VulnerableApp
VulnerableApp copied to clipboard
SasanLabs
Add Local File Inclusion Vulnerability
Hi!, I was working on the issue #286 I added the Local File Inclusion to the project:
It has two level:
- Direct url param injection
- Direct url param injection with null byte character
It works similar to Remote File Inclusion, when the user find the folder with the password file it will return the following:
When the users clicks on the hyperlink they will go to the next level:
The users can see the secret data if they successfully performs the vulnerability:
I also made some fixes, these hyperlinks were sending you to broken links when clicking on them, so I added "/ VulnerableApp" to fix them.
And the GitHub icon wasn't on the project so I added it too:
Greetings, I hope these changes are ok :)
Hi @Ivan12273,
Thanks for the PR, however, I have few suggestions:
- we should create a UI where users can give input and that input causes LFI. Something similar to what we have for Command Injection or other vulnerability levels.
- For creating a UI, we need a particular theme such that users related to real-world LFI vulnerabilities. For this, have a look at other vulnerable applications such as DVWA.
- Please add more Vulnerability levels associated with Blacklist, wrongly implemented whitelisting, different protocol bypasses, and 1 or 2 secure implementations such that we can better judge a scanner.
thanks, Karan
Hello @preetkaran20 then it would be fine if I add an input where the user write the url? I see that if I try to write an url param like this: http://localhost:9090/VulnerableApp?file=[something] the app sends me to the home view, so I was thinking on an input as the command injection one but longer where if the user types a path with a different file, the application shows the content below the input.
Hi @Ivan12273, Thanks for the PR, however, I have few suggestions:
- we should create a UI where users can give input and that input causes LFI. Something similar to what we have for Command Injection or other vulnerability levels.
- For creating a UI, we need a particular theme such that users related to real-world LFI vulnerabilities. For this, have a look at other vulnerable applications such as DVWA.
- Please add more Vulnerability levels associated with Blacklist, wrongly implemented whitelisting, different protocol bypasses, and 1 or 2 secure implementations such that we can better judge a scanner.
thanks, Karan
Hello @preetkaran20 then it would be fine if I add an input where the user write the url? I see that if I try to write an url param like this: http://localhost:9090/VulnerableApp?file=[something] the app sends me to the home view, so I was thinking on an input as the command injection one but longer where if the user types a path with a different file, the application shows the content below the input.
Didn't get your question fully, however, I would suggest not take URL as input because that doesn't seem like a real-world use case, check some applications like DVWA, etc to see how are they taking the input.
We are fine with showing the output below the input.
Hello @preetkaran20 I did something similar as DVWA, this is how it works:
I added a button for verify the URL:
For the first level if the user writes a path like this http://localhost:9090/VulnerableApp/?file=secretFiles/passwords.txt this is going to happen:
In other cases the app will show:
I was only able to add another blacklist vulnerability and a secure implementations, sorry, I hope that's okay.
Best regards!
Hello @preetkaran20 I did something similar as DVWA, this is how it works:
I added a button for verify the URL:
For the first level if the user writes a path like this http://localhost:9090/VulnerableApp/?file=secretFiles/passwords.txt this is going to happen:
In other cases the app will show:
I was only able to add another blacklist vulnerability and a secure implementations, sorry, I hope that's okay.
Best regards!
@Ivan12273, one question, Does the user need to add a query param for input? I think we should add an input box. Adding the input to query param of a single page application doesn't seems right.
Hello @preetkaran20 I did something similar as DVWA, this is how it works: I added a button for verify the URL:
@Ivan12273, one question, Does the user need to add a query param for input? I think we should add an input box. Adding the input to query param of a single page application doesn't seems right.
Alright, I will change it for an input box.
@preetkaran20 Hi again, I changed it for the input box :)
@preetkaran20 Hi again, I changed it for the input box :)
I don't think input as a URL to an application for LFI is right. It might be the case for RFI or SSRF. For LFI we just need file name only.
As we see in DVWA, a PHP file is included based on an input parameter. My suggestion is to think of a use case first. Please go through some use cases from multiple places like https://www.neuralegion.com/blog/local-file-inclusion-lfi/ or https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/.
An example use-case at the top of my mind is: Say we want to show a page with images and the image name goes as an input to the application. Now if that image name is modified then that can cause LFI.
Code:
<img src="http://localhost:8080/LFI/?filename=image1.png" />
<img src="http://localhost:8080/LFI/?filename=image2.png" />
Now in this, user can change filename as "/etc/passwd" and that can cause LFI.
