Interesting Files for LFI

Linux

/etc/passwd

/etc/shadow

/etc/issue

/etc/group

/etc/hostname

Log Files 

 Apache access log: /var/log/apache/access.log
 
 Apache access log: /var/log/apache2/access.log
 
 Apache access log: /var/log/httpd/access_log
 
 Apache error log: /var/log/apache/error.log
 
 Apache error log: /var/log/apache2/error.log
 
 Apache error log: /var/log/httpd/error_log
 
 General messages and system related entries: /var/log/messages
 
 Cron logs: /var/log/cron.log
 
 Authentication logs: /var/log/secure or /var/log/auth.log

CMS configuration files

The following files are configuration files for popular content management systems. When a target is running any of these CMS systems you can try to include their configuration files as they often contain sensitive information, such as (root) credentials used to access the database.

WordPress: /var/www/html/wp-config.php

Joomla: /var/www/configuration.php

Dolphin CMS: /var/www/html/inc/header.inc.php

Drupal: /var/www/html/sites/default/settings.php

Mambo: /var/www/configuration.php

PHPNuke: /var/www/config.php

PHPbb: /var/www/config.php

Windows

To verify LFI on Windows systems a very common file we can attempt to include is the hosts file in the following directory:

C:/Windows/System32/drivers/etc/hosts

From the privilege escalation chapter, we’ve learned that the ‘Unattended.xml’ files on Windows systems may contain credentials for privileged accounts, such as the administrator or even the domain administrator. If an attacker is able to include such files it could easily result in (domain) administrator access to the system or network, for example by using the credentials to authenticate with Remote Desktop Services.

The following files of interest can (sometimes) be found on Windows systems which may contain passwords and other sensitive information:

C:/Windows/Panther/Unattend/Unattended.xml

C:/Windows/Panther/Unattended.xml

C:/Windows/Panther/Unattend.txt

C:/Unattend.xml

C:/Autounattend.xml

C:/Windows/system32/sysprep

Another directory with potentially interesting files is the web root directory:

C:/inetpub/wwwroot/

C:/inetpub/wwwroot/web.config

C:/inetpub/logs/logfiles/

The following files of interest can (sometimes) be found on Windows systems:

C:/documents and settings/administrator/desktop/desktop.ini

C:/documents and settings/administrator/ntuser.dat

C:/documents and settings/administrator/ntuser.ini

C:/users/administrator/desktop/desktop.ini

C:/users/administrator/ntuser.dat

C:/users/administrator/ntuser.ini

C:/windows/windowsupdate.log

XAMPP

 C:/xampp/apache/conf/httpd.conf
 
 C:/xampp/security/webdav.htpasswd
 
 C:/xampp/apache/logs/access.log
 
 C:/xampp/apache/logs/error.log
 
 C:/xampp/tomcat/conf/tomcat-users.xml
 
 C:/xampp/tomcat/conf/web.xml
 
 C:/xampp/webalizer/webalizer.conf
 
 C:/xampp/webdav/webdav.txt
 
 C:/xampp/apache/bin/php.ini
 
 C:/xampp/apache/conf/httpd.conf
PreviousLFI and RFINextNull Byte Injection

Last updated