I have these two LFI filters and I want to bypass them:

        <?php
        // Filter under test (as posted): strip '../' once, then keep stripping
        // until substr_count() no longer finds any, then include the result.
        $bad = str_replace('../', '', $_GET['bad']);
        while (substr_count($bad, '../', 0)) {
            $bad = str_replace('../', '', $bad);
        }
        include("./" . $bad);

I tried various ways and I was not able to bypass them. Also, the PHP wrappers are mostly used in PHP 5.* versions and before, and I have PHP version 7.6.

  • It would help if you describe what you have tried and what the response was. The obvious tactic is to simply not use `../`. What other options have you tried? – schroeder Apr 23 '21 at 07:36
  • The code has two str_replace() functions, so whenever you give ../../../etc/passwd (or any variation of that) they alter the input to /etc/passwd. I used all the possible scenarios from [payload of all things](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md) – Mike Anast Apr 23 '21 at 07:40
  • ... and if you add 3? – schroeder Apr 23 '21 at 08:33
  • You might want to try the suggestions in [this answer](https://security.stackexchange.com/a/74614/235964) – nobody Apr 23 '21 at 13:25
  • You could try to abuse the browser, which normalizes the string, so you can pass `..\\`, which will be normalized into `../`; or you can try `.;./` or `%2e%2e/` – Marco Nappi Oct 22 '21 at 06:30

2 Answers

I don't think you can do it, unless there are insecure and exploitable symlinks that allow bypassing the '../' removal filter and are reachable down from the current directory.

In other words, I believe that LFI filtering is adequate.

LSerni

The filtering method is unsafe on Windows, as ..\ won't get replaced. Also, you'll be able to include files from subdirectories, such as file.php?bad=uploads/shell.jpg

Wrappers won't work as the ./ path prefix isn't compatible with any of the wrapper URIs.

Exploitation of this would likely require multiple steps, e.g. writing PHP into a file in the same directory or a subdirectory using file upload, CSV export, temporary logs, etc.

You could also leak the content of non-PHP files, which might get you additional information to use against other parts of the application, such as a .htpasswd file for an admin interface (file.php?bad=admin/.htpasswd) or admin/sql_dump.sql, to be able to access additional functionality which may contain additional vulnerabilities.

wireghoul
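To make the two answers concrete, here is an added example (not code from the question or either answer) that emulates the posted PHP filter in Python and resolves what `include("./".$bad)` would actually open on Linux versus Windows. The document roots `/var/www/app` and `C:\inetpub\wwwroot\app`, the `PAYLOADS` list and the helper names are assumptions for the demonstration. It relies on two facts about PHP: `str_replace()` removes non-overlapping matches in a single left-to-right pass (same as Python's `str.replace`), and `$_GET` is URL-decoded exactly once before user code sees it.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Assumed document roots for the "./" prefix in include() (not from the page).
LINUX_ROOT = "/var/www/app"
WINDOWS_ROOT = r"C:\inetpub\wwwroot\app"


def php_filter(bad: str) -> str:
    """Emulate the filter posted in the question.

    PHP's str_replace() removes non-overlapping '../' matches left to right
    in one pass, and the while loop repeats until substr_count() finds none.
    Python's str.replace()/str.count() have the same semantics, so the
    '....//' trick collapses to '../' and is then removed by the loop.
    """
    bad = bad.replace("../", "")
    while bad.count("../"):
        bad = bad.replace("../", "")
    return bad


def included_path(raw_param: str, windows: bool = False) -> str:
    """Return the path that include("./".$bad) ends up opening.

    PHP URL-decodes the query string once when populating $_GET, so a single
    unquote() is applied before the filter. On Windows PHP accepts both '/'
    and '\\' as directory separators, modelled here with ntpath; on Linux a
    backslash is just a character inside one filename, modelled by posixpath.
    """
    mod = ntpath if windows else posixpath
    root = WINDOWS_ROOT if windows else LINUX_ROOT
    bad = php_filter(unquote(raw_param))
    return mod.normpath(mod.join(root, "./" + bad))


def escapes_root(raw_param: str, windows: bool = False) -> bool:
    """True when the included path resolves outside the document root."""
    mod = ntpath if windows else posixpath
    root = WINDOWS_ROOT if windows else LINUX_ROOT
    return mod.commonpath([root, included_path(raw_param, windows)]) != root


# Constructed candidate values for ?bad=..., covering the tricks discussed above.
PAYLOADS = [
    "../../../etc/passwd",               # classic traversal: stripped to etc/passwd
    "....//....//....//etc/passwd",      # double-dot trick: defeated by the loop
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",   # decoded by PHP before the filter runs
    "%252e%252e/%252e%252e/etc/passwd",  # double-encoded: survives, but as a literal name
    "..\\..\\..\\windows\\win.ini",      # backslash traversal: untouched by the filter
    "uploads/shell.jpg",                 # subdirectory include, no traversal needed
    "admin/.htpasswd",                   # leaking a non-PHP file from a subdirectory
]


def evaluate(windows: bool = False) -> dict:
    """Map each payload to (filtered value, resolved path, escapes root?)."""
    return {
        p: (php_filter(unquote(p)), included_path(p, windows), escapes_root(p, windows))
        for p in PAYLOADS
    }


if __name__ == "__main__":
    for os_name, windows in (("linux", False), ("windows", True)):
        print(f"--- {os_name} ---")
        for p, (filtered, path, escapes) in evaluate(windows).items():
            print(f"{p!r:40} -> {filtered!r:30} -> {path}  escapes_root={escapes}")
```

Running it shows that on Linux none of the traversal variants leave the root (the loop really does defeat `....//`, and percent-encoding is undone before the filter ever runs), so the remaining attack surface is exactly what the answer describes: files already reachable below the document root, such as an uploaded `uploads/shell.jpg` or `admin/.htpasswd`. On Windows the same filter lets `..\..\..\windows\win.ini` resolve to `C:\windows\win.ini`, because the filter only knows about the forward-slash form.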