Beruflich Dokumente
Kultur Dokumente
HOME BLOG
for LFI vulnerabilities, a good example would be the following PHP script Nmap Cheat
foo.php?file=image.jpg which takes image.jpg as a parameter. An Sheet
attacker would simply replace image.jpg and insert a payload. Normally a Linux Commands
directory traversal payload is used that escapes the script directory and Cheat Sheet
traverses the lesystem directory structure, exposing sensitive les such as More
foo.php?file=../../../../../../../etc/passwd or sensitive les within
WALKTHROUGHS
the web application itself. Exposing sensitive information or con guration les
containing SQL usernames and passwords.
InsomniHack CTF
Note: In some cases, depending on the nature of the LFI vulnerability its Teaser - Smartcat2
possible to run system executables. Writeup
https://highon.coffee/blog/lfi-cheat-sheet/ 1/8
7/28/2017 LFI Cheat Sheet
Below is the error received if the PHP expect wrapper is disabled: SECURITY
HARDENING
Warning: include(): Unable to find the wrapper "expect" - did you forget to enable it when you
Security Harden
CentOS 7
More
PHP Wrapper php:// le
/DEV/URANDOM
Another PHP wrapper, php://input your payload is sent in a POST request
using curl, burp or hackbar to provide the post data is probably the easiest
MacBook - Post
option.
Install Con g +
Apps
More
OTHER BLOG
https://highon.coffee/blog/lfi-cheat-sheet/ 2/8
7/28/2017 LFI Cheat Sheet
Then try and download a reverse shell from your attacking machine using:
http://192.168.155.131/fileincl/example1.php?page=php://filter/convert.base64-encode/resource
This method is a little tricky as the proc le that contains the Apache error log
information changes under /proc/self/fd/ e.g. /proc/self/fd/2 ,
/proc/self/fd/10 etc. Id recommend brute forcing the directory structure
of the /proc/self/fd/ directory with Burp Intruder + FuzzDBs LFI-FD-Check.txt
list of likely proc les, you can then monitor the returned page sizes and
investigate.
Fimap exploits PHPs temporary le creation via Local File Inclusion by abusing
PHPinfo() information disclosure glitch to reveal the location of the created
temporary le.
If a phpinfo() le is present, its usually possible to get a shell, if you dont know
the location of the phpinfo le map can probe for it, or you could use a tool
like OWASP DirBuster.
Enjoy.
https://highon.coffee/blog/lfi-cheat-sheet/ 4/8
7/28/2017 LFI Cheat Sheet
Follow Arr0way
Twitter GitHub
Also...
kali linux HowTo: Kali Linux Chromium Install for Web App Pen Testing
https://highon.coffee/blog/lfi-cheat-sheet/ 5/8
7/28/2017 LFI Cheat Sheet
Proudly hosted by
The contents of this website are
2017 HighOn.Coffee
https://highon.coffee/blog/lfi-cheat-sheet/ 6/8
7/28/2017 LFI Cheat Sheet
https://highon.coffee/blog/lfi-cheat-sheet/ 7/8
7/28/2017 LFI Cheat Sheet
https://highon.coffee/blog/lfi-cheat-sheet/ 8/8