You are free to ignore my suggested example usecase.
Earlier Input box suggestions was little wrong from my side as there is nothing much we can do with input box.
@preetkaran20 Hi again, I changed it for the input box :)
@preetkaran20 Hi again, I changed it for the input box :)
I don't think input as a URL to an application for LFI is right. It might be the case for RFI or SSRF. For LFI we just need file name only.
As we see in DVWA, a PHP file is included based on an input parameter. My suggestion is to think of a use case first. Please go through some use cases from multiple places like https://www.neuralegion.com/blog/local-file-inclusion-lfi/ or https://www.netsparker.com/blog/web-security/local-file-inclusion-vulnerability/.
An example use-case at the top of my mind is: Say we want to show a page with images and the image name goes as an input to the application. Now if that image name is modified then that can cause LFI.
Code:
<img src="http://localhost:8080/LFI/?filename=image1.png" /> <img src="http://localhost:8080/LFI/?filename=image2.png" />Now in this, user can change filename as "/etc/passwd" and that can cause LFI.
You are free to ignore my suggested example usecase.
Earlier Input box suggestions was little wrong from my side as there is nothing much we can do with input box.
Alright!, then you suggest an input box only for the param, I will take this usecase, it is fine?
Alright!, then you suggest an input box only for the param, I will take this usecase, it is fine?
ok, can you please check if this use-case is feasible or not? You need to do a little more research on this.
Alright!, then you suggest an input box only for the param, I will take this usecase, it is fine?
ok, can you please check if this use-case is feasible or not? You need to do a little more research on this.
Hi @preetkaran20 sorry for the delay, I did a research about this use-case, is feasible, it would be the same idea as this scenario but with an input for the images:
It occurred to me an use case where the user can change the file name of an image, for example: an user can select one image with a select input, once selected he can write in an input text the new name of the image, when the user press submit the app will show the image with a successful message. This will be the "normal" case.
In the other case, the user write a new name with a path like: "/etc/passwd", and when the user press submit the app will show the passwd info.
What do you think about this approach?
Alright!, then you suggest an input box only for the param, I will take this usecase, it is fine?
ok, can you please check if this use-case is feasible or not? You need to do a little more research on this.
Hi @preetkaran20 sorry for the delay, I did a research about this use-case, is feasible, it would be the same idea as this scenario but with an input for the images:
It occurred to me an use case where the user can change the file name of an image, for example: an user can select one image with a select input, once selected he can write in an input text the new name of the image, when the user press submit the app will show the image with a successful message. This will be the "normal" case.
In the other case, the user write a new name with a path like: "/etc/passwd", and when the user press submit the app will show the passwd info.
What do you think about this approach?
Yeah, this use case looks good however it is not very clear to me. Can you please elaborate more?
My thought was somewhat same as the example use case, i.e. we just create a gallery of images and each image is shown like <img src=http://localhost:.../LFI?param=image1.png />. If the user opens this URL directly in a new tab, the user will get the image and if the user tweaks the param value to http://localhost:.../LFI?param=/etc/password he should be able to see the contents of the directory.
Also if possible let's connect over a call to discuss? I work in IST time zone from 10 AM IST to 10 PM IST. Please let me know your preferred timings.
Alright!, then you suggest an input box only for the param, I will take this usecase, it is fine?
ok, can you please check if this use-case is feasible or not? You need to do a little more research on this.
Hi @preetkaran20 sorry for the delay, I did a research about this use-case, is feasible, it would be the same idea as this scenario but with an input for the images:
Yeah, this use case looks good however it is not very clear to me. Can you please elaborate more? My thought was somewhat same as the example use case, i.e. we just create a gallery of images and each image is shown like
<img src=http://localhost:.../LFI?param=image1.png />. If the user opens this URL directly in a new tab, the user will get the image and if the user tweaks the param value tohttp://localhost:.../LFI?param=/etc/passwordhe should be able to see the contents of the directory.Also if possible let's connect over a call to discuss? I work in IST time zone from 10 AM IST to 10 PM IST. Please let me know your preferred timings.
Hello @preetkaran20 I am so sorry, it seems that for now I will not have enough time to continue with this, I will probably be available in the future but at the moment it is complicated. If you want I can close the PR or leave it open. Sorry again I whish I could helped more :(
Hi @Ivan12273,
No problem. No need to close the PR, we will pick this issue from here only. Thanks a lot for the contribution.
thanks, Karan