3 - Basic Bypasses

- In many cases, we may be facing a web app that applies various protections against file inclusion, so our normal LFI payloads would not work - Still, unless the web application is properly secured against malicious LFI user input, we may be able to bypass the protections in place and reach file inclusion # Non-Recursive Path Traversal Filters - One of the most basic filters against LFI is a search and replace filter, where it simply deletes substrings of (`../`) to avoid path traversals such as: ```php $language = str_replace('../', '', $_GET['language']); ``` - The above code is supposed to prevent path traversal, and hence renders LFI useless - If we try the LFI payloads we tried in the previous section, we get the following: ![[images/Pasted image 20251216202920.png]] - To bypass this filter we can use `....//` - As there is no recursive filtering, the filter would remove `../` and the output string would be `../`, which means we may still perform path traversal ![[images/Pasted image 20251216203149.png]] - Alternatively, we can also use `..././` or `....\/` and several other recursive LFI payloads - Furthermore, in some cases, escaping the forward slash character may also work to avoid path traversal filters (e.g. `....\/`), or adding extra forward slashes (e.g. `....////`) # Encoding - Some web filters may prevent input filters that include certain LFI-related characters, like a dot `.` or a slash `/` used for path traversals - However, some of these filters may be bypassed by URL encoding our input, such that it would no longer include these bad characters, but would still be decoded back to our path traversal string once it reaches the vulnerable function - Core PHP filters on versions 5.3.4 and earlier were specifically vulnerable to this bypass, but even on newer versions we may find custom filters that may be bypassed through URL encoding - URL encoding - `.` is URL encode as `%2e` - `/` is URL encoded as `%2f` - So, `../` becomes `%2e%2e%2f` - Burp can be used for URL encoding (so can other online tools) ![[images/Pasted image 20251216203523.png]] # Approved Paths - Some web applications may also use Regular Expressions to ensure that the file being included is under a specific path - For example, the web application we have been dealing with may only accept paths that are under the `./languages` directory, as follows: ```php if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) { include($_GET['language']); } else { echo 'Illegal path specified!'; } ``` - To find the approved path, we can examine the requests sent by the existing forms, and see what path they use for the normal web functionality - Furthermore, we can fuzz web directories under the same path, and try different ones until we get a match - To bypass this, we may use path traversal and start our payload with the approved path, and then use `../` to go back to the root directory and read the file we specify, as follows ![[images/Pasted image 20251216203649.png]] # Appended Extensions - As discussed in the previous section, some web applications append an extension to our input string (e.g. `.php`), to ensure that the file we include is in the expected extension - With modern versions of PHP, we may not be able to bypass this and will be restricted to only reading files in that extension, which may still be useful, as we will see in the next section - There are a couple of other techniques we may use, but they are obsolete with modern versions of PHP and only work with PHP versions before 5.3/5.4 ## Path Truncation - In earlier versions of PHP, defined strings have a maximum length of 4096 characters, likely due to the limitation of 32-bit systems - If a longer string is passed, it will simply be `truncated`, and any characters after the maximum length will be ignored - Furthermore, PHP also used to remove trailing slashes and single dots in path names, so if we call (`/etc/passwd/.`) then the `/.` would also be truncated, and PHP would call (`/etc/passwd`). - PHP, and Linux systems in general, also disregard multiple slashes in the path (e.g. `////etc/passwd` is the same as `/etc/passwd`) - Similarly, a current directory shortcut (`.`) in the middle of the path would also be disregarded (e.g. `/etc/./passwd`) - If we combine both of these PHP limitations together, we can create very long strings that evaluate to a correct path - Whenever we reach the 4096 character limitation, the appended extension (`.php`) would be truncated, and we would have a path without an appended extension - Finally, it is also important to note that we would also need to start the path with a non-existing directory for this technique to work - An example of such payload would be the following: ```url ?language=non_existing_directory/../../../etc/passwd/./././././ REPEATED ~2048 times] ``` - We don't have to manually type `./` 2048 times (total of 4096 characters), but we can automate the creation of this string with the following command: ```bash echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done non_existing_directory/../../../etc/passwd/./././<SNIP>././././ ``` ## Null Bytes - PHP versions before 5.5 were vulnerable to `null byte injection`, which means that adding a null byte (`%00`) at the end of the string would terminate the string and not consider anything after it. This is due to how strings are stored in low-level memory - To exploit this vulnerability, we can end our payload with a null byte (e.g. `/etc/passwd%00`), such that the final path passed to `include()` would be (`/etc/passwd%00.php`) - This way, even though `.php` is appended to our string, anything after the null byte would be truncated, and so the path used would actually be `/etc/passwd`, leading us to bypass the appended extension # Exercise - Ping test ![[images/Pasted image 20251216205044.png]] - Nmap scan![[images/Pasted image 20251216205051.png]] - Visit page > we have another language selection drop down ![[images/Pasted image 20251216205430.png]] - Illegal path error with a prepended `languages/` ![[images/Pasted image 20251216205523.png]] - Try prepended `languages/` - We have working LFI ![[images/Pasted image 20251216211241.png]] - Grab flag ![[images/Pasted image 20251216211308.png]]