File Inclusion
File Inclusion refers to an inclusion attack through which an attacker can trick the web application into including files on the web server.
Path Traversal can lead to two different types of File Inclusion:
Local File Inclusion (LFI): When it is possible to include a local file.
Remote File Inclusion (RFI): When it is possible to include remote files.
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.
A search for path traversal begins by examining URL query strings and form bodies for values that look like file references; the most common indicator is a file extension.
The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/.
So we can request the following URL to retrieve an arbitrary file from the server's filesystem:
This causes the application to read from the following file path: /var/www/images/../../../etc/passwd
There are some interesting files to read, such as information about the server (users, groups), logs, etc.
It is similar to Path Traversal but not exactly the same. The difference is that with file inclusion, an included PHP file is interpreted and executed, whereas with path traversal it is only read.
PHP provides several protocol wrappers that can be used to exploit path traversal and local file inclusion vulnerabilities. These wrappers give additional flexibility when attempting to inject PHP code via LFI vulnerabilities.
Used to embed inline data as part of the URL, as plaintext or base64.
Used to encode/convert files. Useful for reading PHP source files. The php://filter part is case insensitive.
To read the compressed data you need to decode the base64 and read the resulting data using:
Upload a Zip file with a PHP shell inside and access it.
Used to execute code.
Interprets a PHP payload sent via POST parameters.
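The following Python is an added example, not part of these notes: it shows the containment check a defender would put behind the loadImage filename parameter described above (rejecting ../ traversal, NUL bytes and the wrapper prefixes such as php://filter, data: and expect: covered in this section), and runs the same check over constructed access-log lines to flag attempts. IMAGE_ROOT, check_filename and suspicious_requests are names assumed here.

```python
import os
import re
from urllib.parse import unquote

# Assumed name: the storage directory from the loadImage example on this page.
IMAGE_ROOT = os.path.realpath("/var/www/images")

# Any URL scheme prefix (php:, data:, expect:, zip:, ...) is never a valid image name;
# PHP's include() would otherwise hand the string to the matching stream wrapper.
WRAPPER_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)


def check_filename(filename, root=IMAGE_ROOT):
    """Return (absolute_path, None) if the name is safe to open, else (None, reason)."""
    name = unquote(filename)  # one decode, as the web server does before PHP sees it
    if "\x00" in name:
        return None, "nul-byte"
    if WRAPPER_SCHEME.match(name):
        return None, "wrapper:" + name.split(":", 1)[0].lower()
    # realpath collapses ../ and follows symlinks; join() discards root if name is absolute
    candidate = os.path.realpath(os.path.join(root, name))
    # commonpath is the containment test; startswith(root) would admit /var/www/images2/
    if os.path.commonpath([root, candidate]) != root:
        return None, "traversal"
    return candidate, None


# Constructed access-log lines (not real traffic) in Apache common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /loadImage?filename=cat.jpg HTTP/1.1" 200 4123
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /loadImage?filename=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1523
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /loadImage?filename=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 8812
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /loadImage?filename=/var/log/apache2/access.log HTTP/1.1" 200 99100
"""

REQUEST = re.compile(r'^(\S+) .*?"GET /loadImage\?filename=([^ "]+)')


def suspicious_requests(log_text):
    """Return (client_ip, decoded_filename, reason) for every request check_filename refuses."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        _, reason = check_filename(match.group(2))
        if reason:
            hits.append((match.group(1), unquote(match.group(2)), reason))
    return hits
```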
Being able to include remote files in the application is synonymous with remote code execution. We can include a webshell or a reverse shell.
Or you can create a PHP file with command execution or another type of reverse shell:
Finally, you only need to set up an HTTP server or SMB server and request the reverse shell.
Sometimes impacket-smbserver doesn't work due to the outdated SMB version of the target machine, and we need to configure it manually.
There are several ways to escalate an LFI to RCE.
We can poison the logs with the User-Agent.
And then try to access /var/log/apache2/access.log.
If SMTP is open on the server, we can easily send a mail to an internal account, "user@localhost", containing the following payload: <?php system($_GET["cmd"]);?>
And then access the mail inbox of that user.
Like a log file, sending the payload in the User-Agent will reflect it inside the /proc/self/environ file.
If there is functionality that lets us upload an arbitrary file, we can upload a reverse shell directly or simply upload an image with the payload injected into its metadata.
To modify the metadata of a file we can use exiftool.
Once uploaded, we can access it.