File Inclusion/Automated Scanning[questions]

Hey guys, can someone help me with this question?
I fuzzed this and found exposed parameters, but nothing else.

Please help me, thank you very much!

After you have found the parameter, you need to test it for vulnerability. If you know how the parameter is vulnerable, you can read the flag.

Thank you for the answer. I used ffuf to test the parameters, but I did not find this parameter.
Example: ffuf -w ./burp-parameter-names.txt:FUZZ -u '' -fs 0
In the end I cannot find this parameter, and I do not know how to deal with the problem.

-fs 0 will not work. You have to find out the size of the answer first.

Thank you very much, I succeeded.

Hi, I’m getting 200 on all requests using the LFI wordlist and tried testing some payloads, but they are not working. Not sure if this is correct or not. Need tips. Thanks.

You should pay attention to the -fs size, then you can get the correct result.

How should I find the fs size? All I can see is that they have the same file size. Thanks.

I got it now. Thanks.

I am also stuck on it. How did you find what size you have to put?

In -fs I put arg 0 or 2000; it has no reason. It gives back a huge amount of status 200 material. Help, please.

Good afternoon.
I want to share my experience of passing this room.
One of the most incomprehensible tasks in my opinion.
I had to spend a lot of time looking for a solution, which turned out to be not so much complicated as confusing.
Due to the fact that I am not a native English speaker and I have to use a translator, the meaning and essence of the question is very often lost. And in order to understand what you need, you have to try a large number of ways and methods.
When you make a request ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?FUZZ=value' -fs 2287
You get a lot of directory names. They are all Size: 2309, but 1 is different from them. Find it!
Once you’ve found it, don’t waste your time. I tried many tricks and methods of attack. Up to the use of Metasploit and an exploit for Apache.
When you have got the directory name and -fs “its size”, you can find an example from this link and use “Find its name in this list”: File Inclusion/Path traversal - HackTricks.

You can run a search with sudo ffuf -w ./LFI-Jhaddix.txt:FUZZ -u 'http://ip-server/index.php?xxxx=/.../.../.../FUZZ' -fs "found size"
In this way, you will find examples of requests that you need to enter into your browser. Don’t look for the flag right away! It’s practically meaningless until you understand what it takes.
Try getting passwd output first and make sure the query and directory traversal work!
Only then will you be able to easily find the flag.
Don’t use
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:/index.php?language=FUZZ' -fs 2287
It’s pointless. You will receive a large amount of incomprehensible information; as a result, I did not understand the meaning of this request. It gives only a general picture, but I did not find my -fs in this big list.
This meaningless output does nothing, but only takes time.
Also, I did not find even an approximately close request that could be used. It’s one thing when you already know what it looks like, another thing when you look at a long list of queries and try to apply them at random!
That’s bullshit.
curl http://<SERVER_IP>:/index.php?language=…/…/…/…/etc/apache2/apache2.conf
as well as
curl http://<SERVER_IP>:/index.php?language=…/…/…/…/etc/apache2/envvars
It also took a lot of time and I did not fully understand why they are needed in the task.
Perhaps the problem is with the translator, but in any case, in my practice, I find that my time is precious, and if I can minimize costs and make everything faster and easier, then it’s better to do so. The main thing is the result at the lowest possible cost. I value my time and it seems to me that it is better to use it to improve your skills.
Good luck.
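
The recurring question in this thread is which value to give ffuf's size filter. The following is an added example, not code from any poster: it reads a saved ffuf JSON report from an unfiltered run and picks the dominant response metric to filter on, falling back from size (-fs) to word count (-fw) or line count (-fl) when the page echoes its input. It assumes the field names of ffuf's `-of json` report; the function names and all sample data are constructed for illustration.

```python
import json
from collections import Counter

# ffuf filter flag for each response metric in its JSON report (-of json)
METRIC_FLAGS = {"length": "-fs", "words": "-fw", "lines": "-fl"}

def pick_filter(report_json, min_share=0.8):
    """Return (flag, baseline_value, outlier_inputs), or None if no metric is stable."""
    results = json.loads(report_json).get("results", [])
    if not results:
        return None
    best = None
    for metric, flag in METRIC_FLAGS.items():
        # Most common value of this metric and how much of the run it covers
        value, count = Counter(r[metric] for r in results).most_common(1)[0]
        share = count / len(results)
        if best is None or share > best[0]:
            best = (share, metric, flag, value)
    share, metric, flag, value = best
    if share < min_share:
        return None  # no dominant baseline to filter on
    outliers = [r["input"]["FUZZ"] for r in results if r[metric] != value]
    return flag, value, outliers

def make_report(rows):
    """Build a constructed report from (input, length, words, lines) tuples."""
    return json.dumps({"results": [
        {"input": {"FUZZ": name}, "status": 200, "length": n, "words": w, "lines": l}
        for name, n, w, l in rows]})

# Constructed data: every response has the same size except one.
UNIFORM = make_report([("id", 1500, 120, 40), ("page", 1500, 120, 40),
                       ("debug", 1500, 120, 40), ("q", 1500, 120, 40),
                       ("view", 1630, 131, 44)])
# Constructed data: the page echoes the parameter name, so sizes differ
# from request to request while the word count stays constant.
REFLECTED = make_report([("id", 1502, 120, 40), ("page", 1504, 120, 40),
                         ("debug", 1505, 120, 40), ("q", 1501, 120, 40),
                         ("view", 1630, 131, 44)])

if __name__ == "__main__":
    for name, report in (("uniform", UNIFORM), ("reflected", REFLECTED)):
        print(name, pick_filter(report))
```

A result of `None` means the responses have no common baseline, which is the situation where any fixed -fs value still returns a wall of status 200 lines.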