Testing for all LFI on OWASP-SKF

Apr 29, 2020

Welcome back my budding hackers, so this time we’ll black-box test OWASP-SKF and try to test its LFIs (local file inclusion).

LFI (case-1)

Let’s run our OWASP-SKF server for LFI.

We can see that we have a submit button and a drop-down menu as well, so let’s check them out.

On clicking the submit button and inspecting the HTML code:

We can notice that the server is referring to a file at location text/intro.txt with the file name intro.txt. Let’s try directory traversal here and check if we can exploit the LFI.

We’ll do directory traversal for /etc/passwd.

Once we do that, let’s use the drop-down option for chapter 1.

Once we click on the submit button, we have all the content of /etc/passwd.

LFI (case-2)

Let’s try to exploit it the way we did before.

We can see that we get a message “try harder”. Okay, let’s try harder then. Since our usual method is not working, the server must be filtering our “../”, and that’s the reason why we aren’t able to exploit it. Let’s have a closer look at this photo.

So we’ll use “..././” in place of “../”. Alright, let’s try this method.

Here we go, we have exploited LFI.

LFI (case-3)

Let’s try the payload that we used in case-2 here.

It says try harder, which means that the server isn’t accepting the “../” at all. What can we do now?

Let’s set up our Burp proxy and analyze the requests.

When we click on the submit button for chapter one, this is the request that we see. We can see the file path here, so let’s inject our payload here.

But before sending the request: as I said before, the server isn’t accepting “../” at all, so what we can do is encode our payload with URL encoding. We can encode it one time, two times, whatever. I have encoded it thrice here, so let’s forward this packet.

Here we go

File inclusion vulnerabilities are simple and easy to exploit, and they can actually cause damage. Check out my other blog to learn how you can execute code on a server just by exploiting an LFI vulnerability.
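Both bypasses in case-2 and case-3 work because the filter inspects the request string rather than the path the server finally opens. The Python sketch below is an added example, not the OWASP-SKF lab source or code from this post: `naive_strip` and `naive_reject` are assumed models of the filters the post infers, `/srv/app/text` is a hypothetical content directory, and `safe_resolve` is one way to check the canonical path instead.

```python
import os
from urllib.parse import unquote

# Assumed content directory for the chapter files (hypothetical path).
BASE_DIR = os.path.realpath("/srv/app/text")

def naive_strip(name):
    """Case-2 style filter (assumed): delete "../" in one pass."""
    return name.replace("../", "")

def naive_reject(name):
    """Case-3 style filter (assumed): reject a literal "../", decode afterwards."""
    if "../" in name:
        return None
    return unquote(name)

def fully_decode(name, max_rounds=5):
    """Percent-decode until the value stops changing, so nested encoding is undone."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return name
        name = decoded
    raise ValueError("too many encoding layers")

def safe_resolve(name, base=BASE_DIR):
    """Return the canonical path if it stays inside base, else raise ValueError."""
    name = fully_decode(name)
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the content directory")
    return candidate

def is_allowed(name):
    """True when safe_resolve accepts the name."""
    try:
        safe_resolve(name)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed inputs mirroring the three cases in the post.
    for sample in ["intro.txt", "../../../etc/passwd", "..././..././etc/passwd",
                   "%25252e%25252e%25252fetc%25252fpasswd"]:
        print(f"{sample!r:45} allowed={is_allowed(sample)}")
```

Because the page only offers a fixed drop-down of chapters, mapping each menu value to a fixed file name on the server side removes the user-controlled path altogether; the canonical-path check is the fallback when a free-form name is unavoidable.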