In this article we will go through
Local file inclusion commonly known as LFI is a code flaw that allows attacker to include internal files from the system, which leads to sensitive data disclosure and may lead to RCE.
If the app has a "dynamic file inclusion" without proper protection, an attacker can include files which the developer didn't intend to disclose.
<?php // Get input from user $file = $_GET['file']; // include the file include('public_files/'.$file)
We will pass the following value to out vulnerable parameter to get the passwd file
so let's visit the following url
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh messagebus:x:105:106::/var/run/dbus:/bin/false mysql:x:106:107:MySQL Server,,,:/var/lib/mysql:/bin/false ssh-rsa:x:1004:1004::/home/ssh-rsa:/bin/bash ...
Ok now we have successfully included an internal system file, let's exploit more.
We won't face issues extracting text files, but for non-text files (eg. PNG,JPG,RAR,ZIP) we wont be able to successfully extract the file because the server will serve stream of non printable characters, so here's the workaround for this issue using PHP filter feature
the previous url will get the file included in base64 format
Large base64 string which we can decode to get our extracted file
In order to gain RCE on the server we have set of various techniques like :
Simply if the application allows uploading files (eg. images, videos, documents, etc) in a known directory for the attacker (eg. /images ) an attacker can inject php code within the file bytes and include the malicious file to execute the injected code
Since we are able to include most of the files on the server, let's write our malicious code in one of the files to execute it later.
in this step we have to inject our malicious code into log files , we can do this easily by a simple get request through netcat
please note that we have used netcat not web browsers as we need to send our code as it is , without being URL-Enocded
as a proof of concept let's run the command
ls on the server
Let's go the vulnerable page to include server logs.
for nginx logs are by default located at: /var/log/nginx/access.log
for apache logs are by default located at: /var/log/apache2/access.log
server log location may vary depending on the server
by visiting our URL we will get the ouput of the
14 days trial , No credit card upfront , Risk free