Multiple LFI flaws were discovered in a popular host target during QR which has been widely tested before, the web targets from the client were similar to the host targets which made easier the recon phase. In this case, four different servers were identified with the similar flaw through two parameters such as
file. Therefore, the web targets and the host targets ended up having the same root cause of the flaw.
By gathering endpoints that were reported before (see Local File Inclusion Write-Up) in analytics in the web targets, a list was gathered which contained the endpoints including the payloads for the LFI flaw as the following:
Then, by using httpx and BurpSuite, I proceeded to test the endpoints with the vulnerable IPs to send the web traffic to BurpSuite to make a better proof of concept. The following httpx command was used.
httpx -l vulnerable-ips.txt -paths vulnerable-endpoints.txt --http-proxy=http://localhost:8080
After sending the traffic through BurpSuite, this is how the proof of concept looked like which can verify the flaw by using two parameters in four different web servers among the endpoints.
After sending the report, the VO accepted it winning the QR and added an extra on the reward 30%.
For people on Synack, feel curious to test from web to host targets who may have a similar target name as they may have similar technology infrastructure which may allow you to discover similar flaws. Don’t forget to check analytics!