Appsec · May 7, 2021

Hundred ways to exploit LFI

Recently I conducted more than 40 interviews, and while most of the candidates said they knew about LFI, many did not know the difference between directory traversal and LFI, or how to exploit an LFI.
Hence I thought of writing this blog. There are multiple ways of exploiting a Local File Inclusion vulnerability, if not a hundred. I have written this blog assuming the application is written in PHP.

  • Via data wrapper (available since PHP 5.2.0)
Payload: data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=
"PD9waHAgcGhwaW5mbygpPz4=" is the base64 encoding of <?php phpinfo()?>
  • Via file wrapper (available since PHP 5.0.0). The trick is that you have to specify the full path of the file.
  • Via expect wrapper (not enabled by default; available since PHP 4.3.0)

Example: php?page=expect://ls

  • Via input stream (available since PHP 5.0.0)

The trick is to use the php://input stream and send the payload in the POST request body.

  • Via zip wrapper (since PHP 4.3.0)
Let's say an application lets you upload only zip files; here's how you can try for LFI.
Zip your payload.php and call it via the zip wrapper.
Payload: zip://path/your.zip%23payload.php
%23 is the URL encoding of #

I have already covered the tricky techniques, and many people have already covered the techniques below, so I won't dive into details.

  • Via /proc/self/fd/

In this technique, you upload many shells and try to brute-force the number in /proc/self/fd/{number}.

/proc/self/fd/{number}

  • Via /proc/self/environ injection

In this technique, we try to include the process environment file and send the payload via the User-Agent header.

GET /vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

  • Log poisoning

There are multiple ways logs can include your payload, for example auth.log (SSH login), vsftpd.log (FTP login), and access.log (via the User-Agent header). Check which log you can include, and then proceed accordingly.

  • Email tricks

Similarly, if SMTP mail relay is allowed, you can include /var/mail/user and send a mail with your payload to that user.

  • Via PHP sessions

PHP5 stores its session files under /var/lib/php5/sess_[PHPSESSID], so you can set the cookie to your payload and include the session file by its session ID.
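On the defensive side, every technique above leaves a recognisable trace in the web server's access log: a stream wrapper scheme in a parameter value, a traversal to one of the sensitive paths, or a PHP tag staged in the User-Agent header. The following is an added example, not code from the original post, that scans constructed Apache combined-format log lines for exactly those indicators; the log lines, the function names and the indicator labels are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

# Indicators taken from the techniques above. A hit flags a request for
# review; it does not by itself prove a successful inclusion.
WRAPPER_SCHEMES = ("data:", "file:", "expect:", "zip:", "php://input")
SENSITIVE_PATHS = ("/proc/self/environ", "/proc/self/fd/", "/var/log/",
                   "/var/mail/", "/sess_")
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Combined log format: "METHOD target HTTP/x" status size "referer" "agent"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "([^"]*)"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %2523 -> %23 -> '#' is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def lfi_indicators(log_line: str) -> list:
    """Return the indicator names found in one access-log line."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    target, user_agent = m.groups()
    found = []
    for _, raw in parse_qsl(target.partition("?")[2], keep_blank_values=True):
        value = fully_decode(raw).lower()
        found += [f"wrapper:{w}" for w in WRAPPER_SCHEMES if value.startswith(w)]
        found += [f"path:{p}" for p in SENSITIVE_PATHS if p in value]
        if "../" in value or "..\\" in value:
            found.append("traversal")
    # environ/log poisoning stages the PHP payload in the User-Agent header
    if PHP_TAG.search(user_agent):
        found.append("php-tag-in-user-agent")
    return found

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [07/May/2021:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2021:10:00:02 +0000] "GET /index.php?page=data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4= HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2021:10:00:03 +0000] "GET /index.php?page=zip://uploads/a.zip%2523payload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [07/May/2021:10:00:04 +0000] "GET /vulnerable.php?filename=../../../proc/self/environ HTTP/1.1" 200 2048 "-" "<?=phpinfo(); ?>"
"""

if __name__ == "__main__":
    for n, line in enumerate(SAMPLE_LOG.splitlines(), start=1):
        print(n, lfi_indicators(line))
```

The decoder loops because the zip payload's `%23` is itself often URL-encoded again as `%2523`; a single decode would leave the `#` hidden.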
