Exploiting Local File Inclusion (LFI) Using PHP Wrapper

In my previous blog on LFI I covered the basic steps to achieve it. In this blog I explain how LFI can still be achieved when there is input filtering on the server side.

Aim: to find the admin account password of the website.

There are three tabs in the web application.

· Home

· CV

· Contact

When we click the “home” tab, the value home travels in the URL as the page parameter. The same happens for the other two tabs.


After checking the basic functionality of the application, we try the basic LFI technique: I replaced the dir parameter value with “../” notation, and the application detected it, returning “Attack detected” on the page.


This clearly indicates the server detects the ../ notation and rejects our requests. So we have to try wrappers; let's start with the PHP filter wrapper to bypass the LFI protection.

page=php://filter/convert.base64-encode/resource=index

This payload makes PHP base64-encode the file before it is included or rendered in the response, so the source is returned instead of being executed. Now we replace the page parameter value with this payload and check the output.

The full application URL then carries this payload as the page value.


We intercept the above request using Burp; the intercepted request and response are shown below.

Request:


Response:


From the response it is clear the server is able to detect our wrapper payload as well.

It seems the application detects “.” and “/” in the page parameter and shows an error if it finds them.

Let's try URL-encoding the parameter.

For URL encoding I used an online URL encoder (there are many available on the internet).

After the first encoding the payload looks like:

php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php

But the URL encoder does not encode “.” and “-”, so we looked them up on the w3schools.com site: the encodings of “.” and “-” are “%2E” and “%2D”.

The updated payload after replacing “-” and “.” with their encoded forms:

php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%2Fresource%3Dindex%2Ephp

After applying the above payload in the page parameter and intercepting the request through Burp:

Request:

Response:


In the response we again got “Attack detected”, so the filter still catches our payload: the web server decodes the parameter once before the check sees it, so a single layer of encoding changes nothing. Let's double-encode the payload and send the request again.

php%25253A%25252F%25252Ffilter%25252Fconvert.base64-encode%25252Fresource%25253Dindex.php

Again we replace “.” and “-” with their double-encoded values, “%252E” and “%252D”. The updated payload becomes:

php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dindex%252Ephp

Request:


Response:


The warning in the above screenshot says there is no index.php, so I replace index.php with cv, since that page already exists there. The updated payload becomes:

php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dcv

After inserting this payload in the UI we got a base64 string back.


Decoding the base64 string gives the source code of the PHP file:

<?php include("conf.inc.php"); ?>

One file, conf.inc.php, is included by every page. So now I try to fetch that file:

php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dconf

After requesting it in the browser we got the password back, base64-encoded. We decoded it, and this time we were successful.
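Why the double-encoded payload slipped past the “.” and “/” check, and what a safe version of that check looks like, as an added Python example that is not part of the original post. It assumes the request path decodes the parameter once in the web server and once more in the application before include(), and that the only legitimate page names are the three tabs; the encoded values are the payloads from the write-up.

```python
from urllib.parse import unquote

# Page names the application legitimately serves (assumed from the three tabs).
ALLOWED_PAGES = {"home", "cv", "contact"}

# Constructed sample values of the page parameter as sent on the wire: the
# single- and double-encoded wrapper payloads from the write-up.
SINGLE_ENCODED = "php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%2Fresource%3Dindex%2Ephp"
DOUBLE_ENCODED = "php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dcv"


def blocklist_filter(received: str) -> bool:
    """The kind of check the write-up defeats: it looks at the value after the
    web server's single URL-decode and blocks it if '.' or '/' is present."""
    return "." in received or "/" in received


def vulnerable_pipeline(raw_param: str) -> str:
    """Assumed model of the vulnerable request path: the server decodes the
    query string once, the blocklist runs, then the application decodes the
    value a second time before handing it to include(). Returns 'blocked' or
    the string that would reach include()."""
    received = unquote(raw_param)      # first decode, done by the web server
    if blocklist_filter(received):
        return "blocked"
    return unquote(received)           # second decode, done by the application


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the value stops changing, so that '/', '%2F' and
    '%252F' all compare equal. The round cap bounds the work on deliberately
    deep encodings."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def allowlist_resolve(raw_param: str):
    """Defensive replacement: canonicalize first, then accept only a known page
    name. Anything else, wrapper or traversal alike, yields None and the caller
    serves an error instead of calling include()."""
    name = canonicalize(raw_param).lower()
    return name if name in ALLOWED_PAGES else None
```

The single-encoded payload is blocked because the server's one decode exposes the slashes, while the double-encoded one reaches include() as a full php://filter URL; the allowlist version rejects both because it compares canonical values against known names rather than hunting for bad characters.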

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
