Exploiting Local File Inclusion (LFI) Using PHP Wrapper

IN my previous blog related to LFI, I already discussed some basic steps to achieve LFI. Now in this blog I am explaining how we can achieve LFI is there is any input filtration on the server side.

Aim: Our aim is to find admin account password of the website.

There are three tabs in the web application.

· Home

· CV

· Contact

When we click on “home” tab, home variable travel in URL with page parameter. Same thing happens with other 2 parameters as well.

After checking the basic functionality of application, we try to bypass it with basic LFI technique. So I replaced dir parameter with “../” notation and the application detected the attack as, I got “Attack detected” on page.

This clearly indicates server is detecting the ../ notation and destructing our queries. Therefore, we have to try wrappers. Let start with “PHP wrapper “to bypass LFI functionality.

page=php://filter/convert.base64-encode/resource=index

This payload forces PHP to base64 encode the file before it is used or rendered in the response. Now we replace page parameter value with above-mentioned payload and check output.