Local File Inclusion detection and exploitation techniques.
An LFI could allow you to execute arbitrary code by including files that the web server was never meant to interpret (e.g. as PHP or ASP), such as a file containing:

```php
<?php system('id'); ?>
```
If you can find a way to upload your own files to the website, you can simply embed code within them and try to include them through the LFI.
The file does not have to respect the extension or MIME type of the code you’re trying to embed. For example, if you can only upload images, try to embed code at the end of the image file.
Most web servers log every incoming request to a local access log file. Logs usually include the requested URL or the Referer header, both of which you control and into which you can try to embed arbitrary code:

```http
GET /<? phpinfo(); ?> HTTP/1.1
Host: vulnerable-website.com
Referer: <? phpinfo(); ?>
```
Depending on the web server and operating system, logs can be found at the following default locations:
| Default log location | Web server | Operating system |
|---|---|---|
| | ALL | ALL (symlink to the files opened by the running process) |
| | Apache2 | RHEL, CentOS, Fedora |
| | NginX | RHEL, CentOS, Fedora, Debian, Ubuntu |
The same log poisoning technique could also be performed with SSH. However, those logs are usually readable by root only.
```sh
ssh -l '<? phpinfo(); ?>' vulnerable-website.com
```

| Default log location | Operating system |
|---|---|
| | RHEL, CentOS, Fedora |
| | Debian, Ubuntu, FreeNAS |
On a Linux host, every running process has a /proc/self/environ file (its own view of /proc/<pid>/environ) containing the environment variables associated with it; for a web server process these include HTTP_USER_AGENT. This means you can try to embed code and include it by tampering with the User-Agent header:

```http
GET / HTTP/1.1
Host: vulnerable-website.com
User-Agent: <? phpinfo(); ?>
```
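As an added example (not part of the original cheat sheet), the following Python script covers the detection side of the log and /proc/self/environ poisoning described above: it parses Apache/nginx combined-format access log lines and flags PHP open tags in the request, Referer or User-Agent fields (the poisoning step) as well as directory traversal or /proc/self/environ in the request (the inclusion step). The combined log format and the sample lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A PHP open tag in any client-controlled field marks a poisoning attempt; directory
# traversal or /proc/self/environ in the request marks the inclusion step itself.
INDICATORS = {
    "php_tag": re.compile(r"<\?(php\b|=|\s)", re.IGNORECASE),
    "traversal": re.compile(r"\.\./"),
    "proc_environ": re.compile(r"/proc/self/environ"),
}


def scan_line(line: str):
    """Return (client_ip, [(field, indicator), ...]) for a suspicious line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    hits = []
    for field in ("request", "referer", "ua"):
        # Decode once so %3C%3F-style encoded tags are matched like literal ones.
        text = unquote_plus(m.group(field))
        hits += [(field, name) for name, rx in INDICATORS.items() if rx.search(text)]
    return (m.group("ip"), hits) if hits else None


def scan_log(text: str):
    """Scan a whole log; one (ip, hits) tuple per flagged line, clean lines omitted."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


# Constructed sample lines (not from a real server): one benign request followed by
# the poisoning vectors described above and a traversal to /proc/self/environ.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET /<? phpinfo(); ?> HTTP/1.1" 404 162 "<? phpinfo(); ?>" "curl/8.0"
10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?page=%3C%3Fphp+phpinfo()%3B%3F%3E HTTP/1.1" 200 10 "-" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(ip, hits)
```

Running it against the sample prints four flagged lines from 10.0.0.9 and stays silent on the benign request; a `<?xml` declaration in a User-Agent is not mistaken for a PHP tag.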