DEV Community

DaNeil C

PentesterLab: File Include

A lot of applications need to include files to load classes or to share templates between multiple web pages. A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files on the web server, or to execute malicious files, by making use of the include() functionality. (2)

How?

File include vulnerabilities come from a lack of filtering when a user-controlled parameter is used as part of a file name in a call to an including function (require, require_once, include or include_once in PHP, for example).

If the call to one of these functions is vulnerable, an attacker can manipulate it to load their own code, which can lead to:

  • Local File Include (LFI): a local file is loaded, read, and interpreted, for example by using directory traversal to read arbitrary files.
  • Remote File Include (RFI): a remote file is retrieved and interpreted.

If the included content contains an opening PHP tag, the file will be interpreted as PHP code. (1)

Testing

On a website such as PentesterLab's File Include lab, injecting a special character (') into the URL parameter may produce an error message like this:

Warning: include(intro.php'): failed to open stream: 
No such file or directory in /var/www/fileincl/example1.php on line 7 
Warning: include(): Failed opening 'intro.php'' 
for inclusion (include_path='.:/usr/share/php:/usr/share/pear') 
in /var/www/fileincl/example1.php on line 7

If you read the error message carefully, you can extract a lot of information such as:

  • The path of the script: /var/www/fileincl/example1.php.
  • The function used: include().
  • The value used in the call to include() is the value we injected, intro.php', without any addition or filtering.

From here you can also use the methods used to detect directory traversal to detect file include, such as applying the ../../../etc/passwd technique in the URL.

Mitigation

  • By default, modern PHP disables loading of remote files through the allow_url_include configuration option, but that doesn't mean it's not exploitable if the PHP version is not current.
  • Apply proper filtering to user-controlled parameters, or supply users with specific parameter options.
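
The second mitigation (a fixed set of parameter options) shown next to the vulnerable pattern. This is an added example, not code from the original post or from PentesterLab; the page parameter name, the PAGES map, contact.php and the temporary demo directory are assumptions, and the test inputs are constructed.

```php
<?php
// Added example, not PentesterLab's code. The "page" parameter name,
// the PAGES map and the demo directory are assumptions for illustration.

// Vulnerable pattern described above: the request value reaches include()
// unfiltered, so the caller chooses which file is interpreted.
//   include($_GET['page']);

// Hardened form: the user supplies a key from a fixed set, never a path.
const PAGES = [
    'intro'   => 'intro.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key, string $baseDir): ?string
{
    if (!array_key_exists($key, PAGES)) {
        return null;                      // unknown key: nothing is included
    }
    // Defence in depth: canonicalise and confirm the file is inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$key]);
    if ($base === false || $path === false) {
        return null;                      // missing directory or file
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                      // e.g. a symlink resolving outside the base
    }
    return $path;
}

// Self-check against a temporary directory holding constructed files.
$dir = sys_get_temp_dir() . '/fileincl_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/intro.php", '<?php echo "intro\n";');
file_put_contents("$dir/contact.php", '<?php echo "contact\n";');

// Constructed inputs: one valid key, then the values discussed in this post.
foreach (['intro', "intro.php'", '../../../etc/passwd', 'http://example.test/x.txt'] as $input) {
    $path = resolve_page($input, $dir);
    printf("%-28s => %s\n", $input, $path === null ? 'rejected' : 'include ' . basename($path));
    if ($path !== null) {
        include $path;
    }
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Because only map keys are accepted, the error-triggering quote, the traversal string and the remote URL are all rejected before include() is reached, independent of the allow_url_include setting.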

Happy Hacking

References

  1. https://pentesterlab.com/
  2. https://resources.infosecinstitute.com/file-inclusion-attacks/#gref

Please note that I am still learning. If something that I have stated is incorrect, please let me know. I would love to learn more about what I may not understand fully.