While having a conversation with @kuldeepdotexe, he commented me that he have reported a LFI flaw in a Synack target and maybe I should take a look at a possibility to find similar flaws. After looking at the analytics of the target, @osiryszzz seemed to have reported the flaw in similar endpoints, so it came to my mind if I could replicate the flaw by fuzzing the folder name along with a different parameter name to have a full payout of the vulnerability. Thankfully after some fuzzing, a new endpoint and parameter were gathered which allowed me to report the flaw with no issues.
After looking at the vulnerable web servers in analytics, I proceed it to start fuzzing different paths who still may have the same PHP file
raft-large-words.txt wordlist with the usage of ffuf as the following:
ffuf -c -ac -v -mc all -w raft-large-words.txt -u https://ca.domain.vi/FUZZ/download.php -t 100
After fuzzing the endpoints the path
/testip/ was found. Then, in order to find a different parameter to have the vulnerability considered for acceptance as the
f parameter seemed to be reported before, so I started to fuzz for parameters while holding the same LFI payload like the following:
ffuf -c -ac -v -mc all -w raft-large-words.txt -u https://ca.domain.vi/testip/download.php?FUZZ=file:///C:/WINDOWS/System32/drivers/etc/hosts -t 100
After fuzzing for parameters, the parameter
file was found which allowed to perform the LFI flaw.
After some back to back with the VO, they accepted the flaw giving three stars to the report due to report writing.
If you see similar endpoints and flaws being reported, give it a shot to fuzz different paths and parameters which may allow you to find or replicate such a flaw. Besides that, try to get creative and place yourself in the position of the other tester and ask yourself what they have made different to allow them to find such a flaw.