In my previous blog related to LFI, I already discussed some basic steps to achieve LFI. In this blog I explain how we can achieve LFI when there is input filtering on the server side.
Aim: Our aim is to find the admin account password of the website.
There are three tabs in the web application.
When we click the “home” tab, the value home travels in the URL as the page parameter. The same thing happens with the other two tabs as well.
After checking the basic functionality of the application, we try to bypass it with the basic LFI technique. So I replaced the dir parameter with the “../” notation, and the application detected the attack: I got “Attack detected” on the page.
This clearly indicates that the server is detecting the ../ notation and rejecting our requests. Therefore, we have to try wrappers. Let’s start with the PHP wrapper to bypass the LFI filtering.
This payload forces PHP to base64-encode the file before it is used or rendered in the response. Now we replace the page parameter value with the above-mentioned payload and check the output.
So the full URL of the application becomes:
When we intercept the above request using Burp, the intercepted request is shown below:
From the response, it is clear that the server is able to detect our wrapper-encoded payload.
It seems that the application is detecting “.” and “/” in the page parameter and showing an error if it finds them.
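The fix a defender would want here, as an added example that is not part of the original post: the blacklist the post describes inspects the raw parameter for “.” and “/”, while a resolver that decodes the value first and then maps it to an allowlist of page names never lets the parameter reach the include call as a path. The page directory, the page names and the decode-round limit are assumptions.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed values: the page directory and page names are assumptions,
# modelled on the three-tab application the post describes.
PAGE_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home", "about", "contact"}


def naive_filter_passes(raw: str) -> bool:
    """Blacklist check of the kind the post describes: it looks for the
    literal characters '.' and '/' in the raw parameter and rejects the
    request ("Attack detected") if either is present."""
    return not any(token in raw for token in (".", "/"))


def fully_decode(raw: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so that a double- or triple-encoded value is
    checked in its final decoded form, the form the include would see."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(raw: str) -> Optional[str]:
    """Allowlist resolver: decode, reject stream wrappers and NUL bytes,
    then map the name to a known file. Anything not on the list yields
    None, so user input is never used as a path at all."""
    name = fully_decode(raw)
    if "://" in name or "\x00" in name:
        # php://, data://, file:// and similar wrappers are never page names
        return None
    if name not in ALLOWED_PAGES:
        return None
    return f"{PAGE_DIR}/{name}.php"
```

The naive check is only as good as the literal bytes it sees, so checking after full decoding and against an allowlist is what actually closes the gap.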
Let’s try encoding the parameter.
For URL encoding, I used a URL encoder (there are many available on the internet).
After encoding it once, the payload looks like: