File Inclusion

EXPLOITATION

LFI ATTACKS

Short for Local File Inclusion, an LFI attack exploits a weakness in server-side code, such as PHP, to read or include files on the server that the application never intended to expose, by crafting requests that reach beyond the intended access.

Being able to see the source code of a web app is helpful, since an include or require built from unsanitized user input is a strong indicator that an LFI attack is possible, if you know what to look for.

For more information about LFI exploits, check out this article.

PHP VULNERABILITIES

There are a few tricks that can help with LFI attacks, although some of these have been patched in newer versions of PHP.


  • Null bytes - Sometimes developers filter keywords to avoid revealing sensitive information. They may only allow a certain type of file extension to be accessed. In these cases, adding a Null byte to the URL could help to bypass these filters.

Null bytes are string termination points, or delimiters, which tell a machine to stop processing the string immediately. In a URL sent to a PHP application, for example, a null byte is encoded as %00.

Adding a Null byte to the end of a payload at a certain point can tell the function to ignore anything after it, thus allowing attackers in some cases to bypass filters for certain functions.

The null byte trick has been fixed and doesn't work in PHP 5.3.4 or higher.


  • Current directory trick - Sometimes, filters can be bypassed by adding a dot to the end of the URL. Example: http://webapp.com/index.php?lang=/etc/passwd/.

    Referencing the current directory in this way can trip up certain filters so that the payload is not processed as the filter expects.


RFI - REMOTE FILE INCLUSION

When the allow_url_fopen option is left on in a web application, it provides attackers with the possibility of injecting an external URL into the include function.

This is what's known as an RFI, or Remote File Inclusion attack. RFI attacks are more severe than LFI, since they can allow an attacker to gain Remote Command Execution (RCE) on the server. Other possible consequences of this attack include:

  • Sensitive Information Disclosure

  • Cross-site Scripting (XSS)

  • Denial of Service (DoS)

An easy way to deliver code to a target server using this method is to host it with Python's built-in HTTP server: python3 -m http.server [port #]

The vulnerable server can then connect back to your machine and request files, and those files can contain the code you want executed on the target server.
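From the defender's side, the LFI and RFI requests described above leave recognisable traces in web server access logs. The following is an added example (not part of the original notes) of detection logic run over a handful of constructed, Apache-style log lines: it decodes each query-string parameter and flags traversal sequences, absolute paths, encoded null bytes (%00), the trailing "/." trick and values that start with a URL scheme such as http:// or php://. The log lines, IP addresses and file names are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache "common" format.
# Hosts, paths and timestamps are hypothetical; nothing here comes from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?lang=en HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?lang=../../../../etc/passwd HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?lang=../../../../etc/passwd%00.php HTTP/1.1" 200 1843
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /index.php?lang=/etc/passwd/. HTTP/1.1" 200 1843
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?lang=http://203.0.113.10:8000/payload.txt HTTP/1.1" 500 0
10.0.0.5 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?lang=fr HTTP/1.1" 200 512
"""

# Client IP and request line of a common/combined log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# A scheme prefix such as http://, ftp:// or php:// at the start of a value.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://', re.IGNORECASE)


def classify_value(value):
    """Return the set of file-inclusion indicators present in one decoded parameter value."""
    hits = set()
    if '../' in value or '..\\' in value:
        hits.add('traversal')
    if value.startswith('/'):
        hits.add('absolute_path')
    if '\x00' in value:
        hits.add('null_byte')           # %00 after URL decoding
    if value.endswith('/.'):
        hits.add('current_dir_suffix')  # the "/." trick from the section above
    if SCHEME_RE.match(value):
        hits.add('remote_or_wrapper')   # http://, ftp://, php:// ...
    return hits


def analyze_log(text):
    """Parse log lines and return one finding per suspicious parameter value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group('target')).query
        # parse_qs percent-decodes values, so %00 becomes a real NUL byte here.
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append({'ip': m.group('ip'), 'param': name,
                                     'value': value, 'indicators': sorted(hits)})
    return findings


def per_source_counts(findings):
    """Count suspicious requests per client IP, a simple basis for an alert threshold."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:<10} {f['param']}={f['value']!r:<45} {','.join(f['indicators'])}")
    print(per_source_counts(results))
```

The decoding step matters: a rule that greps the raw log for a literal NUL byte will never fire, because the request line carries the encoded form %00. Counting findings per source address gives a cheap way to separate a single odd request from an active scan.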



FILE INCLUSION REMEDIATION

Preventing file inclusion vulnerabilities is a matter of careful construction and maintenance of web apps. Here are some common ways to protect web applications from these types of exploits.

  • Keep systems and services, including web application frameworks, updated to the latest version.

  • Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.

  • A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.

  • Disable PHP features that enable file inclusion vulnerabilities if your web app doesn't need them, such as allow_url_fopen and allow_url_include.

  • Carefully analyze the web application and allow only the protocols and PHP wrappers that are actually needed.

  • Never trust user input, and make sure to implement proper input validation against file inclusion.

  • Implement whitelisting of file names and locations in addition to blacklisting.
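The following is an added example (not part of the original notes) that ties the PHP VULNERABILITIES section to the last two remediation points. It contrasts a blacklist-only check, which rejects "../" but lets an absolute path, the "/." trick and a remote URL straight through, with an allowlist resolver that only accepts known language names, rejects decoded null bytes, and verifies with realpath that the resolved file stays inside the intended directory. The language names, the temporary directory and the test inputs are constructed for the example, and the resolver is written in Python to stand in for the equivalent PHP include logic.

```python
import os
import tempfile
from urllib.parse import unquote

# Allowlist of language files the application actually ships (constructed for the example).
ALLOWED_LANGS = {'en', 'fr', 'de'}


def denylist_filter(raw_value):
    """Blacklist-only check: rejects traversal sequences and nothing else.
    Returns True when the value is allowed through."""
    return '../' not in unquote(raw_value)


def resolve_include(raw_value, base_dir, allowed=ALLOWED_LANGS):
    """Allowlist-based resolver for an include parameter. Returns the absolute path of
    the file to include, or raises ValueError with the reason it was rejected."""
    value = unquote(raw_value)
    if '\x00' in value:
        # Reported separately so that %00 attempts are visible in application logs.
        raise ValueError('null byte in parameter')
    if value not in allowed:
        # Absolute paths, "/." suffixes, URLs and wrappers all fail here: they are
        # simply not one of the known names.
        raise ValueError(f'{value!r} not in allowlist')
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value + '.php'))
    # Defence in depth: even an allowlisted name must resolve inside base_dir
    # (guards against a symlink dropped into the directory later).
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError('resolved path escapes base directory')
    if not os.path.isfile(candidate):
        raise ValueError('file missing')
    return candidate


def build_demo_dir():
    """Create a temporary directory holding the allowlisted files (constructed content)."""
    base = tempfile.mkdtemp(prefix='lang_')
    for name in ALLOWED_LANGS:
        with open(os.path.join(base, name + '.php'), 'w') as fh:
            fh.write(f"<?php // {name} strings ?>\n")
    return base


def evaluate(raw_value, base_dir):
    """Run one input through both checks.
    Returns (denylist_passed, resolved_path_or_None, reason)."""
    try:
        path = resolve_include(raw_value, base_dir)
        return denylist_filter(raw_value), path, 'ok'
    except ValueError as exc:
        return denylist_filter(raw_value), None, str(exc)


if __name__ == '__main__':
    base = build_demo_dir()
    # Constructed inputs mirroring the tricks discussed above.
    for raw in ('en', '../../../../etc/passwd', '../../../../etc/passwd%00.php',
                '/etc/passwd/.', 'http://203.0.113.10:8000/payload.txt'):
        passed, path, reason = evaluate(raw, base)
        print(f"{raw!r:<45} denylist_passed={passed!s:<5} allowlist={reason}")
```

The point of the side-by-side is the middle two cases: the blacklist accepts "/etc/passwd/." and the remote URL because neither contains "../", while the allowlist never has to reason about encodings or suffixes at all, because the only accepted values are names the application itself defined.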