i Local File Inclusion – Sending Emails to Remote Code Execution – All things in moderation

Local File Inclusion – Sending Emails to Remote Code Execution

Local file inclusion

Local File Inclusion (LFI) is the process of including files, that are already locally present on the server. This vulnerability occurs when a user input contains the path to the file that has to be included. When such an input is not properly sanitized, the attacker may give some default file names and access unauthorized files, or an attacker may also make use of directory traversal characters (such as dot-dot-slash) and retrieve sensitive files available in other directories.

Consider following web application: http://192.168.223.128/dvwa/vulnerabilities/fi/?page=include.php

So the first lets try getting** /etc/passwd** to confirm if its Local file inclusion or not

../ is used to get into upper(parent) Directory in linux

http://192.168.126.134/dvwa/vulnerabilities/fi/?page=../../../../etc/passwd

It worked:

From LFI to code execution by Sending Emails

This is one of the author’s favourite ways to move from an LFI to a reverse shell. This technique is one of the simplest and at the same time funniest ways to achieve our goal. All we have to do is to send an email!

A mail server hosts its emails under the /var/mail directory. Every user has a file under this directory with his username set as the filename. The user www-data will log his emails under /var/log/www-data.

Read file /var/log/www-data: http://192.168.126.134/dvwa/vulnerabilities/fi/?page=../../../../var/log/www-data

Can you imagine what will happen if we send a malicious email to that user and then include the log file via the web application? Let’s see!

On this example, we are sending an email using some application on the website. Email address or content include php code :

<?php phpinfo(); >

Send mail application: http://192.168.126.134/bWAPP/maili.php

The code is stored in the file /var/log/www-data:

By including the /var/mail/www-data in Local File Inclusion technique, we get the result of the executable code:

http://192.168.126.134/dvwa/vulnerabilities/fi/?page=../../../../var/log/www-data

In this way you can insert other php code to the file /var/mail/www-data that executes the system command to control the system.

Leave a Reply