File Inclusion/Local File Inclusion/Code Injection
Two common input vectors for injecting PHP code are the "user-agent" header and the httpd error log. The user-agent can be accessed through /proc/self/environ. Therefore, if an attacker uses Tamper Data or a similar tool to make their browser send a custom user-agent containing the following string:
<?php system($_GET['cmd']); ?> |
and accesses the file:
/local.php?file=../../../../../../../../../../../../../proc/self/environ?cmd=whoami
When /proc/self/environ is included, it exposes the attacker's user-agent, so the PHP code it contains is executed: anything supplied to the page via the 'cmd' GET variable is run on the server by PHP's system() function, which executes commands at the OS level.
The attacker can then read the Linux or Unix username (the output of the whoami command) in the HTML returned by the PHP file.
The other method uses the error log: all requests that are denied or that lead to errors are written to it. This means that if an attacker sends an illegal request containing PHP code, the entire request (including the PHP code) is appended to the error log, which can later be included via LFI to execute that code.
For example, one can use the telnet command to cause a 404 error with a GET request:
GET <?php system($_GET['cmd']) ?> |
and then request the following URL to obtain the same output:
/local.php?file=../../../../../../../../../../../../../usr/local/apache/log/error_log?cmd=whoami
Note that the log location varies between installations.
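Both vectors above depend on the same root cause: a script that passes user input straight into include(). The following is an added example (not code from the original article) of a page loader written so that neither /proc/self/environ nor a log file can ever be reached. The directory name pages/, the page keys and the file names are assumptions made for this example.

```php
<?php
// Added example, not from the original article.
//
// The pattern the article's "local.php?file=..." URL implies is
//     include($_GET['file']);
// which lets the "file" value select any readable path on the system.
//
// Hardened version: the "file" parameter selects a key in an allow-list and
// never becomes part of a filesystem path. PAGE_DIR and ALLOWED_PAGES are
// assumed values for this example.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';   // assumed location of the page templates

// Allow-list: the only values the "file" parameter may select.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve the requested page key to an absolute path inside PAGE_DIR.
 * Returns null when the key is unknown or the resolved path escapes PAGE_DIR.
 */
function resolvePage(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;                                    // unknown key: refuse
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$requested]);
    // Defence in depth: even a mistaken allow-list entry must stay inside PAGE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['file'] ?? 'home';
$page = resolvePage(is_string($requested) ? $requested : '');

if ($page === null) {
    http_response_code(404);
    // Log a fixed message plus a sanitized, length-limited copy of the key,
    // never the raw request, so this log cannot itself be seeded with
    // "<?php ..." and later included as in the second vector above.
    $safeKey = substr(preg_replace('/[^a-z0-9_-]/i', '_', (string) $requested), 0, 32);
    error_log('page not found: ' . $safeKey);
    exit('Not found');
}

include $page;
```

With this structure a request such as file=../../../../proc/self/environ fails the array_key_exists() check before any path is built, and the realpath() containment check guards against an allow-list entry that was mistyped to point outside pages/. Keeping attacker-controlled strings out of the application's own log lines closes the log-poisoning half of the problem for logs the application writes; the web server's access and error logs should additionally be stored outside any directory the script can include.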