#BugBounty — “Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company.

Hi Guys,

This blog is about how I was able to get Remote Code Execution (RCE) from Local file inclusion (LFI) in one of the India’s property buyers & sellers company. Let’s see what was the complete scenario-

As a bugbounty hunter the most important thing that I feel is the approach which we try or follow to exploit the vulnerability and which ultimately leads to have a much more impact from the vulnerability and the same I carried here.

While searching for the vulnerabilities, I found LFI in the target site- https://www.victimsite.com/forum/attachment-serve?name=../../../../../../../../../../etc/shadow&path=. As you can see parameter “name” was vulnerable to LFI.

LFI (/etc/shadow)

I was confirmed that LFI was there and so now my target was to escalate it to get RCE. Before that, I have read many articles on how to get RCE from LFI and this one helped me a little here — https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0 . Now the idea was to get access to some file may be log files which could provide some user controller input (in order to run some command) .

So I tried reading access logs ,error logs , different location to access them.

Access Logs response

But it seems the user with which I got LFI didn’t have access to access logs files. Did a little reading,researching and I came to know that “/proc/self/fd” provides symbolic shortcut to access logs and various other system related file. So I tried reading those in search for access logs-

/proc/self files

and I run intruder over /proc/self/fd/{number} and one of the fd files provided me access to access logs —

Access log file

and what caught my attention here was “referer” header because I knew that it was something which is under user controlled input. Time to execute some command. I added ‘referer’ header in the HTTP request , set its value to system(id) and forwarded it-

LFI to RCE

and a cheerful response :)

RCE Response

So this is how I was able to get Remote code execution(RCE) from Local file inclusion(LFI)! :)


Report details-

13-April-2018 — Bug reported to the concerned company.

16-April-2018 — Bug was marked fixed.

16-April-2018 — Re-tested and confirmed the fix

Reward in progress.

Thanks for reading!

~Logicbomb ( https://twitter.com/logicbomb_1 )