LFi Freak – An Automated File Inclusion Exploiter

I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.

There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods.  Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.

Here is a small walkthrough of the features of the tool.

To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.

	echo "File included: ".$_REQUEST["page"]."<br>";
	$file =  $_REQUEST["page"];
	include $file;

In my case both “php://input” and data URI are possible which means the host is vulnerable to both local and remote file inclusion.

I will choose the PHP Input method and suppose I want to get the details of the victim (I currently know the victim is a Windows host). So I want to execute “systeminfo | findstr /C:”OS” to get information.

I have also included bind and reverse shells for both Windows and Linux systems.  Suppose I want to a back connection from the victim Windows host to my Linux machine, all I got to do is to choose the PHP Input method and specify the “Reverse Shell” option along with the OS. The only issue is you have to provide a direct link of the Netcat executable. I could have used PowerShell, but then this won’t work with legacy systems. To make this functionality function on modern and legacy systems I have used VBS to download the file and then execute in stealth mode.

For Linux systems I have used Python for bind and reverse shells.  This is an example where I get a back connection from the Linux host to my Windows host.

Apart from that you can also read file using PHP Filter method. But this function is not 100% working. For example suppose I want to read the /etc/passwd file. Choose option 3 and give the file location.

Here is a small video demonstrating this tool:

That is all for the walkthrough. I hope you would like this tool 🙂

Source: https://github.com/OsandaMalith/LFiFreak/

Windows Binary: http://www.mediafire.com/download/l07660857cqo9ur/LFI.exe

Linux Binary: http://www.mediafire.com/download/1m3a188637v3avo/lfi

This tool got added into the BlackArch Linux OS 🙂

This is my third addition to BlackArch. View their complete set of tools from here.

This tool was added to PentestBox: https://modules.pentestbox.com/#web-application-analysis

This tool was featured in Pentester Academy TV in 14/11/2017 after 3 years of publishing this tool 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.