For Support and Advertisement you can contact  701491310
LFI (local File Inclusion) Injection pentesting (Full Tut)
05-17-2013, 11:41 PM,
Post: #1
Originally written by: "Fredrik Nordberg Almroth"

Local File Inclusion

As the title says, this is a "short" and descriptive guide about various methods of exploitation using a local file inclusion (LFI).

I will cover the following topics:

• Poison NULL Bytes
• Log Poisoning
• /proc/self/
• Alternative Log Poisoning
• Malicious image upload
• Injection of code by the use of e-mails
• Creativity

By: Fredrik Nordberg Almroth

So the question is: what is an LFI?

An LFI is, as the title says, a method for servers/scripts to include local files at run-time, in order to build complex systems of procedure calls.

Most of the time you find LFI vulnerabilities in the URLs of web pages, mainly because developers tend to like using GET requests when including pages. Nothing more, nothing less.

So now, let's proceed, shall we?

How do you find (fingerprint) them?

Let's say you find the following URL:

Notice that this URL goes to do.php, which is on a sub-domain of

It has several parameters for the internal do.php to parse: the not and the for variables.

Let's study them a bit more. The not variable contains the value "exist.php", and the for variable contains "real".

Now it turned pretty obvious, didn't it? The not variable seems to take another PHP file as an argument, most probably for inclusion!

Let's try to play around with it!

Now what? Let's try to tamper with the URL to see what we can do with it. Let's change the content of the not variable to "/etc/passwd" and see what happens.

Of course you can change /etc/passwd to any other file of your choice, but we'll just stick with it throughout this tutorial.

Let's check the result! If you get a result looking something like this:

ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Then, sir, you've done it correctly. You've found an LFI.


The /etc/passwd file is world-readable on *NIX systems. That means you can, with a 99% chance, read it.

Unless someone has changed the permissions or changed the open_basedir configuration. But more on that some other time!

Now let's try another scenario. Say the programmer of the website coded it like this:

<?php include("include/" . $_GET['for'] . ".php"); ?>

What would we do then? We can't read /etc/passwd because the script appends .php to the end of the file name.

What to do, what to do... Luckily for you, there's another trick here.

Poison NULL Byte.

The NULL byte is a special byte used everywhere in the background of your computer (or your target's). It's the binary representation of: 00000000. Yes, 8 zeros in binary, or the hexadecimal representation of

One of the usages of this special byte is to terminate strings. If you've been programming for a while, you must know what a string is. An amount of text! Okay, it sounds complex now, but this method is really, really simple.

To bypass the .php concatenation, we simply append after our

And hopefully, your result is once again:

root:x:0:0:root:/root:/bin/bash (…)

Awesome, we can now read any file on the server (with the privileges of the server account we've now obtained)! Now you might ask, how can we execute code through this? The answer is...

Log poisoning:

Say we're exploiting a plain, normal Apache server. By default, it creates two log files called access_log and error_log on the server.

If we tamper with those logs we can successfully plant our own PHP code on the server, which might give you remote command execution if you wish; the choice is yours.

The question is, where are those logs stored? Luckily for you, I've compiled a small list. Here you go:

C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs

Now there are two good methods for proceeding, depending on which log you choose.

The best one (in my opinion) is by accessing the error_log. This method is a little outside the box.

Say you find an LFI on this server. By simply going to this URL, PHP code will be saved in the error_log:

Now try to reach it by going here:

If your result says something like Linux, then your code execution was successful. Yeah yeah, you get the point. It gets stored in the error_log because the

<?PHP $s=$_GET;@chdir($s['x']);echo@system($s['y'])?>

file does not exist.

Method #2: accessing the access_log. It's a little bit more complicated; the best way to do this is to put PHP code in your

There's a great plug-in for Firefox called "User Agent Switcher" to do this on the fly.

Other than that, it's the same thing. Go to:

Or any other file accessible on the server, with your user-agent spoofed to your PHP snippet.

Then go to the access_log in order to execute the code, e.g.:

<<command goes here>>

Yeah sure, you're so cool, you can execute your own code! Now, let's be hardcore.

The Linux kernel is fascinating. I'm not sure if you've heard of this, but /proc/self is a symbolic link (symlink) going to the instance of the target HTTP

There are several things you can do by using this link. One is to do the access_log method, by simply spoofing your user-agent to PHP code, then trying to include /proc/self/environ.

Everyone knows that these days. That's not fun. However, your code will be executed!

Let's move on to more... uncommon methods.

You can obtain the HTTP configuration file by simply trying to include /proc/self/cmdline, because most of the time the config file is set by a command-line

A simple but cool "feature"; nothing malicious here, that's just the way it works.

What you choose to do with the config file is up to you. The log-file location(s) tend to be in there...

You've got the grip now, I'll just keep writing.

There is yet another way to resolve the log files by using this link: by simply going to the file descriptor of the log file (the running stream).

No need for you to run a dictionary attack in order to resolve the different log files or to include /proc/self/cmdline.

Now, how do we access those file descriptors? Well sir, /proc/self tends to have a directory called fd. You guessed it right: fd does stand for file descriptor. The content within fd is numeric IDs going to different open

So the easiest way for us to find it is to simply iterate our way

Sooner or later, you'll find one of the log files. By doing that you just go with the access_log or the error_log

Now seriously. Have you ever had any success with the ordinary "Log Poisoning" methods? I mean, in like 95% of the cases your requests get URI encoded, which ruins your code. So here comes an alternative method:
Alternative Log Poisoning:

Apache has the tendency to log the authorized user, if any is

The Authorization header is a part of the HTTP protocol; I bet you've seen it. It creates a prompt asking for a username and password, as htaccess does when you try to reach a protected folder. Internet Explorer makes a prompt looking like this:

Yeah, well. The username and password get sent base64 encoded with : as a separator. And as you might have figured out, the base64 won't get URI encoded! So by providing this header in your HTTP request:

Authorization: Basic

The code will stay untouched, and simply get unpacked by Apache straight into the logs. The base64 is the small PHP payload I used earlier, just with a : at the end to follow the HTTP RFCs.
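As an added defender-side example (not part of the original tutorial): a small Python scanner that reads Apache combined-format access log lines and flags the probes described in the log poisoning and alternative log poisoning sections above, i.e. requests for /etc/passwd or /proc/self, NUL bytes from a %00 null-byte trick, and PHP open tags in the User-Agent or in the remote-user field that a Basic Authorization username ends up in. The log lines are constructed samples, and the field names and thresholds are this example's own choices.

```python
import re
from urllib.parse import unquote

# Apache "combined" format. Apache does not quote the remote-user field (%u),
# so a Basic-auth username containing spaces (the Authorization trick above)
# breaks a naive \S+ match; anchor on the bracketed timestamp instead.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.*?) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Files an LFI probe typically asks for (the tutorial's own targets).
SENSITIVE = ("/etc/passwd", "/proc/self/", "/var/spool/mail", "/var/log/",
             "access_log", "error_log", "access.log", "error.log")
# PHP open tag; a bare "<?" would also flag a harmless "<?xml" in a referer.
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def classify(line):
    """Return the reasons a combined-log line looks like an LFI or log-poisoning attempt."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line (possibly an injected field)"]
    f = m.groupdict()
    reasons = []
    req = unquote(f["request"])  # %00 -> NUL, %2e%2e%2f -> ../
    if "\x00" in req:
        reasons.append("NUL byte in request (poison null byte)")
    if "../" in req or "..\\" in req:
        reasons.append("directory traversal in request")
    reasons += [f"sensitive path requested: {p}" for p in SENSITIVE if p in req]
    # Fields Apache copies verbatim into its logs: code placed there runs as
    # soon as the log file is include()d through the LFI.
    for name in ("user", "agent", "referer", "request"):
        if PHP_TAG.search(unquote(f[name])):
            reasons.append(f"PHP tag in {name} (log poisoning)")
    return reasons


def scan(lines):
    """Return (client host, reasons) for every suspicious line."""
    return [(line.split(" ", 1)[0], r) for line in lines if (r := classify(line))]


SAMPLE = [  # constructed sample lines, not copied from any real server
    '10.0.0.1 - - [17/May/2013:23:41:00 +0000] "GET /do.php?not=exist.php&for=real HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.2 - - [17/May/2013:23:42:00 +0000] "GET /do.php?not=/etc/passwd%00&for=real HTTP/1.1" 200 1337 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [17/May/2013:23:43:00 +0000] "GET /do.php?not=/proc/self/environ HTTP/1.1" 200 2048 "-" "<?php echo 1; ?>"',
    '10.0.0.4 - <?php echo 1; ?> [17/May/2013:23:44:00 +0000] "GET /private/ HTTP/1.1" 401 0 "-" "curl/7.30"',
]
```

Running `scan(SAMPLE)` reports the last three lines and their reasons; the first, a normal request, produces no finding.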
Now while we're at it, exploiting using different methods and

Why not exploit LFI with a JPG?

Malicious image upload:

Yes, you heard me. You can use a picture in order to execute code by the use of an LFI vulnerability. However, you need special software to do this for you.

The attack consists of changing the EXIF data of the image of your

Say you're exploiting a community which allows image uploads for, let's say, your avatar. By tampering with the EXIF data and by finding an LFI you can take full control! Cool, huh?

The EXIF data tends to hold the camera model, year, place, location, etc. from when the image was taken, but, as proven before, it's rather easy to tamper with.
Injection of code by the use of e-mails:

Say your target server has port 109 or 110 open (POP2 or POP3) for handling e-mails. You could send an e-mail to the HTTP server user on the target box, and then try to include /var/spool/mail/apache if it exists.

It's possible to execute through this as well. However, it's not very common to find this specific exploit. Of course, the mail you send will contain the PHP code for you to

There are literally hundreds of ways to perform this attack depending on the mail server running in the back-end. Qmail, for example, stores the incoming mails in /var/log/maillog by default, but as has been said before, this is thinking outside the

Why stop here? I'm sure the Linux kernel, IRIX, AIM, Windows, SunOS, BSD and other OSes provide yet more interesting exploit scenarios.

Do they have SSH open? If so, try to inject PHP code as the SSH username and go grab the SSH log. Will it work? Maybe?

Can the embedding of malicious content like the JPG EXIF field be done within an MP3 file? Try it yourself. Be creative.

Need help? Just ping me, Blackhat
Jabber:
ICQ: 701491310
