File Inclusion / Directory Traversal
Blog The Proc File System
LFI
PHP provides various wrappers, which can be used for easier access to files, protocols, or streams. A list of wrappers can be found here. The php://
wrapper is enabled by default and interacts with IO streams.
PHP filter to convert file contents to Base64
PHP filter to convert file contents to ROT13
Command execution with PHP Expect
wrapper
Expect
wrapperUsing PHP Input
wrapper for command execution
Input
wrapper for command executionCommand execution with the PHP Zip
wrapper
Zip
wrapperThe Proc File System
Directory | Description |
---|---|
/proc/sched_debug | This is usually enabled on newer systems, such as RHEL 6. It provides information as to what process is running on which cpu. This can be handy to get a list of processes and their PID number. |
/proc/mounts | Provides a list of mounted file systems. Can be used to determine where other interesting files might be located |
/proc/net/arp | Shows the ARP table. This is one way to find out IP addresses for other internal servers. |
/proc/net/route | Shows the routing table information. |
/proc/net/tcp and /proc/net/udp | Provides a list of active connections. Can be used to determine what ports are listening on the server |
/proc/net/fib_trie | This is used for route caching. This can also be used to determine local IPs, as well as gain a better understanding of the target’s networking structure |
/proc/version | Shows the kernel version. This can be used to help determine the OS running and the last time it’s been fully updated. |
Directory | Description |
---|---|
/proc/[PID]/cmdline | Lists everything that was used to invoke the process. This sometimes contains useful paths to configuration files as well as usernames and passwords. |
/proc/[PID]/environ | Lists all the environment variables that were set when the process was invoked. This also sometimes contains useful paths to configuration files as well as usernames and passwords. |
/proc/[PID]/cwd | Points to the current working directory of the process. This may be useful if you don’t know the absolute path to a configuration file. |
/proc/[PID]/fd/[#] | Provides access to the file descriptors being used. In some cases this can be used to read files that are opened by a process. |
Last updated