Update README.md

kikisslass 2020-10-01 12:20:05 +05:30 committed by GitHub
parent 869ec53f1b
commit 1314e912e5
GPG Key ID: 4AEE18F83AFDEB23


@ -8,7 +8,7 @@
<img src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"> <img src="https://img.shields.io/github/stars/payloadbox/rfi-lfi-payload-list?style=social"> <img src="https://img.shields.io/github/forks/payloadbox/rfi-lfi-payload-list?style=social"> <img src="https://img.shields.io/github/repo-size/payloadbox/payloadbox/rfi-lfi-payload-list"> <img src="https://img.shields.io/github/license/payloadbox/rfi-lfi-payload-list"> <img src="https://img.shields.io/github/issues/detail/author//payloadbox/rfi-lfi-payload-list/1">
</p>
As with many exploits, remote and local file inclusions are only a problem at the end of the encoding. Of course it takes a second person to have it. Now this article will hopefully give you an idea of protecting your website and most importantly your code from a file iclusion exploit. Ill give code examples in PHP format.
As with many exploits, remote and local file inclusions are only a problem at the end of the encoding. Of course, it takes a second person to have it. Now, this article will hopefully give you an idea of protecting your website and most importantly your code from a file iclusion exploit. Ill give example codes in PHP format.
Lets look at some of the code that makes RFI / LFI exploits possible.
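Review bot: the `+` line leaves the sentence's actual defects in place while only adding commas, so the hunk is net-neutral for readers: "file iclusion exploit" still reads "iclusion", "Ill give" still lacks its apostrophe, and "example codes in PHP format" is less idiomatic than the "code examples in PHP format" it replaces. Suggest keeping the original wording of that clause and fixing the two typos, e.g. "...from a file inclusion exploit. I'll give code examples in PHP format." The opening claim that file inclusions "are only a problem at the end of the encoding" is unclear in both versions; if "encoding" is meant as the coding (development) phase, say that directly, since as written it reads as a statement about character encoding. The context line "Lets look" also wants an apostrophe ("Let's").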
@ -20,13 +20,13 @@ include ($ page);
?>
```
Now obviously this should not be used. The $ page entry is not fully cleared. $ page input is directed directly to the damn web page, which is a big “NO”. Always remove any input passing through the browser. When the user clicks on “File” to visit “files.php” when he visits the web page, something like this will appear.
Obviously this should not be used. The $ page entry is not fully cleared. $ page input is directed directly to the damn web page, which is a big “NO”. Always remove any input passing through the browser. When the user clicks on “File” to visit “files.php” when he visits the web page, something will appear like this.
```
http: //localhost/index.php? page = files.php
```
Now if no one has cleared the input in the $ page variable, we can have it pointed to what we want. If hosted on a unix / linux server, we can display the password as configuration files for shaded or uncleaned variable input.
Now, if no one has cleared the input in the $ page variable, we can have it pointed to what we want. If hosted on a unix / linux server, we can display the password as configuration files for shaded or uncleaned variable input.
Viewing files on the server is a “Local File Inclusion” or LFI exploit. This is no worse than an RFI exploit.
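Review bot: the `+` lines carry over the problems that actually make this section hard to use, and those are worth fixing while the README is being edited. Every occurrence of `$ page` is written with a space, which is not a valid PHP variable name (the hunk header's own context, `include ($ page);`, has the same problem), and the example URL is split as `http: //localhost/index.php? page = files.php`; both should be `$page` and `http://localhost/index.php?page=files.php` so readers can copy them. "Always remove any input passing through the browser" says remove where the point is validate: the remedy for an unsanitized `include` is to check `$page` against an allowlist of known page names (or reduce it to a basename and confirm it exists under a fixed directory) before including it, not to remove the input. The sentence "we can display the password as configuration files for shaded or uncleaned variable input" is garbled in both versions and needs rewriting; if the intent is that unsanitized input lets an attacker include password or shadow files, say that plainly. Finally, "This is no worse than an RFI exploit" reads as "LFI is less serious than RFI" when the context suggests "no less serious"; reword to whichever is meant, and consider dropping "damn" from a README.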