
Really, really good LFI list


Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Sun Mar 28, 2010 6:49 pm

Really, really good LFI list

Below is a link to my favorite LFI list. This list is a great resource when you finally get "in" and don't just want to settle for etc/passwd.

Check it out:

http://pastie.org/840199

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun Mar 28, 2010 7:02 pm

Re: Really, really good LFI list

Juicy!  Thanks!
~~~~~~~~~~~~~~
Ketchup

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sun Mar 28, 2010 9:24 pm

Re: Really, really good LFI list

Sweet!  Thanks, Jason!
~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

OSCE, OSCP, GPEN, C|EH

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sun Mar 28, 2010 11:02 pm

Re: Really, really good LFI list

I'll play the newb... What does LFI mean?
OSWP, Sec+

n1p

Jr. Member

Posts: 89

Joined: Tue Mar 16, 2010 5:31 pm

Post Mon Mar 29, 2010 2:16 am

Re: Really, really good LFI list

A nice list there! A few lines of python and that is a handy win/Linux LFI scanner.

@chrisj - LFI is Local File Inclusion - a web app vulnerability that is caused by the developer using local files within their application. Incorrectly coded, it lets an attacker read any file. Although on Linux, this is restricted to the permissions of the server. The format is something like www.ethicalhacker.net/index.php?page=comments.php. A vulnerable fopen function call in PHP would allow an attacker to enter www.ethicalhacker.net/index.php?page=../../etc/passwd to read the file on a Linux server.

There is also RFI, which is remote file inclusion and allows remote content (i.e. another site) to be included. An attacker could include a PHP shell, for example.

n1p

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Mon Mar 29, 2010 8:11 am

Re: Really, really good LFI list

Cheers n1p (and jason ofc ;)), didn't know the term yet either :)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 29, 2010 9:43 am

Re: Really, really good LFI list

Thanks Anquilas,

Correct, any server side code that will read files on the webserver and display them is an LFI.

The list contains the juicy stuff you want to get when you compromise a server this way.

It also serves as just a nice list to get when you pop a box in general =)

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Mon Mar 29, 2010 10:09 am

Re: Really, really good LFI list

I suppose such a list is ideal for making a little script that pulls all those files to your own box, so that you can quickly log off?
Or would that be bad for some reason, like having a suspicious amount of operations in a small time window? (for IDS systems or something, just guessing here)
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon Mar 29, 2010 1:01 pm

Re: Really, really good LFI list

You can write a script to take advantage of this list, certainly.  However, several tools, like Paros, Burp, WebScarab, and others have the ability to fuzz requests to a server.  You would use this list to fuzz LFI.
~~~~~~~~~~~~~~
Ketchup
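Anquilas asks above whether a script pulling every file on the list in a short window would stand out to an IDS, and Ketchup notes that fuzzers send the list the same way. Added example, not code from the thread: a small Python detector run over constructed Apache access-log lines that decodes each query parameter (including double percent-encoding), flags `../` and `..\` sequences, and reports source IPs that fire repeatedly inside a sliding time window. The log lines, the `config.php` path, the 10-second window and the threshold of 3 are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-style lines for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Mar/2010:13:01:00 +0000] "GET /index.php?page=comments.php HTTP/1.1" 200 512
10.0.0.9 - - [29/Mar/2010:13:01:01 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1432
10.0.0.9 - - [29/Mar/2010:13:01:01 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432
10.0.0.9 - - [29/Mar/2010:13:01:02 +0000] "GET /index.php?page=%252e%252e%252fconfig.php HTTP/1.1" 200 300
10.0.0.5 - - [29/Mar/2010:13:05:10 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1432
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def find_lfi_attempts(log_text):
    # Returns (ip, timestamp, param, decoded value, status) for every request whose
    # query string carries a ../ or ..\ sequence once percent-encoding is removed.
    attempts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = unquote(unquote(raw))  # parse_qsl decoded once; twice more catches %252e
            if TRAVERSAL_RE.search(value):
                attempts.append((ip, when, name, value, int(status)))
    return attempts

def burst_sources(attempts, window=timedelta(seconds=10), threshold=3):
    # IPs with at least `threshold` traversal attempts inside one sliding window,
    # the signature of a script walking a file list rather than a stray probe.
    by_ip = defaultdict(list)
    for ip, when, *_ in attempts:
        by_ip[ip].append(when)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, stamp in enumerate(stamps):
            while stamp - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

On the sample, the single decoded hit from 10.0.0.5 is reported as an attempt but only 10.0.0.9, with three hits in two seconds, crosses the burst threshold; a 200 status on a traversal request is the line worth escalating.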

Jhaddix

Sr. Member

Posts: 317

Joined: Wed Oct 29, 2008 10:25 pm

Post Mon Mar 29, 2010 1:10 pm

Re: Really, really good LFI list

Exactly... once you find your LFI you can use a bash script with curl to iterate through this list and download all files it can access.

Good times.

UNIX

Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Tue Mar 30, 2010 4:13 am

Re: Really, really good LFI list

Nice, thanks Jason.
