Exploiting Local File Inclusion (LFI) Using PHP Wrapper
In my previous blog related to LFI, I already discussed some basic steps to achieve LFI. In this blog I explain how we can achieve LFI if there is input filtration on the server side.
Aim: Our aim is to find the admin account password of the website.
There are three tabs in the web application.
· Home
· CV
· Contact
When we click on the “home” tab, the value home travels in the URL in the page parameter. The same thing happens with the other two tabs as well.

After checking the basic functionality of the application, we try to bypass it with a basic LFI technique. I replaced the dir parameter with the “../” notation, and the application detected the attack: I got “Attack detected” on the page.

This clearly indicates that the server is detecting the ../ notation and rejecting our queries. Therefore, we have to try wrappers. Let's start with the PHP wrapper to bypass the LFI filtering.
page=php://filter/convert.base64-encode/resource=index
This payload forces PHP to base64-encode the file before it is used or rendered in the response. Now we replace the page parameter value with the payload above and check the output.
So the full URL of the application becomes:

When we intercept the above request using Burp, the intercepted request is as shown below.
Request:

Response:

Therefore, from the response, it is clear that the server is able to detect our wrapper payload.
It seems that the application is detecting “.” and “/” in the page parameter and showing an error if it finds them.
Let’s try encoding the parameter.
For URL encoding, I used a URL encoder (there are so many available on the internet).
After encoding the first time, the payload looks like:
php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php
But the URL encoder does not encode “.” and “-”, so we use the “w3schools.com” website. The encodings of “.” and “-” are “%2E” and “%2D”.
Updated URL after replacing “-” and “.” with their respective encoded notation:
php%3A%2F%2Ffilter%2Fconvert%2Ebase64%2Dencode%2Fresource%3Dindex%2Ephp
After applying the above payload in the page parameter and intercepting the request through Burp:
Request:

Response:

In the response, we again got “Attack detected”, which means that it is again rejecting our payloads. Let's try to double-encode our payload and then execute the query again.
php%25253A%25252F%25252Ffilter%25252Fconvert.base64-encode%25252Fresource%25253Dindex.php
Again we have to replace “.” and “-” with their double-encoded values, which are “%252E” and “%252D”. So the updated URL becomes:
php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dindex%252Ephp
Request:

Response:

The warning in the screenshot above says that there is no index.php, so now I have to replace index.php with cv, as this directory already exists there. So the updated URL becomes:
php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dcv
After inserting this payload in the UI, we got:

We decode the base64 string to obtain the source code of the PHP files.
<?php include("conf.inc.php"); ?>
I found one file that was included in all the files.
The script mentions a file named “conf.inc”, so now I try to fetch this file.
php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dconf
After inserting it in the browser, we got the password, but it was encoded in base64. We decoded it, and this time we were successful.
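
A detection-side view of the encoding steps above, as an added example that is not part of the original post: it percent-decodes the page parameter until the value stops changing and only then looks for a stream wrapper or ../, so the plain, single-encoded and double-encoded forms are all flagged. The host example.test, the function names and the five-round decode limit are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Patterns are matched only after the value has been fully decoded.
SUSPICIOUS = {
    "stream_wrapper": re.compile(r"^[a-z][a-z0-9.+-]*://", re.I),
    "dir_traversal": re.compile(r"\.\.[/\\]"),
}
MAX_ROUNDS = 5  # assumed bound on the decode loop


def fully_decode(value):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_url(url, param="page"):
    """Return the findings for one request URL's `param` value."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name != param:
            continue
        # parse_qsl has already removed one encoding layer; count the rest.
        text, extra = fully_decode(value)
        findings += [label for label, rx in SUSPICIOUS.items() if rx.search(text)]
        if extra:
            findings.append("multi_encoded")
    return findings


# Constructed sample requests; example.test is a placeholder host.
BASE = "http://example.test/?page="
SAMPLES = [
    "home",
    "php://filter/convert.base64-encode/resource=index",
    "php%253A%252F%252Ffilter%252Fconvert%252Ebase64%252Dencode%252Fresource%253Dcv",
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(inspect_url(BASE + value), value)
```

A page value that still contains percent-escapes after the first decode is worth reviewing on its own, because the normal tab links (home, cv, contact) never need encoding at all.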