4uJTJGMDAudHh0Ly8uJTAw

That is the payload below, base64-encoded.

..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc..%2Fpasswd..%2F00.txt//.%00

After a lot of trial and error and getting blocked, I could finally access the passwd file. Now it was time to escalate this to RCE. Unfortunately, I could not escalate this to RCE because I could only read a few files, and for RCE we need to access specific files. But you can escalate it to RCE via the methods below if you find LFI.
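From the defender's side, the interesting part of this story is that every layer the final payload used (percent-encoded slashes, a base64 wrapper, a %00 terminator) is visible in the access log if the log review peels the layers in the same order the server did. Below is an added example, not part of the original post, that scans a few constructed log lines (the target host, IPs and timestamps are made up; the page values are the ones discussed above) and flags the requests a WAF tuned on the raw string would have let through. The log format and the decode-until-stable logic are assumptions of this example.

```python
import base64
import binascii
import re
import urllib.parse

# Constructed sample access-log lines (common log format); not a real target's log.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /rd?page=/change/lmtstats.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Mar/2022:10:00:07 +0000] "GET /rd?page=../../../../../../../etc/passwd.html HTTP/1.1" 403 0
10.0.0.9 - - [01/Mar/2022:10:00:09 +0000] "GET /rd?page=..%252F..%252Fetc%252Fpasswd.html HTTP/1.1" 403 0
10.0.0.9 - - [01/Mar/2022:10:00:15 +0000] "GET /rd?page=Li4lMkYuLiUyRi4uJTJGLi4lMkYuLiUyRi4uJTJGLi4lMkZldGMuLiUyRnBhc3N3ZC4uJTJGMDAudHh0Ly8uJTAw HTTP/1.1" 200 1843
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Pull the raw parameter out ourselves: parse_qs() would percent-decode one
# layer for us and hide how many encoding layers the request actually carried.
PAGE_RE = re.compile(r"[?&]page=([^&\s]*)")


def percent_decode(value, steps, max_rounds=3):
    """Percent-decode until stable, recording each layer that was removed."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            return value
        steps.append("percent")
        value = decoded
    return value


def try_base64(value):
    """Return the decoded text if value is strict base64 of printable ASCII,
    else None. Benign paths contain '.', which is not in the base64 alphabet,
    so they are rejected by validate=True rather than mis-decoded."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def normalise(value):
    """Peel encodings the way a permissive server would: percent-decoding,
    then an optional base64 layer, then percent-decoding again."""
    steps = []
    value = percent_decode(value, steps)
    inner = try_base64(value)
    if inner is not None:
        steps.append("base64")
        value = percent_decode(inner, steps)
    return value, steps


def classify(raw_page):
    """Findings for one page= value, in a fixed order for easy alerting."""
    decoded, steps = normalise(raw_page)
    findings = []
    if "../" in decoded or "..\\" in decoded:
        findings.append("traversal")
    if "\x00" in decoded:
        findings.append("null-byte")
    if "base64" in steps:
        findings.append("base64-wrapped")
    if len(steps) >= 2:
        findings.append("multi-layer-encoding")
    return findings


def scan_log(text):
    """Return one record per suspicious request: ip, status and findings.
    A 200 next to a traversal finding is the line worth paging on."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PAGE_RE.search(m.group("path"))
        if not p:
            continue
        findings = classify(p.group(1))
        if findings:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "page": p.group(1), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["findings"]))
```

Two caveats a practitioner would want: the base64 probe can misfire on short opaque tokens that happen to be valid base64, so keep the printable-ASCII requirement and treat "base64-wrapped" as a weak signal on its own; and the status code matters more than the finding, since the blocked 403s show the filter working while the 200 on the wrapped payload is the actual data exposure.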

There are a ton of blogs that explain various methods for RCE, which are just a Google search away.

For those who ask me on Twitter where I learn all the bug bounty stuff, the resources below should help.

Basically I just read a lot of blogs and try that on my target website 😆

Hope you learned something.

Thanks 😄

Abhishek

Bug-Bounty | Pentester