Hey wonderful hackers. I was hacking on a VDP program and after a light recon I picked one subdomain to hunt.
I clicked around and used the website as intended, but when I looked at the requests in Burp, this request caught my eye:
https://target.tld/api/whitelabel/getFile?file=favico
So I tested for LFI and tried to get the /etc/passwd file, but the response was empty. I tried all bypasses but no luck.
I tried endpoints from SecLists and I got these files:
https://target.tld/api/whitelabel/getFile?file=../../../../../../../../../../../../etc/hosts
https://target.tld/api/whitelabel/getFile?file=../../../../../../../../../../../../var/log/dmesg
https://target.tld/api/whitelabel/getFile?file=../../../../../../../../../../../../etc/ssh/ssh_host_dsa_key
https://target.tld/api/whitelabel/getFile?file=../../../../../../../../../../../../var/log/dpkg.log
That's all. Nothing quite impactful.
Anyway, this is an LFI and, based on the wrong belief, the impact is High, but I personally believe that the impact of LFI must be Critical.
Some examples of High-impact LFIs:
They did it on my report too:
I wanted to escalate this to Critical, so I had to find something, and it's a little difficult by brute-forcing.
I fuzzed internal endpoints with special characters and Unicode characters and I found something interesting. The * character was returning a file in every directory. (I guess it was the first file. I still don't know.)
I sent this request:
https://target.tld/api/whitelabel/getFile?file=../../../../../../../../../../../../../../../var/www/*
I got database credentials:
They were valid and I logged into the database.
Source code disclosure:
Is it still “High” baby?
The story is over here, but I found another thing about that * behavior.
It can be used like this too: /etc/apache2/*SOME-STRING
If that string matches part of the file name in that directory, it returns the file. Like these examples:
I don’t know the reason still. Please tell me if you know. :)
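An added defensive example, not code from the write-up or from the target: a getFile-style handler that refuses both the ../ traversal requests and the * / *SOME-STRING requests shown above, by allow-listing the file name and then confirming the resolved path is still inside the serving directory. The base directory, the favico file and the temp directory it lives in are constructed for the demo.

```python
import os
import re
import tempfile

# Allow-list for the ?file= value: one plain file name, no separators, no
# leading dot and no wildcard characters, so ../ traversal and the "*" /
# "*SOME-STRING" patterns from the write-up are rejected before any I/O.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

class UnsafeFileName(ValueError):
    """Requested name is outside the allow-list or outside base_dir."""

def resolve_whitelabel_file(base_dir: str, name: str) -> str:
    """Return the on-disk path for ?file=<name>, or raise if it cannot be served."""
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeFileName(name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath() collapses ../ and follows symlinks; the result must still sit
    # under base, so a symlink planted in base_dir cannot escape it either.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeFileName(name)
    if not os.path.isfile(candidate):
        raise FileNotFoundError(name)
    return candidate

def is_served(base_dir: str, name: str) -> bool:
    """True if the handler would serve the file, False if it rejects the request."""
    try:
        resolve_whitelabel_file(base_dir, name)
        return True
    except (UnsafeFileName, FileNotFoundError):
        return False

def demo() -> dict[str, bool]:
    """Constructed whitelabel directory checked against the request values above."""
    base = tempfile.mkdtemp(prefix="whitelabel-")
    with open(os.path.join(base, "favico"), "wb") as fh:
        fh.write(b"\x00\x00\x01\x00")  # constructed placeholder content
    payloads = [
        "favico",
        "../../../../../../../../../../../../etc/hosts",
        "../../../../../../../../../../../../../../../var/www/*",
        "../../../../../../../../../../../../etc/apache2/*SOME-STRING",
    ]
    return {p: is_served(base, p) for p in payloads}
```

Only the legitimate favico name is served; everything else is rejected by the allow-list before the filesystem is touched, whatever server-side mechanism was expanding the * on the real target.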
Takeaway:
- The impact of an LFI vulnerability is definitely Critical.
Reach me at:
LinkedIn:
https://www.linkedin.com/in/ali-imani-2a896a266/
Twitter:
https://twitter.com/snoopy101101
Thanks for reading. Love y’all.