Beginner Guide to File Inclusion Attack (LFI/RFI)


Post by S.s.H » Mon Feb 11, 2019 10:01 pm

Credit: RAJ CHANDEL
With the include() function, you can insert the content of one PHP file into another PHP file before the server executes it. The function can be used to create functions, headers, footers or elements that will be reused on multiple pages.

This helps developers change the layout of a complete website with minimal effort.

If any change is required, then instead of changing thousands of files, just change the included file.

Assume we have a standard footer file called “footer.php”, that looks like this:

Code:

<?php
echo "<p>Copyright &copy; 2010-" . date("Y") . " hackingartices.in</p>";
?>
Example 1
To include the footer file in a page, use the include statement:

Code:

<html>
<body>
<h1>Welcome to Hacking Articles</h1>
<p>Some text.</p>
<p>Some more text.</p>
<?php include 'footer.php';?>
</body>
</html>
Example 2
Assume we have a file called “vars.php“, with some variables defined:

Code:

<?php
$color='red';
$car='BMW';
?>

Code:

<html>
<body>
<h1>Welcome to my home page!</h1>
<?php include 'vars.php';
echo "I have a $color $car.";
?>
</body>
</html>
Output: I have a red BMW.

PHP Require Function
The require statement is also used to include a file into the PHP code.

However, there is one big difference between include and require; when a file is included with the include statement and PHP cannot find it, the script will continue to execute:
Example 3

Code:

<html>
<body>
<h1>Welcome to my home page!</h1>
<?php include 'noFileExists.php';
echo "I have a $color $car.";
?>
</body>
</html>
Output: I have a Red BMW

If we do the same example using the require statement, the echo statement will not be executed because the script execution dies after the require statement returned a fatal error:

Code:

<html>
<body>
<h1>Welcome to my home page!</h1>
<?php require 'noFileExists.php';
echo "I have a $color $car.";
?>
</body>
</html>
No output result

PHP Require_once Function
The require_once() function gives access to the data of another page only once, even when the called file may need to be included more than once. It works the same way as require. The only difference between require and require_once is that if the file has already been included, the calling script ignores further inclusions.
Example 4
echo.php

Code:

<?php
echo "Hello";
?>
test.php

Code:

<?php
require('echo.php');
require_once('echo.php');
?>
outputs: “Hello”

Note

allow_url_include is disabled by default. If allow_url_fopen is disabled, allow_url_include is also disabled.

You can enable allow_url_include from php.ini:

Code:

/etc/php7/apache2/php.ini
allow_url_include = On
File Inclusion Attacks
It is an attack that allows an attacker to include a file on the web server through a PHP script. This vulnerability arises when a web application lets the client submit input into files or upload files to the server.

This can lead to the following attacks:

Code execution on the web server
Cross Site Scripting Attacks (XSS)
Denial of service (DOS)
Data Manipulation Attacks
Two Types:

Local File Inclusion
Remote File Inclusion
Local File Inclusion (LFI)
A local file inclusion vulnerability occurs when a file to which the PHP account has access is passed as a parameter to the PHP function “include” or “require_once”.
This vulnerability occurs, for example, when a page receives, as input, the path to the file that has to be included and this input is not properly sanitized, allowing directory traversal characters (such as dot-dot-slash) to be injected.

Example – Local File Inclusion

Code:

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=file1.php

Code:

http://192.168.1.8/dvwa/vulnerabilities/fi/?page=/etc/passwd
Read the complete local file inclusion attack tutorial from viewtopic.php?f=10&t=4
Remote File Inclusion (RFI)
Remote File Inclusion occurs when the URI of a file located on a different server is passed as a parameter to the PHP function “include”, “include_once”, “require”, or “require_once”. PHP incorporates the content into the pages. If the content happens to be PHP source code, PHP executes the file.

PHP Remote File Inclusion allows an attacker to embed his/her own PHP code inside a vulnerable PHP script, which may lead to disastrous results such as allowing the attacker to execute remote commands on the web server, deface parts of the web or even steal confidential information.
http://192.168.1.8/dvwa/vulnerabilities ... =file1.php
http://192.168.1.8/dvwa/vulnerabilities/fi/?page=http://google.com


Mitigation

Strong Input Validation
  A whitelist of acceptable inputs
  Reject any inputs that do not strictly conform to specifications
  For filenames, use a stringent whitelist that limits the character set to be used
  Exclude directory separators such as “/”
  Use a whitelist of allowable file extensions
Environment hardening
  Develop and run your code in the most recent versions of PHP available
  Configure your PHP applications so that they do not use register_globals
  Set allow_url_fopen to false, which limits the ability to include files from remote locations
  Run your code using the lowest privileges
Use a vetted library or framework that does not allow this weakness.
Source: https://www.w3schools.com/

https://www.owasp.org/index.php/Testing ... _Inclusion

https://www.acunetix.com
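
The input-validation items from the mitigation list, applied to the `page` parameter used in the examples above. This is an added example, not part of the original post and not DVWA's code; `ALLOWED_PAGES`, `resolve_page()`, the page names and the temporary demo directory are assumptions.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern described in the post (shown as a comment, never executed):
//   include $_GET['page'];   // any path or URL sent by the client reaches include

// Assumed page names; a real application lists its own includable files here.
const ALLOWED_PAGES = ['file1.php', 'file2.php', 'file3.php'];

/** Return the absolute path of an allow-listed page inside $baseDir, or null. */
function resolve_page(string $requested, string $baseDir): ?string
{
    // 1. Character allow-list with a fixed extension: no "/", "\", ":" or NUL,
    //    so "../", absolute paths and "http://" URLs all fail here.
    if (preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $requested) !== 1) {
        return null;
    }
    // 2. Exact-match allow-list of known pages.
    if (!in_array($requested, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved path must exist and stay inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one allow-listed page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'file1.php', "<?php echo 'page one';");

// Constructed inputs, including the values used in the post's URLs.
$samples = ['file1.php', '/etc/passwd', '../../etc/passwd', 'http://google.com', 'file9.php', "file1.php\0.txt"];
foreach ($samples as $page) {
    $path = resolve_page($page, $dir);
    printf("%-20s => %s\n", addcslashes($page, "\0"), $path === null ? 'rejected' : 'include ' . basename($path));
}

unlink($dir . DIRECTORY_SEPARATOR . 'file1.php');
rmdir($dir);
```

In a real page handler the caller would pass `$_GET['page']` to `resolve_page()` and call `include` only on a non-null result, returning a 404 otherwise.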
