File Inclusion/Local File Inclusion
Local file inclusion can be just as dangerous if not more so. It is far more widespread than RFI but can be more difficult to exploit, subject to whatever limitations and whitelisting are in place to prevent it. Local file inclusion occurs when the PHP code at /local.php?file=welcome looks similar to the following, however allow_url_fopen and allow_url_includes has been disabled in the PHP configuration. This will only allow the attacker to access local files:
<?php include($_GET['file']); ?>
This is similar to the Remote File Inclusion vulnerability, however reviewing the code it can be seen that PHP is reading from a file on the local machine and then displaying it on the web page. The problem with this type of code is that now, instead of relinquishing execute, write, and read level permissions to an attacker, the programmer has still relinquished read level permissions to the attacker.
Local File Disclosure
Using this knowledge, the attacker can then specify a file on the remote host that the PHP server has permission to read and that file will be displayed in the web page. For example, the name of the file that contains the registry in windows is ntusers.dat in the windows directory. The attacker may request the URL:
Similarly, on a linux server:
Because local.php is vulnerable, it will display the registry of vuln.net or the /etc/passwd file in the attacker’s web browser. The first time the attacker sees a URL containing .php?file=, the attacker will most likely attempt a remote file inclusion. If that fails, the attacker will then most likely attempt local file inclusion. Both of these techniques can be used for cross-site scripting attacks.
|A null Byte can be used to prevent concatenation in a script. For example, many scripts may append '.php' to a user supplied string in an include. Appending a null Byte (%00) will often short circuit this, allowing an attacker to include any file, regardless of extension.|
If the remote host is a UNIX or Linux based system, the attacker may be able to view /etc/passwd or /proc/cpuinfo with this technique:
Or using null-bytes:
Because the file is being included, this means that the attacker can see it if it is a text file, or execute any php inside of it.
Two common input vectors for injecting PHP code are the "user-agent" and the httpd error log. The user-agent can be accessed through /proc/self/environ. Therefore, if an attacker uses tamper-data or a similar tool to cause their browser to send a custom user-agent containing the following string:
<?php system($_GET['cmd']); ?>
and accesses the file:
/proc/self/environ displays the user-agent of the attacker when included. As a result, when it is included the PHP code contained in the attacker's user-agent is executed. meaning that anything supplied to the page via the 'cmd' GET variable will be executed on the server with PHP's system() function, which executes commands at the OS level.
The other method is to use the error log - all requests that are denied or that lead to errors are stored in an error log. This means that if we send an illegal request containing some PHP code, the entire request (including the PHP code) will be added to the error log, which can later be included with LFI to execute our code.
For example, one can use telnet command and cause a 404 error with a GET request:
GET <?php system($_GET['cmd']) ?>
And then retrieve the following URL for the same output:
Note that log location may vary.
Useful files for LFI
Linux + Solaris files (Darwin [Mac] systems may have a prefix of /private/)
- Fingerprinting (General files)
- Less common paths for httpd.conf/php.ini
- OS Logs
- HTTPD Logs
- PHP Session Locations
- *:\Program Files\Apache Group\Apache\conf\httpd.conf
- *:\Program Files\Apache Group\Apache2\conf\httpd.conf
- *:\Program Files\xampp\apache\conf\httpd.conf
- *:\Program Files\Apache Group\Apache\logs\access.log
- *:\Program Files\Apache Group\Apache\logs\error.log
- PHP Session Locations