# Basic LFI

- Website allows us to select between English and Spanish ![[images/Pasted image 20251216200154.png]]
- We also notice that the URL includes a `language` parameter that is now set to the language we selected (`es.php`) ![[images/Pasted image 20251216200159.png]]
- The web app may be pulling the content from a different db table based on the specified parameter, or it may be loading an entirely different version of the web app
- However, as previously discussed, loading part of the page using template engines is the easiest and most common method utilized
- If the web app is truly pulling a file that is then included in the page, we may be able to change the file being pulled to read the content of a different local file
- Two common readable files that are available on most back-end servers are `/etc/passwd` on Linux and `C:\Windows\boot.ini` on Windows
- Try to replace `es.php` with `/etc/passwd` ![[images/Pasted image 20251216200351.png]]
- As we can see, the page is vulnerable

# Path Traversal

- On many occasions, web developers append or prepend a string to the `language` parameter. For example, the `language` parameter may be used for the filename and appended after a directory, as follows:

```php
include("./languages/" . $_GET['language']);
```

- In this case, if we try `index.php?language=/etc/passwd` we get an error, because the included path becomes `./languages//etc/passwd` ![[images/Pasted image 20251216200736.png]]
- We can bypass this restriction by traversing directories with relative paths: adding `../` before our file name refers to the parent directory
- For example, if the full path of the languages directory is `/var/www/html/languages/`, then using `../index.php` would refer to the `index.php` file in the parent directory (i.e. `/var/www/html/index.php`)
- We can use this trick to go back several directories until we reach the root path (i.e. `/`), and then specify our absolute file path (e.g. `../../../../etc/passwd`), and the file should exist ![[images/Pasted image 20251216200840.png]]
- If we were at the root path (`/`) and used `../`, we would still remain in the root path
- So, if we are not sure which directory the web application is in, we can add `../` many times, and it should not break the path

# Filename Prefix

- Sometimes our input may be appended after a different string
- For example, it may be used with a prefix to get the full filename, like the following example:

```php
include("lang_" . $_GET['language']);
```

- In this case, if we try to traverse the directory with `../../../etc/passwd`, the final string would be `lang_../../../etc/passwd`, which is invalid
- Here we get an error ![[images/Pasted image 20251216201336.png]]
- Instead of using path traversal directly, we can prefix a `/` to our payload; the `lang_` prefix is then treated as a directory name, so the `../` sequences that follow traverse out of it ![[images/Pasted image 20251216201435.png]]
- **Conclusion**: prepend `/` to the file inclusion payload

# Appended Extensions

- Another very common example is when an extension is appended to the `language` parameter, as follows:

```php
include($_GET['language'] . ".php");
```

- This way we would not have to write the extension every time we change the language, and it may also be safer as it may restrict us to only including PHP files
- Here, if we try to read `/etc/passwd`, the file included would be `/etc/passwd.php`, which does not exist ![[images/Pasted image 20251216201551.png]]
- There are several techniques we can use to bypass this, and we will discuss them in upcoming sections

# Second-Order Attacks

- Another common, and slightly more advanced, LFI attack is a `Second Order Attack`
- It occurs because many web application functionalities may insecurely pull files from the back-end server based on user-controlled parameters
- For example, a web application may allow us to download our avatar through a URL like `/profile/$username/avatar.png`
- If we craft a malicious LFI username (e.g. `../../../etc/passwd`), it may be possible to change the file being pulled to another local file on the server and grab it instead of our avatar
- In this case, we would be poisoning a database entry with a malicious LFI payload in our username
- Developers often overlook these vulnerabilities, as they may protect against direct user input (e.g. from a `?page` parameter) but trust values pulled from their database, like our username in this case
- If we managed to poison our username during registration, the attack would be possible

# Exercise

- Ping test ![[images/Pasted image 20251216201839.png]]
- Nmap scan ![[images/Pasted image 20251216201921.png]]
- We can select the language ![[images/Pasted image 20251216202010.png]]
- Let's try to simply replace `en.php` with `/etc/passwd`
- Nothing ![[images/Pasted image 20251216202103.png]]
- Add five `../` for good measure
- Now we are cooking ![[images/Pasted image 20251216202206.png]] ![[images/Pasted image 20251216202330.png]]
- Try to read `flag.txt` ![[images/Pasted image 20251216202402.png]] ![[images/Pasted image 20251216202417.png]]
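The checks below are an added example (in Python rather than the PHP shown in the notes, and not code from the course) of how the back end would close both holes covered above: the `?language=` include from the Path Traversal, Filename Prefix and Appended Extensions sections, and the second-order avatar path built from a database-stored username. The directory layout, the language allowlist and the username format are assumptions.

```python
import posixpath
import re
from typing import Optional

# Constructed layout for the example; a real app would derive these from its document root.
LANG_DIR = "/var/www/html/languages"
AVATAR_DIR = "/var/www/html/avatars"
ALLOWED_LANGUAGES = {"en", "es"}                  # assumed set of shipped language files
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")   # assumed username format


def resolve_within(base_dir: str, user_value: str, suffix: str = "") -> Optional[str]:
    """Join user_value (plus an optional fixed suffix) onto base_dir and return
    the normalized path only if it still lies inside base_dir, else None.
    Pure string normalization, so it runs without touching the filesystem."""
    if not user_value or "\x00" in user_value:
        return None
    candidate = posixpath.normpath(posixpath.join(base_dir, user_value + suffix))
    # A leading '/' makes join() drop base_dir entirely, and runs of '../' walk
    # out of it (even behind a 'lang_' prefix); both land outside base_dir.
    if not candidate.startswith(base_dir + "/"):
        return None
    return candidate


def language_file(language: str) -> Optional[str]:
    """Safe counterpart of include($_GET['language'] . ".php"):
    allowlist first, containment check second (defence in depth)."""
    if language not in ALLOWED_LANGUAGES:
        return None
    return resolve_within(LANG_DIR, language, ".php")


def avatar_file(username_from_db: str) -> Optional[str]:
    """Second-order case: the username arrives from the database rather than the
    request, but it originated with the user, so it gets the same treatment."""
    if not USERNAME_RE.fullmatch(username_from_db):
        return None
    return resolve_within(AVATAR_DIR, username_from_db, "/avatar.png")


if __name__ == "__main__":
    # The payload shapes from the notes; every one resolves to None here.
    for value in ["es.php", "/etc/passwd", "../../../../etc/passwd", "lang_/../../../etc/passwd"]:
        print(f"{value:>28} -> {resolve_within(LANG_DIR, value)}")
    for name in ["alice", "../../../etc/passwd"]:
        print(f"{name:>28} -> {avatar_file(name)}")
```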