I just want to share my recent finding of LFI (Local File Inclusion) on Redacted.com. It was a private program on Bugcrowd.
According to OWASP,
Local File Inclusion (also known as LFI) is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in the application.
Consider the code snippet below:
<?php include($_GET['page'] . '.php'); ?>
It can be exploited with http://127.0.0.1/lfi.php?page=../../../../etc/passwd
The HTTP response will then contain the contents of the /etc/passwd file.
Now I will tell you how I got the LFI on redacted.com. It was a kind of static website. I never thought that I would end up with a P1 vulnerability. So I fired up Burp and started browsing the website. After some time, when I was checking all the responses in Burp, one URL got my attention. The URL was like
I tried with file:///etc/passwd. I got a response like this:
WAF be like
The WAF was blocking some well-known keywords like passwd, hosts, ssh and log. After that, I tried with file:///etc/group and got a successful response.
It was enough for a POC, and within a few hours they fixed it and rewarded me with a bounty of $1000. So always try all possible ways until you succeed. Thank you all for your support. Happy hunting ❤
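The vulnerable one-liner above and the keyword blocklist described in the story make the same point from the defender's side: a WAF that blocks "passwd" but not "group" is filtering strings, while the application is still handing attacker-controlled input to include(). The fix is to stop building paths from untrusted input altogether. The following is an added example, not code from the original post or from the program that was tested: the page name is checked against an allowlist, and the resolved path is additionally confined to the pages directory with realpath(). The pages directory, the page names and the sample inputs are assumptions for illustration; run it from the command line to see which inputs are accepted.

```php
<?php
// Added example (not code from the original post or the redacted program):
// a safer replacement for include($_GET['page'] . '.php'). The pages directory,
// the page names and the sample inputs below are assumptions for illustration.
declare(strict_types=1);

/**
 * Resolve a user-supplied page name to an absolute template path, or return
 * null if it must be rejected. Two independent checks:
 *   1. an allowlist of known page names (the real fix: untrusted input never
 *      becomes part of a path, so there is no keyword blocklist to bypass);
 *   2. a realpath() containment check as defence in depth.
 * The allowlist runs first, so scheme prefixes, traversal sequences and null
 * bytes never reach the filesystem functions at all.
 */
function resolvePage(string $requested, string $pagesDir, array $allowed): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must live directly under the pages directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$allowedPages = ['home', 'about', 'contact'];

if (PHP_SAPI === 'cli') {
    // Offline demonstration: create a throwaway pages directory with one
    // template and run constructed inputs through the resolver.
    $pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
    mkdir($pagesDir, 0700, true);
    file_put_contents($pagesDir . '/home.php', "<?php echo \"home page\\n\";\n");

    $inputs = [
        'home',                     // allowed and present: accepted
        'about',                    // allowed but no template on disk: rejected
        '../../../../etc/passwd',   // classic traversal: rejected by the allowlist
        'file:///etc/passwd',       // the payload the WAF in the story caught
        'file:///etc/group',        // the payload the WAF missed: rejected here too
        "home\0",                   // null byte: rejected before realpath() sees it
    ];
    foreach ($inputs as $input) {
        $result = resolvePage($input, $pagesDir, $allowedPages);
        printf("%-28s => %s\n", addcslashes($input, "\0"),
            $result === null ? 'rejected' : 'include ' . basename($result));
    }

    unlink($pagesDir . '/home.php');
    rmdir($pagesDir);
    exit;
}

// Web request handling: anything not on the allowlist becomes a 404.
$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$template = resolvePage($requested, __DIR__ . '/pages', $allowedPages);
if ($template === null) {
    http_response_code(404);
    echo 'Unknown page';
    exit;
}
include $template;
```

Only the first input is accepted; both file:// payloads, the traversal string and the null-byte variant are rejected by the same allowlist check, which is what makes this approach robust where a keyword blocklist was not. The realpath() check is kept as a second layer in case the allowlist is ever widened to something less strict than fixed names.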
Reported on 18th May 2019
Triaged on 18th May 2019
Rewarded $1000 on 18th May 2019