#BugBounty — “Journey from LFI to RCE!!!”-How I was able to get the same in one of India’s popular property buy/sell companies.
Hi Guys,
This blog is about how I was able to get Remote Code Execution (RCE) from Local File Inclusion (LFI) in one of India’s property buying and selling companies. Let’s see what the complete scenario was:
As a bug bounty hunter, the most important thing, I feel, is the approach we follow to exploit a vulnerability, which ultimately leads to a much greater impact from it, and that is what I carried out here.
While searching for vulnerabilities, I found an LFI on the target site: https://www.victimsite.com/forum/attachment-serve?name=../../../../../../../../../../etc/shadow&path=. As you can see, the “name” parameter was vulnerable to LFI.
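The root cause of an endpoint like the one above is that user-controlled path segments are joined straight into a filesystem path. The following added example (not code from the original post or from the affected site, whose real implementation is unknown) shows that flawed pattern next to a hardened version that canonicalizes the path and rejects anything resolving outside an attachment directory. The directory name `ATTACHMENT_ROOT` and the function names are assumptions for illustration.

```python
import os

# Directory attachments may be served from (assumed; the real site's layout is not known).
ATTACHMENT_ROOT = "/var/www/forum/attachments"


def serve_attachment_vulnerable(name: str, path: str = "") -> str:
    """Mirrors the flawed pattern: 'name' and 'path' come straight from the query string
    and are joined into a filesystem path. A '../' sequence in 'name' walks out of the
    attachment directory, and an absolute 'name' discards the root entirely."""
    return os.path.normpath(os.path.join(ATTACHMENT_ROOT, path, name))


def serve_attachment_hardened(name: str, path: str = "") -> str:
    """Resolve the candidate path (symlinks and '..' included) and refuse anything that
    does not stay inside the attachment root."""
    root = os.path.realpath(ATTACHMENT_ROOT)
    candidate = os.path.realpath(os.path.join(root, path, name))
    # commonpath compares whole path components, so a sibling such as
    # '/var/www/forum/attachments_old' is correctly rejected (a startswith() check would not).
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PermissionError("attachment path escapes the attachment root")
    return candidate


def is_safe_attachment(name: str, path: str = "") -> bool:
    """Convenience wrapper: True when the hardened resolver accepts the request."""
    try:
        serve_attachment_hardened(name, path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    probe = "../../../../../../../../../../etc/shadow"  # traversal string from the write-up
    print("vulnerable resolves to:", serve_attachment_vulnerable(probe))
    print("hardened accepts it?  ", is_safe_attachment(probe))
    print("hardened accepts report.pdf?", is_safe_attachment("report.pdf"))
```

Note that `realpath()` resolves symlinks as well as `..`, which matters because `/proc/self/fd/N` entries are exactly such symlinks; a check on the raw string would let them through.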
I had confirmed that the LFI was there, so now my goal was to escalate it to RCE. Before that, I had read many articles on how to get RCE from LFI, and this one helped me a little here — https://medium.com/@p4c3n0g3/lfi-to-rce-via-access-log-injection-88684351e7c0 . Now the idea was to get access to some file, maybe log files, which could contain some user-controlled input (in order to run a command).
So I tried reading access logs and error logs from the different locations where they are usually stored.
But it seemed the user under which I got the LFI didn’t have access to the access log files. After a little reading and researching, I came to know that “/proc/self/fd” provides symbolic links to the access logs and various other system-related files. So I tried reading those in search of the access logs:
I ran Intruder over /proc/self/fd/{number}, and one of the fd entries gave me access to the access logs —
What caught my attention here was the “referer” header, because I knew it was something under the user’s control. Time to execute a command. I added a ‘referer’ header to the HTTP request, set its value to system(id) and forwarded it:
and a cheerful response :)
So this is how I was able to get Remote Code Execution (RCE) from Local File Inclusion (LFI)! :)
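Every step of the chain above leaves a trace in the very access log that gets poisoned: the traversal string in the request line, the `/proc/self/fd/N` enumeration, and a PHP open tag in the Referer header. The following added example (not from the original post) scans combined-format access log lines for those indicators; it goes a little beyond the write-up by URL-decoding the request first, so encoded traversal such as `..%2F` is caught too. The sample lines, IP addresses (documentation ranges) and timestamps are constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" log format; each named group is one field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Request-line indicators: traversal (matched after URL decoding), the /proc/self
# shortcut used to reach the log, and files that only appear in a URL when probing.
TRAVERSAL_RE = re.compile(r'\.\./|/proc/self/|/etc/(?:passwd|shadow)', re.IGNORECASE)

# Header indicators: a PHP open tag has no business in a Referer or User-Agent.
PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)

# Constructed sample lines (not taken from the original post).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Apr/2018:10:00:01 +0530] "GET /forum/attachment-serve?name=report.pdf&path= HTTP/1.1" 200 5120 "https://www.victimsite.com/forum/" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2018:10:00:02 +0530] "GET /forum/attachment-serve?name=../../../../etc/shadow&path= HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2018:10:00:03 +0530] "GET /forum/attachment-serve?name=..%2F..%2F..%2Fproc/self/fd/9&path= HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Apr/2018:10:00:04 +0530] "GET / HTTP/1.1" 200 300 "<?php system(\'id\'); ?>" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def analyze_line(line: str):
    """Return a list of (reason, offending_field) tuples for one log line; [] if clean.
    Unparseable lines are reported rather than silently dropped."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparseable", line)]
    findings = []
    request = unquote(m.group("request"))  # decode %2F, %2E etc. before matching
    if TRAVERSAL_RE.search(request):
        findings.append(("path traversal / sensitive file in request", m.group("request")))
    for field in ("referer", "ua"):
        if PHP_TAG_RE.search(m.group(field)):
            findings.append((f"php tag in {field} (log poisoning)", m.group(field)))
    return findings


def scan(lines):
    """Scan many lines and group reasons by source IP so a noisy client stands out."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        ip = m.group("ip") if m else "<unparsed>"
        for reason, _value in analyze_line(line):
            hits.setdefault(ip, []).append(reason)
    return hits


if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG).items():
        print(ip, "->", reasons)
```

Running this over the constructed lines flags the single probing client three times and the unparseable line once, while the ordinary attachment download is left alone. In practice the same rules belong in the log pipeline rather than a one-off script, and a hit on the Referer rule should trigger a review of any include-style endpoint that can read the log.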
Report details-
13-April-2018 — Bug reported to the concerned company.
16-April-2018 — Bug was marked fixed.
16-April-2018 — Re-tested and confirmed the fix
Reward in progress.
Thanks for reading!
~Logicbomb ( https://twitter.com/logicbomb_1 )