DaNeil C
PentesterLab: File Include

A lot of applications need to include files to load classes or to share templates between multiple web pages. A File Inclusion Vulnerability allows an attacker to access unauthorized or sensitive files on the web server, or to execute malicious files, by making use of the include() functionality.(2)

How?

File Include Vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP, for example).

If the call to one of these functions is vulnerable, an attacker can manipulate the function to load their own code, which can lead to:

  • Local File Include: LFI. A local file is loaded, read, and interpreted; for example, directory traversal can be used to read arbitrary files.
  • Remote File Include: RFI. A remote file is retrieved and interpreted.
  • If the arbitrary code contains an opening PHP tag, the file will be interpreted as PHP code.(1)

Testing

On a website such as PentesterLab's File Include lab, injecting a special character (a quote) into the URL parameter can produce an error message like this:

Warning: include(intro.php'): failed to open stream: No such file or directory in /var/www/fileincl/example1.php on line 7
Warning: include(): Failed opening 'intro.php'' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/fileincl/example1.php on line 7

If you read the error message carefully, you can extract a lot of information such as:

  • The path of the script: /var/www/fileincl/example1.php.
  • The function used: include().
  • The value used in the call to include is the value we injected, intro.php', without any addition or filtering.

From here you can also use the methods used to detect directory traversal to detect file include, such as applying the ../../../etc/passwd technique in the URL.

Mitigation

  • By default, modern PHP disables loading of remote files through the allow_url_include configuration option, but that doesn't mean an application is not exploitable if the PHP version is not current.
  • Apply proper filtering of user-controlled parameters, or supply users with specific parameter options.
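
The second mitigation as an added example (not code from the lab or the original post): the request value is only ever used as a key into a fixed allowlist, never as part of a file name. The page keys, file names and demo directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described above (shown as a comment, not executed):
//   include($_GET['page']);

// Hypothetical allowlist: the only values a user may request, each mapped
// to a fixed file name chosen by the developer.
const ALLOWED_PAGES = [
    'intro'   => 'intro.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page key to a file inside $baseDir,
 * or return null if the key is not on the allowlist.
 */
function resolve_page($requested, string $baseDir): ?string
{
    // Arrays (?page[]=x) and other non-strings are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . ALLOWED_PAGES[$requested]);
    // Defence in depth: the resolved file must exist and stay under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs, including the values discussed in this post.
$samples = ['intro', "intro.php'", '../../../etc/passwd', 'http://example.com/x.txt', ['intro']];
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fileincl_demo';
@mkdir($baseDir);
foreach (ALLOWED_PAGES as $file) {
    file_put_contents($baseDir . DIRECTORY_SEPARATOR . $file, "<?php echo 'page body';\n");
}
foreach ($samples as $input) {
    // A real script would call `include $path;` only when $path is not null.
    $path = resolve_page($input, $baseDir);
    echo json_encode($input), ' => ', $path === null ? 'rejected' : "include $path", PHP_EOL;
}
```

Because the user input never reaches the file system call, the quote, traversal and remote-URL inputs are all rejected before include() is involved, regardless of the allow_url_include setting.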

Happy Hacking

References

  1. https://pentesterlab.com/
  2. https://resources.infosecinstitute.com/file-inclusion-attacks/#gref

Please note that I am still learning. If something that I have stated is incorrect, please let me know. I would love to learn more about what I may not understand fully.
