Ryan
Apr 22, 2020

Journey from LFI to RCE with /proc/self/fd/ !!!

Hi guys, this blog is about how I was able to get Remote Code Execution (RCE) from Local File Inclusion (LFI).

While searching for vulnerabilities, I found an LFI in the target site: https://www.victimsite.com/web/?page=etc/passwd&menu=12. As you can see, the parameter “page” was vulnerable to LFI.

I had confirmed that the LFI was there, so now my target was to escalate it to get RCE. Before that, I had read many articles on how to get RCE from LFI. But due to a web server problem (504 Time Out error) I could not access the /etc/passwd file via the GET method. Finally the web server issue was fixed, but I did not find any access log. Suddenly I remembered that RCE is possible with /proc/self/fd/(number), so I tried to brute-force it in Burp Suite.

I tried /proc/self/fd/2, 9, 14, 16 and other files here, but the problem was that the file was so big that it would not load in Burp Suite, and I could not view it in the browser because of my low-config phone. I had an idea, so I tried to view this file from the terminal, like (curl -i http://website.com/web/?page=/proc/self/fd/2, then 9, 14, 16).

After viewing this file I did not find anything, then I saw the /proc/self/fd/16 file, and I found some interesting things.

The error log of this site is saved because one server is another site, so my target was the other site's Referer header; there I would inject my PHP code. I tried to inject PHP code by copying the link, opening it in the browser, and intercepting the request with Burp Repeater, but I don’t know what the problem was on that server: it would give a 504 response if any payload was given.

I tried a lot, but to no avail because of the 504 Time Out error, like all day chatting all night with a friend on Facebook, but I suddenly remembered that earlier I had even bypassed the /etc/passwd 504 timeout by switching GET to POST. It finally worked when the time was 03.11 AM at night.

Later the server was working with the GET method after the 504 timeout was fixed. Sorry if there are any mistakes - this is my 1st article, I could not explore properly.

Thanks for reading
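
For defenders, the requests described in this post leave recognizable traces in a web server access log. The following detector is an added example, not code from the original post; it assumes the Apache/nginx "combined" log format, and the sample lines, IP addresses and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" log format: request line, status, size, Referer, User-Agent.
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"')
# Include targets named in the post (/proc/self/fd/N, /etc/passwd) plus traversal.
SENSITIVE = re.compile(r'(?:^|/)proc/self/fd/\d+|(?:^|/)etc/passwd|\.\./')
PHP_TAG = re.compile(r'<\?(?:php|=)', re.I)

def decode(value, rounds=3):
    """Undo log escaping (\\x3c -> <) and nested URL-encoding (%252f -> %2f -> /)."""
    value = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect(line):
    """Return the findings for one access-log line; an empty list means clean."""
    m = LINE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # Any query parameter that resolves to a sensitive local path is an LFI probe.
    for name, raw in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        if SENSITIVE.search(decode(raw)):
            findings.append(f"lfi:{name}")
    # A PHP open tag in a logged header is an attempt to poison the log file.
    for field in ("referer", "agent"):
        if PHP_TAG.search(decode(m[field])):
            findings.append(f"php-in-{field}")
    return findings

# Constructed sample lines (documentation IP ranges, not taken from the post).
SAMPLE = [
    '203.0.113.7 - - [22/Apr/2020:03:09:41 +0000] "GET /web/?page=/proc/self/fd/16&menu=12 HTTP/1.1" 200 48211 "-" "curl/7.68.0"',
    '203.0.113.7 - - [22/Apr/2020:03:10:02 +0000] "GET /web/?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 504 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [22/Apr/2020:03:11:00 +0000] "POST /web/ HTTP/1.1" 200 512 "<?php /* constructed */ ?>" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Apr/2020:03:12:10 +0000] "GET /web/?page=about&menu=12 HTTP/1.1" 200 1024 "https://www.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(inspect(entry), entry[:70])
```

Access logs do not record POST bodies, so an include request moved from GET to POST, as in the post, is only caught here by the header rule; covering the parameter itself needs request-body logging or a check inside the application.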