TL;DR
This guide shows you how to exploit a Local File Inclusion (LFI) vulnerability in the DVWA web form. We’ll use basic techniques to read sensitive files on the server.
Prerequisites
- A running instance of DVWA (Damn Vulnerable Web Application).
- Basic understanding of HTTP requests and web forms.
Steps
- Navigate to the File Inclusion Form: In DVWA, go to ‘File Inclusion’. This is where the vulnerability exists.
- Understand the Vulnerable Parameter: The form likely has a field (e.g., ‘file’) that accepts a filename as input. The application attempts to include this file directly into its response.
- Basic LFI Payload Attempt: Start with simple payloads to test if inclusion is happening at all.
/etc/passwd
Enter this into the ‘file’ field and submit the form. If you see the contents of /etc/passwd displayed, the vulnerability is confirmed.
- Null Byte Injection (if needed): Some systems might terminate strings at a null byte (%00). Older PHP versions truncate the filename at the null byte, which drops any suffix the application appends (for example ‘.php’). Try adding this to your payload.
/etc/passwd%00
This can bypass some basic filtering mechanisms.
- Traversal with ../: Use the ‘..’ directory traversal sequence to move up in the file system.
../../../../../../etc/passwd
Adjust the number of ‘../’ sequences as needed to reach the desired file location. This attempts to navigate out of the current directory and into the root directory, then to /etc/passwd.
- Exploiting with Absolute Paths (if known): If you know the absolute path to a sensitive file, use it directly.
/var/log/apache2/access.log
Replace this with the actual path of the log file on your system.
- Exploiting with /proc/self/environ: This file contains the environment variables of the web server process, which can reveal sensitive information like database credentials.
/proc/self/environ
- URL Encoding (if needed): If special characters are causing issues, try URL encoding them. For example, ‘%2e%2e’ for ‘..’.
- Filtering Bypass Techniques: DVWA may have some basic filtering in place.
- Case Sensitivity: Try different casing (e.g., /Etc/PaSsWd). Note that this only helps when the filter is case-sensitive but the underlying filesystem is not; on a typical Linux server the file will not be found with altered casing.
- Whitespace: Add whitespace around the path (e.g., / etc/passwd ).
- Double Encoding: Encode characters multiple times.
- Read Important Files: Focus on reading files that commonly contain sensitive data:
  - /etc/passwd (User accounts)
  - /etc/shadow (Password hashes – requires appropriate permissions, often not readable directly)
  - /var/log/apache2/access.log or similar (Web server logs)
  - Configuration files for the web application (e.g., database connection strings).
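As an added illustration from the defensive side (this is not DVWA's own code): a Python model of the allowlist-plus-canonicalisation check that a bare include of the ‘file’ parameter lacks, run against the payload shapes walked through in the steps above, next to the kind of substring denylist those bypass tricks are aimed at. The page names in ALLOWED_PAGES and the base directory are assumptions.

```python
import os
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Assumption: the only pages the include is ever meant to load.
ALLOWED_PAGES = {"file1.php", "file2.php", "file3.php"}

# Constructed payloads, the shapes walked through in the steps above
# (raw query-string values, as they arrive before the server decodes them).
PAYLOADS = [
    "/etc/passwd",
    "/etc/passwd%00",
    "../../../../../../etc/passwd",
    "/var/log/apache2/access.log",
    "/proc/self/environ",
    "%2e%2e/%2e%2e/etc/passwd",
    "/Etc/PaSsWd",
    " /etc/passwd ",
    "%252e%252e/etc/passwd",
]

def denylist_filter(raw_value: str) -> bool:
    """The weak check the bypass tricks above are aimed at: accept the value
    unless the decoded string contains a known-bad substring."""
    decoded = unquote(raw_value)
    return "/etc/passwd" not in decoded and "../" not in decoded

def resolve_include(base_dir: str, raw_value: str) -> Optional[str]:
    """Hardened resolver: return the path to include, or None to refuse."""
    decoded = unquote(raw_value)          # decode exactly once, as the server does
    if "\x00" in decoded or "%" in decoded:
        return None                       # null-byte truncation / double encoding
    if decoded not in ALLOWED_PAGES:      # exact, case-sensitive allowlist
        return None
    base = os.path.realpath(base_dir)     # collapse ../, /./ and symlinks
    target = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, target]) != base:
        return None                       # resolved outside the include directory
    return target

def bypasses(base_dir: str = "/var/www/html/dvwa/vulnerabilities/fi") -> Dict[str, Tuple[bool, bool]]:
    """For each payload: (passes the denylist?, accepted by the allowlist?)."""
    return {p: (denylist_filter(p), resolve_include(base_dir, p) is not None)
            for p in PAYLOADS}

if __name__ == "__main__":
    for payload, (weak_ok, strong_ok) in bypasses().items():
        print(f"{payload!r:35} denylist={'PASS' if weak_ok else 'block'} allowlist={'PASS' if strong_ok else 'block'}")
```

Every payload is refused by the allowlist resolver, while several (the absolute paths to /proc/self/environ and the access log, and the re-cased /Etc/PaSsWd) sail through the substring denylist.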
Important Considerations
- Permissions: You can only read files that the web server process has permission to access.
- Error Messages: Pay attention to any error messages displayed by the application, as they may provide clues about filtering or file system structure.
- DVWA Security Level: The difficulty of exploiting this vulnerability increases with higher security levels in DVWA.