LFI Bug can help you make $500 and more. (Noob-Advance)


Rishav anand

Local File Inclusion (LFI) is a web vulnerability that lets an attacker make the server include files it was never meant to serve, by controlling the path the application passes to a file-inclusion function. It can expose sensitive files and configuration details, and in some cases lead to remote code execution. Responsibly reported, it can earn significant rewards in bug bounty programs. Here is a step-by-step guide to understanding and testing for LFI ethically during bug bounty hunting.

LFI occurs when a web application dynamically includes files based on user input without proper sanitization. For example, if a URL like the one below exists:

http://example.com/index.php?page=about

If the page parameter allows you to include unintended files, this indicates a potential LFI vulnerability.

Step 1: Reconnaissance

Identify Targets:
- Look for endpoints with file inclusion functionality, such as parameters named page=, file=, document=, template=.
- Use tools like Burp Suite or ffuf to detect such parameters.

Map Application Structure:
- Understand the directory structure of the target application.
- Tools like Dirb, Gobuster, or feroxbuster can help in finding hidden directories.

Step 2: Initial Testing

Try Common Payloads:
- Inject payloads to see if the parameter is vulnerable:
  http://example.com/index.php?page=../../../../etc/passwd
- Replace ../../../../ with varying levels of directory traversal to locate files.

Detecting LFI Behavior:
- If the server responds with content from /etc/passwd or similar system files, you have confirmed an LFI vulnerability.

Step 3: Exploitation

Enumerate Files:
- Access sensitive files:
  /etc/passwd (Linux user details)
  /etc/shadow (password hashes, restricted)
  C:\Windows\win.ini (Windows configuration)

Log Poisoning:
- If direct file inclusion doesn’t lead to critical exploitation, use log poisoning to achieve remote code execution.
- Inject malicious PHP code into server logs, for example:
  User-Agent: <?php system($_GET['cmd']); ?>
- Then access the logs via the vulnerable parameter:
  http://example.com/index.php?page=../../../../var/log/apache2/access.log&cmd=ls

Session Hijacking:
- Search for application configuration files containing session details or database credentials.

Step 4: Bypassing Filters

If the application implements some basic sanitization:

Null Byte Injection:
- Append a null byte (%00) to terminate the string:
  http://example.com/index.php?page=../../../../etc/passwd%00

Double Encoding:
- Double encode the payload to bypass filters:
  ../../../../etc/passwd → %252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd

Alternate Encoding:
- Use base64 or hex encoding to obfuscate the payload.
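The inclusion mechanism from the introduction and the encoding tricks in this step are clearest from the defending side, so here is an added Python example (mine, not the article's): it decodes an include-style parameter the way a filter must (repeated percent-decoding, null-byte rejection), flags traversal attempts in constructed access-log lines, and shows a hardened path resolver. The log format, the parameter names and the base directory /srv/www/pages are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse
# Constructed access-log lines (not from any real server): a normal page,
# plain traversal, double-encoded traversal, and a null-byte suffix.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1811
10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1811
10.0.0.8 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?page=about%00.jpg HTTP/1.1" 200 512
"""

INCLUDE_PARAMS = ("page", "file", "document", "template")  # names listed above
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\|\x00|/etc/passwd|/etc/shadow|win\.ini', re.IGNORECASE)

def full_decode(value, max_rounds=3):
    """Percent-decode until stable so %252e (double encoding) becomes '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text):
    """Return (client_ip, param, decoded_value) for include parameters that look like traversal."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlparse(match.group(1)).query, keep_blank_values=True)
        for name in INCLUDE_PARAMS:
            for raw in query.get(name, []):  # parse_qs already removed one encoding layer
                decoded = full_decode(raw)
                if TRAVERSAL_RE.search(decoded):
                    hits.append((line.split()[0], name, decoded))
    return hits

def safe_include_path(base_dir, requested):
    """Reject NUL (old PHP include() truncated at it), canonicalize, refuse anything outside base_dir."""
    value = full_decode(requested)
    if "\x00" in value:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value + ".php"))
    if os.path.commonpath([base, candidate]) != base:  # escaped the pages directory
        return None
    return candidate
```

When the set of includable pages is fixed, an explicit allowlist of names is a stronger fix than path containment alone.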

Step 5: Automate Scanning

Tools:
- wfuzz: Automates fuzzing for file inclusion.
- Burp Suite Pro: Scans for vulnerable parameters.
- FuzzDB: Use predefined payloads for effective testing.
- Custom Scripts: Write Python scripts to automate repetitive tasks like traversing directories or testing payloads.

Join Bug Bounty Platforms:
- Sign up for platforms like HackerOne, Bugcrowd, or Synack.

Follow Program Guidelines:
- Ensure the program explicitly allows file inclusion testing.
- Test only within the scope defined by the program.

Report Your Findings:
- Include detailed information such as:
  steps to reproduce, impact of the vulnerability, and potential exploitation scenarios.

Claim Your Reward:
- High-impact LFI vulnerabilities often result in significant bounty rewards.

- Always respect the program’s scope and rules.
- Avoid destructive actions like deleting or modifying server files.
- Never share or sell the vulnerability details outside the bounty platform.