Hello everyone! Welcome to my very first blog post. Today, I’m thrilled to share a recent breakthrough where I transformed a Local File Inclusion (LFI) vulnerability into a Remote Code Execution (RCE) exploit. Buckle up and join me on this technical thrill ride!
While crawling a target domain (redacted.com), I noticed a peculiar URI pattern that accepted a parameter called filename to render files on the webpage. This parameter was meant to read file contents from the server’s filesystem. Intrigued, I thought, “Why not try some LFI magic here?” And BOOM!! – I successfully accessed local files!
I confirmed that the target was running on Linux by fetching the /etc/passwd file. This discovery laid the groundwork for the next phase of my investigation. 🔍
Knowing the server was Linux-based, I leveraged a comprehensive wordlist from DragonJAR’s Security Wordlist. I used the following command with ffuf to probe for accessible files:
ffuf -u 'https://redacted.com/callFile.php3?filename=../../../../../..FUZZ' -w LFI-WordList-Linux.txt -fs 11690

This approach revealed several files that the current user could access. One file, in particular, caught my attention: /proc/self/environ.
The /proc/self/environ file contains various variables, such as REMOTE_IP, REMOTE_PORT, and even USER_COOKIE—all reflecting details from the current user’s session. Interestingly, it also showed the User-Agent header from the requesting user’s request. 💡
So, I thought, “If I change the User-Agent header, will it reflect in the response?” And it was reflecting!
I saw an opportunity: since the target was built using PHP, why not inject some PHP code via the User-Agent header? I crafted a simple payload:
<?php echo system('id'); ?>

I replaced the User-Agent header with this payload, and BOOM Again!! — the response echoed the output of the id command, confirming that I had achieved Remote Code Execution! 🎉
That’s how I turned an LFI vulnerability into a full-blown RCE exploit. The process was a fascinating journey of manual exploration, strategic brute-forcing, and creative thinking.
Thank you for reading this deep dive into my bug bounty adventure. I hope you found it as exciting as I did! Stay tuned for more insights and exploits in my upcoming blogs. Until next time, happy hunting and keep exploring! 🚀🔥