Overview

LFI Scenarios

Scenario 1: Log Poisoning

If we can inject some PHP code into the apache log, in some configuration, we can use a LFI vulnerability to have that code be executed.

Scenario 2: PHPInfo with LFI == RCE

We can exploit the fact that PHPInfo contains the values of PHP values set by a POST, GET, or FILE request. Upon uploading a file, it will temporarily be stored in /tmp/ and gets deleted at the end of the phpinfo() call. If we make multiple upload requests, we can execute the code that was uploaded.

Scenario 3: Known running services configuration files

For example, if you know that a MySQL database is running on the backend, you can try to include /etc//my.cnf, /etc/mysql.d/mysql.conf, etc. If you know the website is running Wordpress, it might be worth looking for a wp-config.php in the webroot.

Scenario 4: Test for RFI

Host a PHP reverse shell on your web server (with a .txt extension) and attempt to include that file.

Scenario 5: Passwords

Look for files on the filesystem which can potentially include passwords

Scenario 6: Check for file upload

If we are able to upload files on the web server, try to upload PHP code that can be included and executed.