File Inclusion Vulnerabilities
Local File Inclusion (LFI) :-
- Local File Inclusion (LFI) refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting a functionality that dynamically includes local files or scripts.
- The consequences of a successful LFI attack include Directory Traversal and Information Disclosure as well as Remote Code Execution.
- Basically, Local File Inclusion (LFI) occurs when an application takes the path of the file to be included from user input without treating that input as untrusted.
- This allows an attacker-chosen local file to be supplied to the include statement.
- Local File Inclusion is very much like Remote File Inclusion (RFI), with the difference that with Local File Inclusion, an attacker can only include local files (not remote files like in the case of RFI).
- An interesting tool to exploit this vulnerability:
https://github.com/kurobeats/fimap
Locations to check :
Basic LFI and bypasses :-
- https://example.com/index.php?page=../../../etc/passwd
Bypass tricks :
- https://example.com/index.php?page=utils/scripts/../../../../../etc/passwd (From Existing Folder)
- https://example.com/index.php?page=..///////..////..//////etc/passwd
- https://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd (Traversal sequences stripped non-recursively)
Remote File Inclusion (RFI) :-
- Remote file inclusion (RFI) is an attack technique used to exploit "dynamic file include" mechanisms in web applications.
- This vulnerability is mainly due to inadequate input validation, which allows the user’s input to be passed to the “file include” commands without proper validation.
- When web applications take user input (URL, parameter value, etc.) and pass it into “file include” commands, the web application can be tricked into including remote files with malicious code, which can then run on either the server or clients.
- The file include mechanism itself is mainly used for packaging common code into separate files that are later referenced by main application modules.
- When a web application references an include file, the code in this file may be executed implicitly or explicitly by calling specific procedures.
- If the choice of module to load is based on elements from the HTTP request, then the web application can be vulnerable to a remote file inclusion attack.
Abusing Upload Functions :-
- A vulnerable Web Application upload feature combined with a Local File Inclusion might lead to a Remote Code Execution.
- An attacker who manages to upload data on the server - like image upload, specific document type file upload, etc. - could use a Local File Inclusion vulnerability to execute arbitrary commands remotely.
Difference Between LFI and RFI :-
- Local File Inclusion (LFI) and Remote File Inclusion (RFI) are two common vulnerabilities that typically affect PHP web applications.
- These vulnerabilities are caused by poorly written web applications and/or a failure to follow appropriate security practices.
- Cybercriminals can exploit these weaknesses to disclose sensitive information or take control of the entire server.
- The main difference between an LFI and an RFI is the included file’s point of origin.
- In an LFI attack, threat actors use a local file that is stored on the target server to execute a malicious script. These types of attacks can be carried out by using only a web browser.
- In an RFI attack, they use a file from an external source instead of accessing a file on the local web server.
Protecting Against LFI & RFI Attacks :-
- The main cause of LFI and RFI vulnerabilities is improper input validation.
- Therefore, efforts should be made to ensure the input received is properly sanitized before allowing it to pass to an include function.
- Here are a few ways you can protect your web applications from these vulnerabilities :
i. Disable the remote inclusion feature by setting “allow_url_include” to 0 in your PHP configuration.
ii. If circumstances demand that you enable the remote file inclusion feature, ensure that you make a whitelist of accepted filenames and limit the input to only those files on the list.
iii. Disable the “allow_url_fopen” option to control the ability to open, include or use a remote file.
iv. Use preset conditions as an alternative to filenames when file inclusion is based on user input.
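The whitelist and preset-condition advice in items ii and iv, shown as an added PHP example (not code from the original article): the request supplies a key that is looked up in a fixed map, so no user-controlled string ever reaches include. The PAGES map, the page names, resolve_page() and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical page map: the request supplies a key, never a path.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map a user-supplied page key to a file under $baseDir.
 * Returns the absolute path, or null when the key is not allowlisted
 * or the resolved file falls outside the base directory.
 */
function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null; // traversal strings and URLs are simply unknown keys
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    // Defence in depth: realpath() collapses ../ and symlinks, then the
    // result must still sit under the base directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable pattern, for contrast:  include $_GET['page'];
// Hardened handler:  $p = resolve_page($pageParam, __DIR__ . '/pages');
//                    if ($p === null) { http_response_code(404); exit; }
//                    include $p;

// Constructed demo: a temporary pages directory and sample inputs.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
foreach (PAGES as $file) {
    touch($dir . DIRECTORY_SEPARATOR . $file);
}
$inputs = ['home', '../../../etc/passwd',
           'utils/scripts/../../../../../etc/passwd', 'http://example.com/remote.txt'];
foreach ($inputs as $input) {
    $p = resolve_page($input, $dir);
    echo str_pad($input, 42), $p === null ? 'rejected' : 'include ' . basename($p), PHP_EOL;
}
array_map('unlink', glob($dir . DIRECTORY_SEPARATOR . '*.php'));
rmdir($dir);
```

Because the lookup is by key, the slash-padding and encoding variants listed under the bypass tricks never match an entry either; there is no filter to get past.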