Author Topic: Magic LFI PHP command (Read 2101 times)

Stackprotector · « **on:** May 17, 2013, 12:02:17 PM »

Hai guys,

Today i found this neat little trick to inject into a include($_GET['sex']); LFI vulnerability.

Quote

php://filter/read=convert.base64-encode/resource=index.php

This returns instead of the result of index.php the actual content encoded in base64. So when you got some basedir restrictions and you can't do much more than including stupid files you can read them and get the config's etc.

ca0s · « **Reply #1 on:** May 17, 2013, 02:07:39 PM »

Those funny PHP wrappers

They are also useful to bypass WAFs/filters.

Code: [Select]

http://www.ptsecurity.ru/ics/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf

And sometimes even for code execution, like it's shown at the end of this post:

Code: [Select]

http://zerofreak.blogspot.com.es/2012/04/lfi-exploitation-via-phpinput-shelling.html

Stackprotector · « **Reply #2 on:** May 17, 2013, 02:15:58 PM »

Quote from: ca0s on May 17, 2013, 02:07:39 PM

Those funny PHP wrappers
They are also useful to bypass WAFs/filters.

Code: [Select]
http://www.ptsecurity.ru/ics/%D0%90.%D0%9C%D0%BE%D1%81%D0%BA%D0%B2%D0%B8%D0%BD_%D0%9E_%D0%B1%D0%B5%D0%B7%D0%BE%D0%BF_%D0%B8%D1%81%D0%BF_%D0%A0%D0%9D%D0%A0_wrappers.pdf
And sometimes even for code execution, like it's shown at the end of this post:
Code: [Select]
http://zerofreak.blogspot.com.es/2012/04/lfi-exploitation-via-phpinput-shelling.html

php://fd

php://fd allows direct access to the given file descriptor. For example, php://fd/3 refers to file descriptor 3.

That could do some harm in site with vulnerability's

Author Topic: Magic LFI PHP command (Read 2101 times)

Stackprotector

Magic LFI PHP command

ca0s

Re: Magic LFI PHP command

Stackprotector

Re: Magic LFI PHP command