Hey there guys, this is Jay Turla a.k.a shipcode again! I decided that I will be writing a series of tutorials for the web pentesting tools that are compiled in the pWeb Suite. For today our focus will be HelLFiRE, a Local File Inclusion (LFI) automation tool that is powered by Perl’s regular expressions.
To check the usage of HelLFiRE, just type ./HelLFiRE -h in your terminal emulator.
./HelLFiRE -u url
add -s seconds for sleep delay between requests.
add -a "USER AGENT" to specify USER AGENT.
./HelLFiRE -u 'http://127.0.0.1/vuln_include.php?filename=class.php' -a "Mozilla/5.0" -s 2
The pWeb suite ships with vulnerable code for you to practice your LFI skills on; it can be found under pWeb/LFi/vulnCode/vuln_include.php. If you have your Apache server running, you can copy this vulnerable file to /var/www so that it can be opened in your browser at http://127.0.0.1/vuln_include.php or http://localhost/vuln_include.php.
This is how you pass a file to include in the URL: http://localhost/vuln_include.php?filename=filename.php
In my case, I’m using class.php, which is PHP code I wrote that performs simple addition. So if I attack this URL by using HelLFiRE without adding the USER AGENT and the sleep delay between requests, I can just type in the terminal:
./HelLFiRE -u 'http://127.0.0.1/vuln_include.php?filename=class.php'
If the attack is successful, the depth and all files from /etc on the Unix or Linux/GNU system will be cloned, and they can be found under the ../logs/scans/127.0.0.1 directory. If it says “83 files raped from server”, that means it was able to copy 83 files from the /etc directory.
So if I use the command cat ../logs/scans/127.0.0.1/etc.passwd, I should be able to see something like this:
Simple yet cool tool, right? If you want to download and check this tool just click this link. Douglas (the creator) has also included a video introduction about the tools he added in pWeb suite =)
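A defender-side view of the requests described above, as an added example that is not part of the original post or the pWeb suite: Python that flags traversal-style values in query parameters of Apache access log lines. The log lines and the shape of the requests are constructed assumptions, since the post does not show HelLFiRE's actual traffic; the check keys on the decoded parameter value rather than the User-Agent or request rate because -a and -s let the tool change both.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (not captured from a real scan).
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2012:13:55:36 +0000] "GET /vuln_include.php?filename=class.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2012:13:55:38 +0000] "GET /vuln_include.php?filename=../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2012:13:55:40 +0000] "GET /vuln_include.php?filename=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 230 "-" "Mozilla/5.0"
127.0.0.1 - - [10/Oct/2012:13:55:42 +0000] "GET /vuln_include.php?filename=%252e%252e%252fetc%252fgroup%00 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 900 "-" "curl/7.0"
"""

# client IP, request target and status code from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# parent-directory hops, absolute paths, NUL bytes, or a path segment named etc
SUSPICIOUS = re.compile(r'(\.\./|\.\.\\|^/|\x00|(^|/)etc/)')

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_lfi_attempts(log_text):
    """Return {client_ip: [(status, decoded_value), ...]} for suspicious requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        ip, target, status = m.groups()
        # parse_qsl decodes once; fully_decode peels any further encoding layers
        for _name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(raw)
            if SUSPICIOUS.search(value):
                hits[ip].append((int(status), value))
    return dict(hits)

if __name__ == "__main__":
    for ip, attempts in find_lfi_attempts(SAMPLE_LOG).items():
        print(ip, len(attempts), "suspicious include requests")
        for status, value in attempts:
            print("   ", status, repr(value))
```

A 200 status next to a traversal value is the case to triage first, since it suggests the include returned content.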