Bypassing LFI (Local File Inclusion)

LFI (Local File Inclusion) allows an attacker to expose a file on the target server. With the help of directory traversal (../) we can access files that should not be accessible to a user.
For example,
https://example.com/redirect.php?page=/home/index.html
This will return index.html.
https://example.com/redirect.php?page=../../../etc/passwd
This will return the passwd file.
It's a serious issue (P1 severity) and could lead to RCE with various methods.

In my case the URL was www.target.com/rd?page=/change/lmtstats.html, so I tried directory traversal in the page parameter. The list of payloads can be found here. It's a huge list, but ../../../etc/passwd works most of the time. However, the number of ../ you need to add can be large, and even if you add maybe 20 ../, the target path (i.e. etc/passwd) may be blocked. So it's a bit of trial and error.
In my case I had to add ../ 7 times, but the final request had .html appended at the end, like so: ../../../../../../../etc/passwd.html

Tried changing the filetype to txt, png, etc.; no luck.

Null byte - %00

After trying various techniques and encodings, the final payload was the one below, encoded in base64:
..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc..%2Fpasswd..%2F00.txt//.%00
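As an added example (not code from the original post or from the target site), here is how a page parameter like the one above should be resolved server-side. It is a defensive resolver in Python that covers the three things the payloads in this write-up rely on: ../ traversal, URL encoding of the traversal, and the %00 null byte that truncates an appended .html. The web root, the lmtstats.html file and the list of sample requests are constructed for the demonstration; it creates a throwaway directory so it runs offline.

```python
import os
import tempfile
import urllib.parse

# Constructed inputs mirroring the classes of ?page= value in the write-up:
# a legitimate page, plain traversal, percent-encoded traversal, a NUL-byte
# suffix, and a missing file. All of these are hypothetical sample data.
SAMPLE_PAGES = [
    "/change/lmtstats.html",
    "../../../../../../../etc/passwd",
    "..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "change/lmtstats.html%00.txt",
    "change/missing.html",
]


class UnsafePath(ValueError):
    """Raised when a requested page must not be served."""


def resolve_page(web_root, page):
    """Map a user-supplied ?page= value to a file under web_root, or raise.

    Checks, in order:
      1. Percent-decode once; refuse any '%' left over so a double-encoded
         value cannot reach the filesystem still encoded.
      2. Refuse NUL bytes: C-level file APIs stop at the first NUL, which is
         what a %00 suffix relies on to discard an appended extension.
      3. Treat a leading '/' as relative to web_root, not the filesystem root.
      4. Canonicalise with realpath (collapses '..' and resolves symlinks) and
         require the result to stay inside web_root.
    """
    decoded = urllib.parse.unquote(page)
    if "%" in decoded:
        raise UnsafePath("double-encoded input")
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    relative = decoded.lstrip("/")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, relative))
    if os.path.commonpath([root, candidate]) != root:
        raise UnsafePath("path escapes web root")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(candidate)
    return candidate


def classify(web_root, page):
    """Return 'served', 'missing', or 'blocked: <reason>' for one request."""
    try:
        resolve_page(web_root, page)
    except UnsafePath as exc:
        return "blocked: %s" % exc
    except FileNotFoundError:
        return "missing"
    return "served"


def build_demo_root():
    """Create a throwaway web root holding change/lmtstats.html (constructed)."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "change"))
    with open(os.path.join(root, "change", "lmtstats.html"), "w") as fh:
        fh.write("<html>stats</html>\n")
    return root


def run_demo():
    """Classify every sample request against a fresh demo root."""
    root = build_demo_root()
    return {page: classify(root, page) for page in SAMPLE_PAGES}


if __name__ == "__main__":
    for page, verdict in run_demo().items():
        print("%-50s %s" % (page, verdict))
```

The important design choice is that the decision is made on the canonical path after realpath, not on the raw string: a blacklist of "../" or an appended ".html" is exactly the kind of string-level filter that the encoded and null-byte variants above get past, whereas a path that resolves outside the web root is rejected no matter how it was spelled.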

After a lot of trial and error and getting blocked, I could finally access the passwd file. Now it was time to escalate this to RCE. Unfortunately, I could not escalate it to RCE because I could only read a few files, and for RCE we need to access specific files. But you can escalate it to RCE via the methods below if you find an LFI.
There are a ton of blogs that explain various methods for RCE, which are just a Google search away.
For those who ask me on Twitter where I learn all the bug bounty stuff, the resources below should help.
Basically I just read a lot of blogs and try that on my target website 😆
Hope you learned something.
Thanks 😄