Skip to content

Security Knowledge Base LFI / RFI

Security Knowledge Base

Home
Bug hunting
Bug hunting
- Bounties
- Guides
Career
Career
- References
Certifications
Certifications
- Osce
  Osce
  - Preparation
- Oscp
  Oscp
  - Enumeration
  - preparation
  - Lab Setup
  - Notes
  - Practice
  - Tools
  - Cheatsheet
    Cheatsheet
    
    Cheatsheets
    
    Exploits
    
    Share files
    
    TTY
    
    Web
    
    Windows
    
    Enumeration
    Enumeration
    
    Network
    
    Vulnerability
    
    Windows local
Cloud
Cloud
- Aws s3
- Aws
- Azuer
Collections
Collections
Containers
Containers
Crypto
Crypto
- Tools
- z References
Ctf
Ctf
- Practice Resources
- Write-ups
- Hack the box
  Hack the box
  - CronOS
  - Bank
  - Bastard
  - Beep
  - Grandpa
  - Lame
  - Popcorn
  - Bashed[ippsec pending]
    Bashed[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Phpbash
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    05 UsersGroups
    
    ScriptResults
    ScriptResults
    
    LinEnum
    
    04 PrivEscalation
    04 PrivEscalation
    
    PrevEsc
  - Blue
    Blue
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    02 Exploitation
    02 Exploitation
    
    EternalBlue
  - Brainfuck
    Brainfuck
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
  - Curling[ippsecpending]
    Curling[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    01 Joomla
    
    02 Binary
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Granny
    Granny
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Irked
    Irked
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Unreal
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Jerry[ippsec pending]
    Jerry[ippsec pending]
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Tomcat
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
  - Sense[ippsecpending]
    Sense[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Pfsense
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
  - Silo[ippsecpending]
    Silo[ippsecpending]
    
    Log
    
    01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
    
    02 Exploitation
    02 Exploitation
    
    Oracle
    
    03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
- Template
  Template
  - Log
  - 01 Enumeration
    01 Enumeration
    
    Network
    
    OtherServices
    
    WebServices
  - 03 PostExploitation
    03 PostExploitation
    
    Goodies
    
    InfoBreakdown
    InfoBreakdown
    
    01 Host
    
    02 FileSystem
    
    03 Processes
    
    04 Applications
    
    05 UsersGroups
    
    06 Network
    
    07 ScheduledJobs
    
    ScriptResults
    ScriptResults
    
    LinEnum
Databases
Databases
- Access
  Access
  - Tools
- Mongodb
  Mongodb
  - 0 cheatsheet
- Mysql
  Mysql
  - Cheatsheet
  - MySQL-Root to System-Root
- Oracle
  Oracle
  - Tools
- Sqlserver
  Sqlserver
Dfir
Dfir
- Cheatsheet
- CTFs
- Important Files
- Tools
- References
Embedded and iot
Embedded and iot
- Cheetshet
- FCC
- Protocols
- Tools
- References
- Scenario
  Scenario
  - Test Conditions
- Specific
  Specific
  - ATMs
  - Automobile
  - Bluetooth
  - Cameras
  - Locks
  - Printers
  - Ships
  - UEFI
- Techniques
  Techniques
  - Glitching
  - Side Channel
Exploits and shellcoding
Exploits and shellcoding
Identity and access management
Identity and access management
- Kerberos
- References
Languages
Languages
- GO
- Java
- Javascript
- NodeJS
- PHP
- Python
- Rails
- Regex
- Rust
Malware
Malware
Network
Network
Os
Os
- Android
  Android
  - Android
- Ios
  Ios
  - IOS
- Linux
  Linux
  - Cheatsheet
  - Important Files / Folders
  - Important issues
  - Kernel Exploitation
  - Privilege Escalation
  - Wildcards
  - Defense
  - Tools
    Tools
    
    Iptables
    
    Netcat (NC)
    
    tcpdump
    
    VI
- Macos
  Macos
  - Defense
- Windows
  Windows
  - Cheatsheet
  - Active Directory
  - Windows API
  - Events
  - HyperV
  - Important Endpoints
  - Important Files
  - Important issues
  - Important Processes
  - Important Registry Locations
  - Kernel Exploitation
  - Privilege Escalation
  - WMI
  - Defense Bypass
  - Defense
  - Tools
  - References
  - Credentials
    Credentials
    
    Hashes and Credentials
    
    Using Credentials
  - Powershell
    Powershell
    
    Cheatsheet
    
    Collections
    
    Modules
    
    Resources
Osint
Osint
- Tools
- References
Password attacks
Password attacks
Protocols and ports
Protocols and ports
- Citrix 1494
- DHCP
- DNS 53
- FTP 21
- Finger 79
- HTTP HTTPS 80,443
- IMAP 143,993
- IRC 8067
- LDAP 389
- Memcache
- Modbus 502
- MySQL 3306
- NFS 2049
- NTP 123
- References
- POP3 110
- PPTP L2TP VPN 500,1723
- Portmapper 111
- RDP 3389
- RPC 445
- SIP 5060
- SMB Samba NetBIOS 135 139,445
- SMTP 25
- SNMP 161
- SQL Server 1433,1434
- SSH 22
- TFTP 69
- Telnet 23
- Tor 9001,9030
- VNC 5900
- WebDev
- X11 6000
- Rlogin 513
- References
Reverse engineering
Reverse engineering
- 0 cheatsheet
- Defense
- Practice
- Tools
- References
- Linux
  Linux
  - ELF
  - GDB
  - Lab Setup
- Specific
  Specific
  - ARM
  - C / C++
  - .NET
  - Go
  - Java
  - Mobile App
- Windows
  Windows
  - PE Files
  - Tools
  - VBA
  - Defense
Rf and wireless
Rf and wireless
- Rfid nfc
- RaspberryPi
- SDR
Shellcoding
Shellcoding
- Reverse Shell
- Memorize the 8086 opcodes
Shells
Shells
- C++
- ICMP Shells
- Java
- Linux
- PHP
- Python
Steganography
Steganography
- Tools
Theoretical
Theoretical
- Pentesting Process
Vulnerable
Vulnerable
Web
Web
- Cheatsheet
- Client Side Attacks
- CMS
- Discovery
- Sharepoint
- SSL/TLS
- Defense Bypass
- Defense
- Tools
- References
- Scenario
  Scenario
- Vulnerabilities
  Vulnerabilities
  - Command injection
  - CRLF
  - CSRF
  - LFI / RFI LFI / RFI
    Table of contents
    
    LFI to RCE
    
    RCE with TXT upload
    
    RCE with Logs
    
    RCE over SQLi
    
    References
  - Open Redirect
  - PUT
  - SQL Injection
  - SSRF
  - XSS

LFI / RFI

LFI to RCE

RCE with TXT upload

Expose .txt file and use a vulnerable include to include the txt file into code (evil.txt.php).

PHP config can be used to disable URL file access. But still local files can be accessed (allow_url_fopen / allow_url_include)

RCE with Logs

Use NC to write logs with malicious content to access_logs.
Connect and just send the attack string (In user-agent etc.).
Then include the log file (local file inclusion)

RCE over SQLi

Return <?php echo "test"?> from SQL and see results to check if RCE is possible over SQLi

References

Universal LFI for Windows + PHP (using phpinfo): https://rdot.org/forum/showthread.php?t=1134