need help with lfi
Hi all! Let's say (it's all theory, I am testing locally :P) that I have a PHP script like:

```php
<?php $handle = fopen("/blah/blah/".$_GET['file'], "r"); //echo file contents ?>
```

First of all, the server's /etc/passwd file permissions allow me to see all the accounts on the machine: www.target.com/show_file.php?file=../../../../../../etc/passwd (shadowed password of course). Even www.target.com/show_file.php?file=../../../../../../usr/bin/ls returns something. Where I need help is the latter: is it possible to run commands 'with' arguments? What kinds of attack(s) could I perform using fopen?
Thanks for the quick response. First, I lied about fopen, the script uses readfile($_GET['file']) // well I didn't lie, I just checked by LFI-ing the script… By *.php?file=./../../../../../bin/ls I get a lot of symbols at the top and something like (I just picked a few lines from the middle):
F1L0s0F3R_gr wrote: Thanks for the quick response. First, I lied about fopen, the script uses readfile($_GET['file']) // well I didn't lie, I just checked by LFI-ing the script… By *.php?file=./../../../../../bin/ls I get a lot of symbols at the top and something like (I just picked a few lines from the middle):
Looks like it's just cat'ing the ELF, so nothing's executing.
If the site, or your site, allows the uploading of images you could insert some PHP into the image using something like this http://www.sb-software.com/jpegcommenter/ and then LFI the image and the PHP will execute. Although I'm not sure if that's what you're looking for.
skathgh420 wrote: If the site, or your site, allows the uploading of images you could insert some PHP into the image using something like this http://www.sb-software.com/jpegcommenter/ and then LFI the image and the PHP will execute. Although I'm not sure if that's what you're looking for.
Readfile, not include.
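As an added example (not code from the thread), here is the readfile() pattern from the question next to a hardened version that resolves the requested name and refuses anything outside an assumed base directory (/var/www/files is an assumption, as are the function names); the comments also spell out the readfile-versus-include distinction the last reply makes.

```php
<?php
// Added example, not from the thread. Assumes served files live under FILE_BASE.
declare(strict_types=1);

const FILE_BASE = '/var/www/files'; // assumed directory; adjust for your deployment

// Vulnerable: readfile() streams any file the web server can read back to
// the client. ../../etc/passwd or /bin/ls come back as raw bytes, so an ELF
// is just "cat'ed", never executed. Execution only happens when the path
// reaches include/require, which parses the file as PHP.
function showFileVulnerable(string $name): void
{
    readfile(FILE_BASE . '/' . $name);
}

// Hardened: resolve the path on disk and require it to sit below the base.
// realpath() collapses "..", symlinks and repeated slashes, so the check is
// made on the real filesystem location rather than on the user's string.
function resolveInsideBase(string $name): ?string
{
    if (strpos($name, "\0") !== false) {
        return null; // NUL bytes truncate paths in C-level calls
    }
    $base   = realpath(FILE_BASE);
    $target = realpath(FILE_BASE . '/' . $name);
    if ($base === false || $target === false) {
        return null; // base missing or requested file does not exist
    }
    // Accept only paths strictly below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // traversal or symlink escape
    }
    return is_file($target) ? $target : null;
}

function showFileHardened(string $name): void
{
    $path = resolveInsideBase($name);
    if ($path === null) {
        http_response_code(404);
        echo 'file not found';
        return;
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}

showFileHardened($_GET['file'] ?? '');
```

With the hardened version, the traversal requests quoted in the question resolve to a path outside the base and get a 404 instead of the file contents.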