In my previous blog on LFI, I discussed some basic steps to achieve LFI. In this blog I explain how we can achieve LFI when there is input filtering on the server side.
Aim: Our aim is to find the admin account password of the website.
There are three tabs in the web application.
When we click on the “home” tab, the value home travels in the URL in the page parameter. The same happens with the other two tabs as well.
After checking the basic functionality of the application, we try to bypass it with the basic LFI technique. So I replaced the dir parameter with the “../” notation, and the application detected the attack: I got “Attack detected” on the page.
This clearly indicates the server is detecting the ../ notation and rejecting our queries. Therefore, we have to try wrappers. Let's start with the PHP wrapper to bypass the LFI filtering.
This payload forces PHP to base64-encode the file before it is used or rendered in the response. Now we replace the page parameter value with the above-mentioned payload and check the output.
So the full URL of the application becomes:
When we intercept the above request using Burp, the intercepted request is shown below:
From the response, it is clear the server is able to detect our wrapper-encoded payload.
It seems that the application is detecting “.” and “/” in the page parameter and showing an error if it finds them.
Let’s try encoding the parameter.
For URL encoding, I used a URL encoder (there are many available on the internet).
After encoding once, the payload looks like:
But this URL encoder was not able to encode “.” and “-”, so we used the “w3schools.com” website. The encodings of “.” and “-” are “%2E” and “%2D”.
Updated URL after replacing “-” and “.” with their respective encoded notation:
After applying the above payload in the page parameter and intercepting the request through Burp:
In the response, we again got “Attack detected”, so it is again rejecting our payload. Let's try double-encoding our payload and then execute the query again.
Again we have to replace “.” and “-”, this time with their double-encoded values, which are “%252E” and “%252D”. So the updated URL becomes:
The warning in the above screenshot mentions there is no index.php, so now I have to replace index.php with give CV, as this already exists as a directory there. So the updated URL becomes:
After inserting this payload in the UI we got:
Decoding the base64 string gives the source code of the PHP file:
<?php include("conf.inc.php"); ?>
I got one file which was included in all the other files.
There is one file name mentioned in the script, “conf.inc”. So now I try to fetch this file.
After inserting it in the browser, we got the password, but it was base64-encoded. We decoded it, and this time we were successful.
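As an added example (not code from the original post or from the application described), the following PHP contrasts the kind of raw-parameter blocklist this application appears to use with an allowlist-based page include; the page names and file names are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not the target application's code. Shows why a blocklist on the
// raw "page" parameter fails against double URL encoding, and an allowlist that
// does not depend on the encoding at all. Page/file names are hypothetical.

// Weak check: looks for "." and "/" in the raw value, as the blog's target appears
// to do. PHP decodes the query string exactly once, so a value sent double-encoded
// (%252E%252E%252F ...) arrives here as "%2E%2E%2F ..." and contains neither
// character, so this check passes it.
function weak_is_attack(string $page): bool {
    return strpos($page, '.') !== false || strpos($page, '/') !== false;
}

// Hardened version: never build a file path from user input. Map the parameter to
// a fixed set of files and reject anything else, whatever encoding or wrapper it uses.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string {
    // Belt and braces: a leftover percent sequence after PHP's own decode means an
    // extra encoding layer the application never meant to accept.
    if (preg_match('/%[0-9A-Fa-f]{2}/', $page)) {
        return null;
    }
    return PAGES[$page] ?? null;   // null means "reject", never include
}

// Constructed inputs as they would appear in $_GET['page'] after PHP's single decode.
$samples = [
    'home',                       // legitimate page name
    '../conf.inc.php',            // plain traversal, caught by both checks
    '%2E%2E%2Fconf%2Einc%2Ephp',  // double-encoded in the URL, single-decoded by PHP
];

foreach ($samples as $s) {
    printf("%-28s weak:%-6s hardened:%s\n",
        $s,
        weak_is_attack($s) ? 'block' : 'ALLOW',
        resolve_page($s) ?? 'reject');
}
```

The weak check reports ALLOW for the third input while the allowlist rejects it; a detection rule that only inspects the already-decoded value has the same blind spot.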