LFI to RCE

I need someone to make me understand this:

We have this LFI:
https://ip:port/downloadfile.php?file=../../../../../../../../../../etc/passwd

How can I "make" RCE:
I will add these 10 "../" ("../../../../../../../../../../") after "downloadfile.php?file="
downloadfile.php?file=../../../../../../../../../../var/log/apache2/access.log&c=id

If I do:
medium.com/@omarwhadidi9/10-ways-to-get-rce-from-lfi-f2bb696b67f6


github.com/RoqueNight/LFI---RCE-Cheat-Sheet
index.php?file=../../../../../../../var/log/auth.log&c=id


/downloadfile.php?file=../../../../../../../var/log/auth.log&c=id

None of them work.

../../../.. is path traversal. The point of obtaining RCE doesn't come from the fact that you can read a file; you first need to see which user is used while reading the file, see the right permissions, and whether your payload actually touches the right things to achieve RCE. It is not only based on path traversal.

Edit: Usually you can achieve RCE when chaining 2-3 vulnerabilities together; if the base vuln is, for example, LFI, it can be escalated to RCE by triggering other things.
 
Sec13B,
LFI2RCE works in case the inclusion in PHP code is done with include() or require().
If the inclusion is something like file read+echo, it's LFI only (or "path traversal" if the web server itself does that, not PHP code), without RCE.

btw, nice approach with log poisoning with PHP code mentioned in this topic - it could lead to RCE in case logs could be included and executed as PHP code.
 

