Author Topic: Magic LFI PHP command  (Read 2104 times)

Stackprotector
Magic LFI PHP command
« on: May 17, 2013, 12:02:17 pm »
Hai guys,

Today I found this neat little trick to inject into an include($_GET['sex']); LFI vulnerability.


Quote
php://filter/read=convert.base64-encode/resource=index.php


This returns, instead of the result of index.php, the actual content encoded in base64. So when you've got some basedir restrictions and you can't do much more than including stupid files, you can read them and get the configs etc. :)
~Factionwars

ca0s
Re: Magic LFI PHP command
« Reply #1 on: May 17, 2013, 02:07:39 pm »
Those funny PHP wrappers :D
They are also useful to bypass WAFs/filters.

http://www.ptsecurity.ru/ics/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf

And sometimes even for code execution, like it's shown at the end of this post:
http://zerofreak.blogspot.com.es/2012/04/lfi-exploitation-via-phpinput-shelling.html

Stackprotector
Re: Magic LFI PHP command
« Reply #2 on: May 17, 2013, 02:15:58 pm »
php://fd

php://fd allows direct access to the given file descriptor. For example, php://fd/3 refers to file descriptor 3.

That could do some harm on sites with vulnerabilities
~Factionwars
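
Added example, not part of the thread: a small access-log check for the stream wrappers discussed above (php://filter, php://fd and related schemes) showing up in query parameters, including percent-encoded and double-encoded forms. The log lines, addresses, wrapper list and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Stream wrapper schemes that should never appear in a request parameter.
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar|zip|glob|file)://", re.IGNORECASE)
# Request target inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample entries (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/May/2013:12:02:17 +0000] "GET /index.php?sex=php://filter/read=convert.base64-encode/resource=index.php HTTP/1.1" 200 1892',
    '203.0.113.7 - - [17/May/2013:12:03:01 +0000] "GET /index.php?sex=PHP%253A%252F%252Ffd%252F3 HTTP/1.1" 200 0',
    '198.51.100.4 - - [17/May/2013:12:04:40 +0000] "GET /index.php?sex=about.php&ref=http://example.org/ HTTP/1.1" 200 5120',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def wrapper_hits(log_line):
    """Return [(param, wrapper, decoded_value)] for one access log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    hits = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl already decoded one layer
        found = WRAPPER_RE.search(value)
        if found:
            hits.append((name, found.group(1).lower(), value))
    return hits

def scan(lines):
    """Map 1-based line number to hits, for lines with at least one hit."""
    flagged = {}
    for number, line in enumerate(lines, 1):
        hits = wrapper_hits(line)
        if hits:
            flagged[number] = hits
    return flagged

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG).items():
        print(number, hits)
```

Access logs only record the query string, so parameters sent in a POST body need the same check applied at the application or proxy layer.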