5 ways to Exploit LFi Vulnerability

The aim of this article is to share how an attack on a web server can be carried out with various techniques when the server suffers from a file inclusion vulnerability. As we all know, an LFI vulnerability allows the user to include a file through the URL in the browser. In this article I have used two different platforms, bWAPP and DVWA, both of which contain a file inclusion vulnerability, and through which I have performed the LFI attack in FOUR different ways.

Basic Local File Inclusion

Open the target IP in the browser and log in to bWAPP as bee:bug. Now choose the bug "Remote & Local File Inclusion" and click on Hack.

The requested web page, which suffers from RFI and LFI vulnerabilities, now opens. There you will find a prompt to select a language from the given drop-down list; when you click the Go button, the selected language file is included via the URL. To perform basic attacks manipulate

In a basic LFI attack we can directly read the content of a file from its directory using (../) or simply (/). If you look at the screenshot below, you will see that I accessed the password file when the above URL was executed in the browser.

Null Byte

In some scenarios the basic local file inclusion attack above may not work because of a higher security level. From the image below you can see that I failed to read the password file when executing the same path in the URL. When we face this kind of problem, we go for the NULL BYTE attack.

Now turn on Burp Suite to capture the browser request: select the Proxy tab and start Intercept. Do not forget to set the browser proxy when using Burp Suite.

Now, inside Burp Suite, send the intercepted data to the Repeater.

Inside the Repeater you can analyse the sent request and the response it generates. From the screenshot it is clear that /etc/passwd is not working and I am not able to read the password file.

In the following screenshot you can see that I forwarded the request after adding a null character (%00) at the end of the directory, /etc/passwd%00, and clicked on the Go tab. On the right side of the window the password file opens as the response.

Base64 Encoded

There is another way to exploit LFI when the security level is high and you are unable to view the PHP file content: use the following PHP function.

In the screenshot you can see that the content of the password file is encoded in base64; copy the whole encoded text.

I am using Hackbar, a Firefox plugin, to decode the copied text.

A pop-up box opens; paste the copied encoded text into it and click OK.

From the given screenshot you can view the result and read the content of the password file.

PHP Input

Using the PHP input function we will execute injected PHP code to exploit the LFI vulnerability. With the help of Hackbar I am going to perform this task; first we need to load the URL of the targeted web page, as you can see in the given screenshot.

Now manipulate the above URL using a PHP input function.

Then select the checkbox to enable Post data, which will send a POST request, and add the cmd comment in the given text area as shown in the following screenshot. Finally, click on Execute.

This will show the directories of the victim PC.

Now it is time to connect to the victim through a reverse connection: open a terminal in Kali Linux and type msfconsole to start the Metasploit framework.

Copy the highlighted text shown in the window below.

Paste the copied PHP code inside the URL as shown in the image and execute it.

When the above URL is executed, the attacker gets the victim's Meterpreter session inside Metasploit.

/proc/self/environ

If the server is outdated, we can exploit it through LFI by including the /proc/self/environ file, which stores the User-Agent, and that is where we will place our PHP code to execute a CMD command.

Now start Burp Suite, capture the browser request and send the fetched data to the Repeater.

Add the cmd comment <?php system($_GET['cmd']); ?> inside the User-Agent and send the request with the GET parameter as shown in the image below. On the right side of the window you can see the highlighted result as the response.
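A defender-side counterpart to the techniques above, added here as an example and not part of the original post: a Python scanner that flags the traces each technique leaves in an Apache combined-format access log (traversal sequences, %00 null bytes, php:// wrappers, /proc/self/environ, and PHP tags in the User-Agent). The log lines, paths and IPs are constructed for the example; nothing here is from bWAPP or DVWA.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

# One indicator per technique the post walks through.
INDICATORS = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("null_byte", re.compile(r"%00|\x00")),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)")),
    ("php_wrapper", re.compile(r"php://", re.I)),
    ("proc_environ", re.compile(r"/proc/self/environ")),
]
# PHP tags in the User-Agent are the tell for the /proc/self/environ technique.
UA_PHP_RE = re.compile(r"<\?php|<\?=", re.I)


def analyze_line(line):
    """Return (ip, path, [indicators]) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip, _method, path, _status, ua = m.groups()
    # Decode twice so double-encoded traversal (%252e%252e/) is caught too;
    # the raw path is also checked so a literal %00 is not lost to decoding.
    decoded = unquote(unquote(path))
    hits = [name for name, rx in INDICATORS if rx.search(decoded) or rx.search(path)]
    if UA_PHP_RE.search(ua):
        hits.append("php_in_user_agent")
    return ip, path, hits


def find_lfi_attempts(log_text):
    """Return [(ip, path, indicators)] for every line that triggers at least one indicator."""
    results = []
    for line in log_text.splitlines():
        parsed = analyze_line(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results


# Constructed sample log: the first line is a benign request, the rest mirror the techniques above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:10:00:01 +0000] "GET /app/include.php?language=lang_en.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:02 +0000] "GET /app/include.php?language=../../../../etc/passwd%00 HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:03 +0000] "POST /app/include.php?language=php://input HTTP/1.1" 200 333 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:10:00:04 +0000] "GET /app/include.php?language=/proc/self/environ&cmd=id HTTP/1.1" 200 444 "-" "<?php system($_GET['cmd']); ?>"
"""
```

Run `find_lfi_attempts(SAMPLE_LOG)` to get three flagged requests, all from 10.0.0.9; the benign language selection on the first line is not reported.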

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadget enthusiast.

3 Comments

  1. Ankur

    Hi Raj, I tried to do null byte on DVWA but it's not working. I added %00 after etc/passwd but it's not working and I get the response as file not found. Any suggestions please.
