Common Files

Common Files, better known as Local File Inclusion (LFI), is a vulnerability that allows attackers to retrieve or execute server-side files. It arises when the developer allows unsanitised user-supplied input to reach the functions used to open, read or display the contents of files.

A typical example is a developer passing a GET variable straight into PHP's include function to select which page to show. Below is a sample script we wrote as a proof of concept for LFI; we also took a screenshot of this vulnerable page being used for a directory traversal to the /etc/passwd file on a Linux web server:

<!DOCTYPE HTML>
<html>
<head>
<style type="text/css" media="screen">
body{
background: black;
color: limegreen;
text-shadow: 0 0 5px;
}
h2{
color:blue;
}
</style>
</head>

<body>
<h2>I am vulnerable to Local File Inclusion (LFI) with filename.php?lol= :P</h2>

<?php
// Jay Turla made this script vulnerable

// The value of ?lol= is passed to include() without any validation,
// so any readable path on the server (e.g. ../../etc/passwd) can be included.
include($_GET['lol']);

?>
</body>
</html>

The same trick works for log files and configuration files, which can be used for information gathering and for probing the web server.
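The fix is to never let user input name a file. The script below is an added example written for this post, not the original vulnerable script or any Panoptic code: it replaces include($_GET['lol']) with an allowlist of page names plus a realpath() containment check. The pages directory, the page names and the parameter name "page" are assumptions made for the example.

```php
<?php
// Added example (not from the original post): a hardened replacement for
// include($_GET['lol']). The pages directory and page names are assumptions.
const PAGES_DIR = __DIR__ . '/pages';

// Only these logical names may be included; the user never supplies a path.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $name): ?string
{
    // 1. Allowlist: anything that is not a known key is rejected. This alone
    //    blocks "../" traversal, null bytes, php:// wrappers and remote URLs.
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    $candidate = PAGES_DIR . '/' . ALLOWED_PAGES[$name];

    // 2. Defence in depth: canonicalise both paths and confirm the target
    //    still sits under PAGES_DIR, so a bad allowlist entry cannot escape.
    $base = realpath(PAGES_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// ?page[]=x would arrive as an array; only plain strings are considered.
$raw  = $_GET['page'] ?? 'home';
$page = is_string($raw) ? resolve_page($raw) : null;

if ($page === null) {
    http_response_code(404);
    // Log the rejected value for detection, but never echo it back unescaped.
    error_log('LFI attempt blocked: ' . var_export($raw, true));
    exit('Page not found');
}
include $page;
```

Rejected requests land in the web server's error log, which is where a defender would watch for traversal strings such as ../../etc/passwd being tried against the page parameter.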

Now, it takes a lot of time to guess the files on the server and append each file path to the vulnerable page by hand, so automating this kind of penetration test and information gathering would be awesome. We actually found a new tool that has recently been made public, and it's called Panoptic!

Panoptic is a Python tool written by Roberto Salgado with the collaboration and help of Miroslav Stampar, one of the developers of sqlmap. It searches a web server for commonly known files such as configuration files, logs and histories through the Local File Inclusion vulnerability.