I'm looking at a website that uses a URL parameter to include the current page, like http://host.tld/index.php?page=about.

If I add anything other than the current page (e.g. http://host.tld/index.php?page=test) it reflects the parameter, added with a .php and states that the resource was not found.

Here reflected XSS already works, but I'm trying to include other files. Now, if I put /etc/passwd as the parameter, it doesn't find the /etc/passwd.php file.

I've tried to add %00, %2500 and \0 to the end of the parameter, none of which works:

  • %00 throws an error:

    Warning: file_exists() expects parameter 1 to be a valid path, string given in /var/www/html/index.php on line 69

  • %2500 reflects the parameter (test) as "test%00.php"

  • \0 is simply added to the parameter when reflected, like test\0.php

The .php is not added on the client-side.

Is there any other way to exploit this to include other system files? The server response states Apache/2.4.10 (Debian).

1 Answer

Did you check if you can include a remote file (did you specify a URL as the file)? If it's a classical LFI then you might not be going far with it, because the PHP guys eventually fixed the bug with adding a %00 to cut off the string. What you can do now is scan the web server file system for PHP files. Maybe that allows you to detect new attack vectors, but as often in pentesting you have to use your creativity if you want to succeed.

  • I didn't think of that, thank you! Just tried it and it just reflects the remote file as well, e.g. `127.0.0.1:8000/index.php` – SaAtomic Oct 21 '16 at 12:48
  • Yes but you can include a file from YOUR server and thereby inject arbitrary code! Please upvote my answer if it helped you. – kaidentity Oct 21 '16 at 12:49
  • `127.0.0.1` is my server in this case, the webserver I'm attacking is in a VM. I realised that 127.0.0.1 is stupid and used the actual IP of my webserver, but then it's just reflected anyway. I can't upvote, my reputation is too low. – SaAtomic Oct 21 '16 at 12:52
  • Yes, the IP used is interpreted on the server, so 127.0.0.1 is the server itself. You need to use your real IP. – kaidentity Oct 21 '16 at 12:55
  • I hope you have approval of the owner of the website to do all this. Otherwise it is probably illegal and subject to criminal law. – kaidentity Oct 21 '16 at 12:56
  • I understand and I did, but the remote resource is just reflected on the website and my webserver shows no access activity. Thank you for your help though! – SaAtomic Oct 21 '16 at 12:57
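As an added example (not code from the question, the answer or the site being discussed), the include-with-`.php`-suffix pattern the question describes beside an allowlist version that never builds a path from the parameter; `PAGES`, `resolve_page()`, `safe_include()` and the page file names are assumptions:

```php
<?php
// Added example, not code from the question or the answer. Paths, PAGES and the
// function names are assumptions; only the include-with-".php"-suffix shape and
// the file_exists() check come from the question.

// The shape described in the question (do not use): the parameter becomes a path.
// On PHP 5.3.4 and later, filesystem functions refuse a path containing a null
// byte, which is the "expects parameter 1 to be a valid path" warning for %00;
// earlier versions truncated at the null byte and lost the ".php" suffix.
// file_exists() also cannot stat() http:// URLs, so a remote URL falls through
// to the "not found" branch, matching the comment thread.
function vulnerable_include(string $page): void {
    $path = $page . '.php';
    if (file_exists($path)) {
        include $path;
        return;
    }
    // The site in the question echoes this unescaped, hence the reflected XSS.
    echo 'Resource ' . htmlspecialchars($path, ENT_QUOTES, 'UTF-8') . ' not found';
}

// Hardened version: the user-supplied value is only ever used as an array key.
// No path is built from it, so traversal, null bytes and URL wrappers are moot.
const PAGES = [
    'home'  => 'pages/home.php',
    'about' => 'pages/about.php',
];

function resolve_page(string $page): ?string {
    // Tight character class before the lookup; anything else is a 404.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    return PAGES[$page] ?? null;
}

function safe_include(string $page): void {
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        echo 'Page not found'; // fixed message, never the raw parameter
        return;
    }
    include __DIR__ . '/' . $file;
}

safe_include($_GET['page'] ?? 'home');
```

With the allowlist in place, requests such as `?page=../../etc/passwd`, `?page=test%00` or `?page=http://attacker-host/x` all resolve to `null` and get the same fixed 404 body, so nothing about the filesystem or the parameter is reflected back.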