I am sure you know about exploiting file inclusion vulnerabilities. In file inclusion situations in common we can read files arbitrarily in the system or remotely depending on the permissions. In PHP environments commonly we poison the log files or inject malicious PHP into the user agent header and load the “/proc/self/environ” file. However when we encounter file inclusion situations in PHP environments we can use the in-built PHP wrappers to make our exploitations much easier or perhaps bypass existing filters.
There are lot of LFI exploitation tools available but I’ve written this tool mainly focusing on the usage of “php://input”, “php://filter” and “data://” methods. Even though the title explicitly conveys “LFI Freak” this can be used for RFI vulnerabilities as well. This tool is written in Python 2.7 and I have included binaries for both Windows and Linux systems. If you are running from the source or want to modify this, you need the BeautifulSoup library.
Here is a small walkthrough of the features of the tool.
To test for local or remote file inclusions you can use the option one “Automated testing”. I am using DVWA in here. To test this tool create a small vulnerable file.
[code language=”php”]
<?php
echo "File included: ".$_REQUEST["page"]."<br>";
$file = $_REQUEST["page"];
include $file;
?>
[/code]
In my case both “php://input” and data URI are possible which means the host is vulnerable to both local and remote file inclusion.
I will choose the PHP Input method and suppose I want to get the details of the victim (I currently know the victim is a Windows host). So I want to execute “systeminfo | findstr /C:”OS” to get information.
I have also included bind and reverse shells for both Windows and Linux systems. Suppose I want to a back connection from the victim Windows host to my Linux machine, all I got to do is to choose the PHP Input method and specify the “Reverse Shell” option along with the OS. The only issue is you have to provide a direct link of the Netcat executable. I could have used PowerShell, but then this won’t work with legacy systems. To make this functionality function on modern and legacy systems I have used VBS to download the file and then execute in stealth mode.
For Linux systems I have used Python for bind and reverse shells. This is an example where I get a back connection from the Linux host to my Windows host.
Apart from that you can also read file using PHP Filter method. But this function is not 100% working. For example suppose I want to read the /etc/passwd file. Choose option 3 and give the file location.
Here is a small video demonstrating this tool:
That is all for the walkthrough. I hope you would like this tool 🙂
Source: https://github.com/OsandaMalith/LFiFreak/
Windows Binary: http://www.mediafire.com/download/l07660857cqo9ur/LFI.exe
Linux Binary: http://www.mediafire.com/download/1m3a188637v3avo/lfi
This tool got added into the BlackArch Linux OS 🙂
[tweet https://twitter.com/blackarchlinux/status/582863965308526593 ]
[tweet https://twitter.com/blackarchlinux/status/582829191688810496 ]
This is my third addition to BlackArch. View their complete set of tools from here.
This tool was added to PentestBox: https://modules.pentestbox.com/#web-application-analysis
This tool was featured in Pentester Academy TV in 14/11/2017 after 3 years of publishing this tool 🙂
2 thoughts on “LFi Freak – An Automated File Inclusion Exploiter”